Re: [DNSOP] Benjamin Kaduk's Yes on draft-ietf-dnsop-dns-zone-digest-13: (with COMMENT)
"Wessels, Duane" <dwessels@verisign.com> Mon, 12 October 2020 15:54 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C0793A158B; Mon, 12 Oct 2020 08:54:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hR_DEFXVlCNw; Mon, 12 Oct 2020 08:54:05 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74D503A158A; Mon, 12 Oct 2020 08:54:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10323; q=dns/txt; s=VRSN; t=1602518045; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=YO5f15Ec33oCGLIrdmzL4rktcqSKQmFu6K2Tbv9aDV0=; b=mRQ3M6pimJ0XzVNwhEZ4riCjsCAz2opNjuhimkHwM9e0VoONcKhlWLAZ +R90v5cmGtUSZWTPnw5RK2VjoBTpX1o9fZUQwwEVd1RS1H9PIgFJh/DM/ fLTVYWajfacmcxKZO3OqCU2JXMgteBowZRHmiFxE6kvH8d+Fh3URXIAy7 7Wj2h/zkHMW4RRzwmc/4vdIiohARSRUm/5TTUiDEZe4OwZw4StBEkSsx/ 7LUeEpa9VsKgv6bfMxg8Q0+2U6b+ndjhvkeL6Ayvj88IjDWgs3vlbPCRk Fv+vDImxkXvC6FZTKmyTT78sKWCzFINrwv94T35+1oXR9BKAYE864cjKT w==;
IronPort-SDR: OzoFOP9WCJUI/ufFEzsEXg/Fh9DDvrMxikf9OUHuCLwNZYzyg6PYHRNOlvtJFGQU6ibEEqKgXk S+hFZ5FNqecjcs5jJXV9lCcmbUgF3ERBM7+j9wDwMNLjPVlrfksERYjTbu3GYG/yn73iOZGdnJ jgH9/5Rdb4/FL4AL6p5VHzNpphHWzp02vN1vxSD/N3JAtJbhVtpn3cgh3RjR5FA+ErLNLGhTg2 8YqwNDhpuyFfdDxLoKznaQms+2DXpMx0PgaCU7T0Kb3g3NwtOe9ZBtH4VALGVAB8IuARtwQeN9 TmE=
X-IronPort-AV: E=Sophos; i="5.77,367,1596513600"; d="p7s'?scan'208"; a="3237372"
IronPort-PHdr: 9a23:l2PbZRab8AfpMnWTNt5T7cr/LSx+4OfEezUN459isYplN5qZps66YR7h7PlgxGXEQZ/co6odzbaP7Oa9Bidfsd6oizMrSNR0TRgLiMEbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVrO+/7BpDdj9it1+C15pbffxhEiCCybL9vLhi6twXcu8sZjYZgKas61wfErGZPd+lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2466svrtQLeTQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUjms86tnVBnlgzocOjUn7G/YlNB/jKNDoBKguRN/xZLUYJqIP/Z6Z6/RYM8WSXZEUstXSidPAJ6zb5EXAuQBI+hWspX9qVUNoxuwBwaiA+LvxSNHiXLt0q02z+EhHBvG3AA8Ad4DtmnfotXvNKcVVOC41KfEwjXdYPNNwjfy9ozIcgs5rfqRU7xwbNDeyU8xGA/Lk16drpHqPj2L2eQWqGiU8e5gVfm0hm45tQ5xuDmvxtwtionGgIIZ0EzL9SJ8wIssI9CzVUF0b8K+HpRKqyGaK5V5QtkkQ2xwtis31L0Lt56lcSUJ1JkqyR3SZuGHfoaI/B/tWuifLzd5iX57d7yymQu+/0euxOHhSsW630pHozdZn9TOtn4A0xre4dWERPtl5kqtxCqD2xrO5uxGL004j7fXJp4vz7IqmZceslzPEjLqlEnskaObdFko9vK15+noYbjqvIKQOoxyhwrjKKohgNa/Dv49MgUWWmib/vmz26P78E3iRbVKkuU2kq7EsJDGPcgbprC2AwtS0os79huxEy+o3MkYkncfI1xKeQ6Lg5XzN1HQPP/4Cu2/g0y2nDhx2v/KJKPhAo/WLnjFirvuYbF960tExAoyy9BQ+Y5UB6kcLP7vQEP9qd7VAxEjPwCpw+vqBs9x24wdVG6XB6+WKqLSsVuG5uI1JOmMYZcYtyvzKvc7/P7ulmE2mVsGfaSyw5sYdmq4HvV9I0WYbnrshM0NHnsNvgo7VODqkkGNUSZPZ3auWKIx/jI7B5i7AofeRYCgm7mB3CanHpFMeG9JF02MG2/yd4qYQ/cMdD6SIsh5nzwFS7ehUIAh2AqvtADk17pnIPDY+ioCtZLszNJ1/fHclQku9TxoCMSQy3yCT3tukWMGWz86xaF/rlJhyleNyKR3nvpYFcdU5/NRSws1KJjcz/djB9HzXQLBeMmGRE+7TdWnDjE+UMkxw8MVbkZ8Bdqikh7D0zCtA78PmLyBHIY0/b7E33jtO8Z9zG7L27Qnj1k9RctPLXSqibJ/9wfJBo7JiV6Zmr2rdasCwC7N+n2PzW2UvEFXSARwS7nKXWgDZkvKqtT0/l7NT7m1CbQgKgtM0s+CJbVWat3nl1lGQ+3jONvGaWKrh2iwHQqIxq+LbIfyZ2Ud3ivcBFIFkw8N4XaGOxMzBiiko23EDTxuEUjjbF/r8el7+zuHSRoewgeIZkhg0fKW8xIIhrTISPofw7EsvSY97Th4AQDu8cjRDo/KmAd6Z6hYepd1zEpO02+T/1hxIZG7NK1mnXYAfh52pELh0VN8DYAWwptil28j0AcncfHQ61hGbT7NmMmoYrA=
X-IPAS-Result: A2G6AADUeoRf/zCZrQpaBg4NAQEBAQEBAQEFAQEBEgEBAQMDAQEBQIFPgXuBS4EICpVMg3qYLAQHAQEBAQEBAQEBBAQBLwQBAYRKAoIYJjgTAgMBAQsBAQEFAQEBAQEGAwEBAQKGUYI3KQGDagEBAQECAXkFCwIBCBguAjAlAgQOBQ6DGAGCXBGnAHSBNIoyEIE4gVOLfoFCPoE4HIJNPoQtD4NLgi0EkCSCZQGkVgMHgmiETIJfjjeFCh+hOq9ng2ACBAIEBQIVgWuBe3AVZQGCPj4SFwINjioYFG4BCYxaPnQ3AgYKAQEDCYwELYEGgREBAQ
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Mon, 12 Oct 2020 11:54:02 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.1979.003; Mon, 12 Oct 2020 11:54:02 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-dns-zone-digest@ietf.org" <draft-ietf-dnsop-dns-zone-digest@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>
Thread-Topic: [EXTERNAL] Benjamin Kaduk's Yes on draft-ietf-dnsop-dns-zone-digest-13: (with COMMENT)
Thread-Index: AQHWoEycEGNuKWgqQESqBfh/dfeA46mUYkOA
