IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for for draft-ietf-dnsop-rfc5011-security-considerations-12; was Publication has been requested for draft-ietf-dnsop-rfc5011-security-considerations-12

Michael StJohns <msj@nthpermutation.com> Tue, 10 July 2018 17:25 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E741311D3 for <dnsop@ietfa.amsl.com>; Tue, 10 Jul 2018 10:25:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ofHsNyzTLHXF for <dnsop@ietfa.amsl.com>; Tue, 10 Jul 2018 10:25:12 -0700 (PDT)
Received: from mail-yb0-x236.google.com (mail-yb0-x236.google.com [IPv6:2607:f8b0:4002:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 352611311D2 for <dnsop@ietf.org>; Tue, 10 Jul 2018 10:25:11 -0700 (PDT)
Received: by mail-yb0-x236.google.com with SMTP id s1-v6so8921228ybk.3 for <dnsop@ietf.org>; Tue, 10 Jul 2018 10:25:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=ig7rjc1RTrrqKX/k1ndvCV2LKn7b2aeQzUaYCND5l6o=; b=PYiyTiHTzFK+zJkiBerOFTxK7wIsC8QleHdul1feW8vU1v472tEMHGOAivW5KtmRwJ FjbLIHzcuse7PiX/LVKQV8F3jm/MpYpHy9v0cKExeHDd0OjNPman/Tq7Ylv/KAC1Ow91 QX9F8xGTCA1s/AW8DEPhTph/dCDU+3xdGRmmI2QgI3kGTwkNzqeuLokn/4KoTxn+CMl1 yzSncij7sBJfPqeM16xU+PNK+6SLoRzOE7AxUVNoBmqLKAqxwurgjtor8mxcYjVhw+Zl Xp03TWC7WC0YTgvFTFXCJK9r+CxAQZSx3s35JNLAWTVlQ5I5H6cXfej4Kt4UkwA/vnM9 jrwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=ig7rjc1RTrrqKX/k1ndvCV2LKn7b2aeQzUaYCND5l6o=; b=lZxsT2XiIPBt63S52/1El6mcZY8p0x6COxL7uM6V4gWOPDi2cJEdFQJGW5WSbUpuJu FULAE5ZOknnwSYILvij6kuq4Ofzgi+7W6H+oBEin/mtPJFdKIOrbzJ2qD1TbntYR3WLm 23u752XLBBckADhSFH7wK/95LNdkyyuP5aGPtotYUDwtDF6F1rRGSi+R8g7TCLRHM2Gn ohgK81FljPcjJIiYDfTAZ1c3WBz3yvFg8ZpPVWEDtJjzunIMjTTUDCiBo9+qIWLBSac9 Qe6FcrqVvVpReRcojbFB9DXGIWfAJAi1AUHhi7dl0ftDuTo+S7FsuDZx/oFxcWn7nvMC /Vww==
X-Gm-Message-State: APt69E2w7FR5K1/M7ZNZQPS+vw6n6tEONH9AvDZMhtVt5OM5Vbn1NYsZ YNHu4SpqMZqXM3WHfLS5znBerw/d
X-Google-Smtp-Source: AAOMgpdYc3AEZbGntI/lH3e7l1wp5DHJBuEqkPyp/ER9CtQqjjLmgkWfnLVXLWB/ON64OodMNvLbrA==
X-Received: by 2002:a25:4e87:: with SMTP id c129-v6mr13514167ybb.156.1531243509683; Tue, 10 Jul 2018 10:25:09 -0700 (PDT)
Received: from ?IPv6:2601:152:4400:4013:3194:825e:d3f8:7b8e? ([2601:152:4400:4013:3194:825e:d3f8:7b8e]) by smtp.gmail.com with ESMTPSA id y2-v6sm4829391ywf.89.2018.07.10.10.25.08 for <dnsop@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Jul 2018 10:25:08 -0700 (PDT)
To: dnsop@ietf.org
References: <153092238624.5315.17258755138091784954.idtracker@ietfa.amsl.com> <f233b9ed-a356-5124-e052-ce4833e25e43@nthpermutation.com> <468b0483-4e16-3042-a8e2-c6348126842b@nthpermutation.com> <CADyWQ+HKq1NoqMFDmGOuHK-9hDK=r28aUOsM=T=Lb=OvUCpVUA@mail.gmail.com> <6121b7c4-247b-7fca-ac03-c6c2196d12dd@nthpermutation.com> <CA9772AF-6055-48F5-BFEC-8FF549A0C50A@vpnc.org>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <32c3fcd1-5739-4625-32ab-72e3f8de9970@nthpermutation.com>
Date: Tue, 10 Jul 2018 13:25:07 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.0
MIME-Version: 1.0
In-Reply-To: <CA9772AF-6055-48F5-BFEC-8FF549A0C50A@vpnc.org>
Content-Type: multipart/alternative; boundary="------------6D370B9E9BCEB192B8345860"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KXUKaJSb046W7I3zqrVuhnoVBe8>
Subject: Re: [DNSOP] Working Group Last Call for for draft-ietf-dnsop-rfc5011-security-considerations-12; was Publication has been requested for draft-ietf-dnsop-rfc5011-security-considerations-12
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 17:25:28 -0000

