Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

神明達哉 <jinmei@wide.ad.jp> Wed, 06 May 2015 16:51 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F28E11B2CA1 for <dnsop@ietfa.amsl.com>; Wed, 6 May 2015 09:51:44 -0700 (PDT)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iMMaTSKKq_Ix for <dnsop@ietfa.amsl.com>; Wed, 6 May 2015 09:51:43 -0700 (PDT)
Received: from mail-ig0-x22c.google.com (mail-ig0-x22c.google.com [IPv6:2607:f8b0:4001:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 529AB1B2C9B for <dnsop@ietf.org>; Wed, 6 May 2015 09:51:43 -0700 (PDT)
Received: by igbpi8 with SMTP id pi8so53954igb.1 for <dnsop@ietf.org>; Wed, 06 May 2015 09:51:42 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.50.30.138 with SMTP id s10mr9272723igh.3.1430931101966; Wed, 06 May 2015 09:51:41 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.50.80 with HTTP; Wed, 6 May 2015 09:51:41 -0700 (PDT)
In-Reply-To: <CAHw9_iL9RLp0jynT0m_D6dGZYhmdonvBC-5ifTdB63eh5gvBeg@mail.gmail.com>
References: <553EBF02.3050703@gmail.com> <CAJE_bqc-T75k3sQZKtAF1VHp49biGn+Es5v5FivNSz5e3oB-Cg@mail.gmail.com> <CAHw9_iL9RLp0jynT0m_D6dGZYhmdonvBC-5ifTdB63eh5gvBeg@mail.gmail.com>
Date: Wed, 06 May 2015 09:51:41 -0700
Message-ID: <CAJE_bqesFPG6d3UsFmtFRjUBQqfifHkaBMR0sXAaNKuN10HL4A@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Warren Kumari <warren@kumari.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/IO7oFQJ3cqPSl2qQaMqRDKFVFJg>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2015 16:51:45 -0000

At Tue, 5 May 2015 17:06:04 -0400,
Warren Kumari <warren@kumari.net> wrote:

> ... and now I'm replying to the rest of the comments.

Thanks, I've confirmed that my major and minor points are addressed in
the 05 version.  So I'm now basically fine with shipping it.

Some non-blocking comments follow...

> I've integrated them and posted a new version with the clarifications
> on a *positive* **trust anchor** under an NTA.
> I'm not very happy with the text I added, if others have better text
> happy to consider it...

The added text looks good enough to me.  If you don't like it
yourself, I might suggest something else, but I'm not sure if it's
obviously better than the current one.  In any case, I think Section 2
is probably a better place to clarify this, partly because that
section has example cases.  But it's not a strong opinion.

Two more related points:

1. In my very original comment on this matter:
   www.ietf.org/mail-archive/web/dnsop/current/msg12614.html
   I noted one other corner case, which we might also want to clarify:
     On a related note, there are some corner cases which may also be
     worth noting: queries for DS or DLV (or anything similar to that).
     So, for example, zone1.example.com/DS should still be validated even
     if there's an NTA for zone1.example.com.  Again, this might sound
     obvious, but I think it's worthwhile.

2. What if both positive and negative trust anchors are specified for
   the same name at the same time?  Maybe it's just implementation
   dependent, and it may or may not be something that is worth
   discussing in this document.

And, here are some other editorial points I happened to notice in this
round of reading:

- (this is technical rather than editorial in some sense) Section 4:

   When removing the NTA, the implementation SHOULD remove all cached
   entries below the NTA node.

  Probably s/below/at and below/

- Appendix B: s/do this/to do this/ ?
   There are several tools do this, an incomplete list includes:

- Appendix B: It's better if we can use a different level of bullets
   for these:
   o  DS pointing to a non existent key in the child zone.  Questions...
   o  DS pointing to an existent key, but no signatures are made with...
   o  Data in DS or DNSKEY doesn't match the other.  This is more common...

  since they are sub-bullets of this one:

   o  DNSKEYs in child zone don't match the DS record in the parent
      zone. [...] Common Variations of
      this can be:

  (I don't know if I-D xml allows nested listing though).

--
JINMEI, Tatuya
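The following is an added worked example, not code from the draft, from this thread, or from any real resolver. It models the three NTA-handling points raised in the message as a toy Python policy: (1) DS queries are owned by the parent zone, so an NTA at zone1.example.com must not suppress validation of zone1.example.com/DS; (2) removing an NTA flushes cached entries at and below the NTA node, matched label-wise rather than by string prefix; (3) a positive trust anchor under an NTA. For point (3) the example assumes that a positive trust anchor configured strictly below an NTA re-enables validation under it, and for the open question of a positive and a negative anchor at the same name it simply refuses the configuration; both are choices of this example, not statements of the draft. DLV lookups are omitted because they are served from a DLV registry zone rather than the parent. All names and configurations are constructed.

```python
# Added example: toy model of negative-trust-anchor (NTA) policy in a
# validating resolver. Constructed for illustration; not code from the
# draft, this mailing-list thread, or any resolver implementation.

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


def labels(name: str) -> List[str]:
    """Split a domain name into lowercase labels; the root ('.' or '') -> []."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def canonical(name: str) -> str:
    """Canonical textual form used for comparing names ('' for the root)."""
    return ".".join(labels(name))


def is_at_or_below(name: str, ancestor: str) -> bool:
    """True if `name` equals `ancestor` or lies underneath it, label-wise.

    zone10.example.com is NOT below zone1.example.com; a string-prefix
    check would get that wrong, which is why labels are compared.
    """
    n, a = labels(name), labels(ancestor)
    if not a:                      # every name is at or below the root
        return True
    return len(n) >= len(a) and n[-len(a):] == a


def is_strictly_below(name: str, ancestor: str) -> bool:
    return is_at_or_below(name, ancestor) and labels(name) != labels(ancestor)


def parent(name: str) -> Optional[str]:
    """Parent name, or None for the root (which has no DS record)."""
    n = labels(name)
    return ".".join(n[1:]) if n else None


def closest_enclosing(name: str, candidates: Iterable[str]) -> Optional[str]:
    """The longest configured name that `name` is at or below, if any."""
    matches = [c for c in candidates if is_at_or_below(name, c)]
    return max(matches, key=lambda c: len(labels(c))) if matches else None


def conflicting_names(positive: Iterable[str], negative: Iterable[str]) -> Set[str]:
    """Names configured as both a positive trust anchor and an NTA."""
    return {canonical(p) for p in positive} & {canonical(n) for n in negative}


@dataclass
class TrustConfig:
    positive: Set[str] = field(default_factory=set)   # configured trust anchors
    negative: Set[str] = field(default_factory=set)   # configured NTAs

    def __post_init__(self) -> None:
        # The message leaves "positive and negative at the same name" as
        # implementation-dependent; this example's choice is to refuse it.
        clash = conflicting_names(self.positive, self.negative)
        if clash:
            raise ValueError(f"positive and negative trust anchor at {sorted(clash)}")

    def validation_mode(self, qname: str, qtype: str) -> str:
        """Return 'validate' or 'insecure' for a (qname, qtype) query."""
        # A DS RRset is served and signed by the parent zone, so the NTA
        # check uses the parent as the owner: zone1.example.com/DS is still
        # validated even with an NTA at zone1.example.com.
        owner = parent(qname) if qtype.upper() == "DS" else qname
        if owner is None:              # DS at the root does not exist
            return "validate"
        nta = closest_enclosing(owner, self.negative)
        if nta is None:
            return "validate"
        ta = closest_enclosing(owner, self.positive)
        # Assumption of this example: a positive trust anchor configured
        # strictly below the NTA re-enables validation under it.
        if ta is not None and is_strictly_below(ta, nta):
            return "validate"
        return "insecure"


def flush_at_and_below(cache: Dict[str, object], nta_name: str) -> Dict[str, object]:
    """Drop cached entries at and below the NTA node when the NTA is removed."""
    return {n: v for n, v in cache.items() if not is_at_or_below(n, nta_name)}


if __name__ == "__main__":
    cfg = TrustConfig(positive={".", "sub.zone1.example.com"},
                      negative={"zone1.example.com"})
    for q in [("www.zone1.example.com", "A"), ("zone1.example.com", "DS"),
              ("www.zone1.example.com", "DS"), ("www.sub.zone1.example.com", "AAAA")]:
        print(q, "->", cfg.validation_mode(*q))
    cache = {"example.com": 1, "zone1.example.com": 2,
             "a.zone1.example.com": 3, "zone10.example.com": 4}
    print(sorted(flush_at_and_below(cache, "zone1.example.com")))
```

The two checks worth keeping from this toy are the owner substitution for DS queries and the label-wise match in the flush: both are easy to get wrong with a naive suffix-string comparison.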