Date: Mon, 12 Oct 2020 15:54:02 +0000
Message-ID: <1B53DFDF-4A87-46F2-AEC7-20D966DC32E4@verisign.com>
References: <160247539257.14934.7821393078907455062@ietfa.amsl.com>
In-Reply-To: <160247539257.14934.7821393078907455062@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.4)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_A0FA4F42-C71B-46CA-92DE-618CE31170B1"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JPSV6Z2_72N5QPKYI-zHqM7asDw>
Subject: Re: [DNSOP] Benjamin Kaduk's Yes on draft-ietf-dnsop-dns-zone-digest-13: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2020 15:54:07 -0000
> On Oct 11, 2020, at 9:03 PM, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dnsop-dns-zone-digest-13: Yes > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for addressing my discuss (and comment!) points. There are still > a few more threads to tidy up, but I'm happy with the direction we're > going. > > Section 1 > > We (implicitly) mention "integrity" here as provided in the absence of > DNSSEC, but later in Section 1.1 we say that integrity can only be assured > when the zone is signed. I leave it to Roman to say when his discuss is > resolved, but it seems likely that we should be consistent about which way > we go with it. Looks like I missed that spot in when addressing Roman's point. Now changed to this: It allows a receiver of the zone to verify the zone's integrity and authenticity when used in combination with DNSSEC. > Section 1.1 > > It's perhaps unusual to follow "the motivation for this protocol" with "a > secondary motivation"; instead writing "the primary motivation" would reduce > the surprise at seeing a secondary motivation added later. Agreed. This has been changed. > > Section 2.2.2 > > This change seems to be a regression? The value 1 in question is the > scheme value, not a Hash Algorithm value. (I would make this a > Discuss point but I am sure we will get it resolved quickly.) Oops, I changed that in the wrong place. Now it says "with Scheme value 1" there and "with Hash Algorithm value 1" in the next section. > > Section 3 > > (nit) Right now the literal reading of "identical" is that the ZONEMD and > the signature and the denial-of-existence records are identical, which > is of course nonsensical. Perhaps adding "to the ones produced by this > procedure" or similar would reduce the stress for people who habitually > make sentence diagrams. Changed to this: Implementations that deviate from the described algorithm are advised to ensure that it produces ZONEMD RRs, signatures, and dential-of-existence records that are identical to the ones generated by this procedure. > > Section 4 > > I can't tell if there's a duplicate line in the XML source or not, here > (as an editing leftover), but that's my guess as to what happened. In > particular, I'm not sure how one would query for a DS RR *in the anchor*. > If I'm reading the previous thread correctly we were only proposing to talk > about querying for (and validating) DS RRs in the parent zone, not the > anchor (whatever that means). Yes indeed there was a line duplicated during editing. Now: This is done by examining locally configured trust anchors, and, if necessary, querying for (and validating) DS RRs in the parent zone. > > Who is going to come to a conclusion on the "[ Maybe remove all the "SHOULD > report" above and just say this:]"? (I'd be fine with it, for what little > it's worth, but I don't think my opinion is anywhere close to the most > relevant one.) Both you and Rob asked about this -- the possibility of overly verbose reporting. I'd like to hear Rob's opinion. DW
- [DNSOP] Benjamin Kaduk's Yes on draft-ietf-dnsop-… Benjamin Kaduk via Datatracker
- Re: [DNSOP] Benjamin Kaduk's Yes on draft-ietf-dn… Wessels, Duane
- Re: [DNSOP] Benjamin Kaduk's Yes on draft-ietf-dn… Benjamin Kaduk