Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
神明達哉 <jinmei@wide.ad.jp> Wed, 06 May 2015 16:51 UTC
From: 神明達哉 <jinmei@wide.ad.jp>
To: Warren Kumari <warren@kumari.net>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
At Tue, 5 May 2015 17:06:04 -0400, Warren Kumari <warren@kumari.net> wrote:

> ... and now I'm replying to the rest of the comments.

Thanks, I've confirmed that my major and minor points are addressed in
the 05 version. So I'm now basically fine with shipping it. Some
non-blocking comments follow...

> I've integrated them and posted a new version with the clarifications
> on a *positive* trust anchor under an NTA.
> I'm not very happy with the text I added, if others have better text
> happy to consider it...

The added text looks good enough to me. If you don't like it yourself,
I might suggest something else, but I'm not sure if it's obviously
better than the current one. In any case, I think Section 2 is
probably a better place to clarify this, partly because that section
has example cases. But it's not a strong opinion.

Two more related points:

1. In my very original comment on this matter:
   www.ietf.org/mail-archive/web/dnsop/current/msg12614.html
   I noted one other corner case, which we might also want to clarify:

     On a related note, there are some corner cases which may also be
     worth noting: queries for DS or DLV (or anything similar to that).
     So, for example, zone1.example.com/DS should still be validated
     even if there's an NTA for zone1.example.com. Again, this might
     sound obvious, but I think it's worthwhile.

2. What if both positive and negative trust anchors are specified for
   the same name at the same time? Maybe it's just implementation
   dependent, and it may or may not be something that is worth
   discussing in this document.

And, here are some other editorial points I happened to notice in this
round of read:

- (this is technical rather than editorial in some sense) Section 4:

    When removing the NTA, the implementation SHOULD remove all
    cached entries below the NTA node.

  Probably s/below/at and below/

- Appendix B: s/do this/to do this/ ?

    There are several tools do this, an incomplete list includes:

- Appendix B: It's better if we can use a different level of bullets
  for these:

    o DS pointing to a non existent key in the child zone. Questions...
    o DS pointing to an existent key, but no signatures are made with...
    o Data in DS or DNSKEY doesn't match the other. This is more common...

  since they are sub-bullets of this one:

    o DNSKEYs in child zone don't match the DS record in the parent zone.
      [...]
      Common Variations of this can be:

  (I don't know if I-D xml allows nested listing though).

--
JINMEI, Tatuya
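As an added illustration (not code from the draft, from any resolver, or from this message), here is a small Python model of the two semantic points raised in the message: an NTA at a name must not suppress validation of that name's own DS (or DLV) RRset, because those records are served and signed by the parent zone, and removing an NTA should flush cached entries at and below the NTA node rather than only below it. The NTA list, cache layout and function names are hypothetical.

```python
"""Hypothetical model of Negative Trust Anchor (NTA) coverage and cache
purge semantics.  Not taken from the draft or any resolver; it exists
only to show the DS corner case and the 'at and below' purge rule."""


def _labels(name):
    """Split a DNS name into labels, root first, case-insensitively."""
    name = name.rstrip(".").lower()
    return [] if not name else name.split(".")[::-1]


def is_at_or_below(name, node):
    """True if `name` equals `node` or lies in its subtree."""
    n, z = _labels(name), _labels(node)
    return n[:len(z)] == z


def nta_covers(ntas, qname, qtype):
    """Return the NTA name that suppresses validation for this query, or
    None if the query must still be validated.

    Corner case: zone1.example.com/DS is held in (and signed by) the
    parent zone, so an NTA at zone1.example.com must not switch off
    validation for it.  The same applies to DLV.  An NTA at the parent
    or higher still covers the DS query, because it covers the parent.
    """
    qtype = qtype.upper()
    qdepth = len(_labels(qname))
    for nta in ntas:
        if not is_at_or_below(qname, nta):
            continue
        owner_is_nta = qdepth == len(_labels(nta))
        if qtype in ("DS", "DLV") and owner_is_nta:
            continue  # parent-side data at the NTA owner: keep validating
        return nta
    return None


def purge_on_nta_removal(cache, nta):
    """Drop cached entries at and below the NTA node when the NTA goes
    away, so nothing accepted without validation lingers.  `cache` maps
    (owner_name, rrtype) -> rdata.  Returns the keys that were removed."""
    removed = [key for key in cache if is_at_or_below(key[0], nta)]
    for key in removed:
        del cache[key]
    return removed
```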