On 7/10/2018 12:34 PM, Paul Hoffman wrote:
> On 10 Jul 2018, at 11:35, Michael StJohns wrote:
>
>> And as you may have guessed I object to the publication of this 
>> document on the basis of quality for all the reasons previously 
>> stated.  This version of the document is actually in worse shape than 
>> the one that failed last call back in October.
>
> Documents go to WG Last Call to determine consensus and fix errors; 
> this document appears to have done both, so there was no failure.

I'm not sure if you're word parsing or what here, but the result of the 
WGLC was that the document still needed work and that there was no 
consensus.  Generally referred to as "failing to pass the WGLC".   
Generally, passing means nits to be fixed, with a general consensus to 
publish.  That didn't happen - the "pass", so the opposite of "pass" is 
"fail".

If you're saying that the document has both fixed the issues and gained 
consensus - well, that's what this call is for.  My opinion is that the 
document still needs work, others may not agree.  As for consensus, 
AFAICT, there has been no on-the-list call from consensus since the 
previous WG meeting that noted meeting consensus - and as we all know - 
meeting consensus isn't sufficient to determine consensus.

>
>> I strongly object to the publication of this document as a Standards 
>> Track document. The appropriate status  - if published - is 
>> Informational with or without a BCP tag on it.
>
> There is no such thing as a "BCP tag". An RFC that is a BCP is treated 
> as a standard. See Section 5 of RFC 2026.

Mostly fair point - but while treated as a standard, a BCP is not a 
standard in the meaning of Standards Track.   So Informational or BCP, 
not Proposed Standard.  And given 7893, I'd say Informational.


>
>> The document does not provide any implementable protocol, and by that 
>> I mean that the only protocol elements in this document must be 
>> executed by humans. There is no on-the-wire elements, nor any process 
>> that can be implemented by a DNS resolver or server.  This is solely 
>> and only an operational practices document,
>
> True.
>
>> and AFAICT, none of these have ever ended up as Standards Track.
>
> Not true. Plenty of WGs, including this one, put operational documents 
> on standards track.

Here are the RFCs that come up with "Standard Track" and "dnsop" as the 
search terms.   Which one is an "operational document"?    I didn't have 
time to search through the other pile of 8K plus RFCs, but did check 
dnsext and found a dearth of operational documents as standards there.  
AFAICT, all of these propose modifications to resolver or server behavior.




> Number 
> <https://www.rfc-editor.org/search/rfc_search_detail.php?sortkey=Number&sorting=DESC&page=25&wg_acronym=dnsop&pubstatus[]=Standards%20Track&std_trk=Proposed%20Standard&pub_date_type=any> 
>
>
> 	Files 	Title 	Authors 	Date 
> <https://www.rfc-editor.org/search/rfc_search_detail.php?sortkey=Date&sorting=DESC&page=25&wg_acronym=dnsop&pubstatus[]=Standards%20Track&std_trk=Proposed%20Standard&pub_date_type=any> 
> 	More Info 	Status
> RFC 7344 <http://www.rfc-editor.org/info/rfc7344> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc7344.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc7344.txt.pdf> 	Automating DNSSEC 
> Delegation Trust Maintenance 	W. Kumari, O. Gudmundsson, G. Barwood 
> September 2014 	Updated by RFC 8078 
> <http://www.rfc-editor.org/info/rfc8078> 	Proposed Standard (changed 
> from Informational March 2017 <https://www.rfc-editor.org/info/rfc8078>)
> RFC 7477 <http://www.rfc-editor.org/info/rfc7477> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc7477.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc7477.txt.pdf> 	Child-to-Parent 
> Synchronization in DNS 	W. Hardaker 	March 2015 	Errata 
> <http://www.rfc-editor.org/errata/rfc7477> 	Proposed Standard
> RFC 7686 <http://www.rfc-editor.org/info/rfc7686> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc7686.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc7686.txt.pdf> 	The ".onion" 
> Special-Use Domain Name 	J. Appelbaum, A. Muffett 	October 2015 	 
> Proposed Standard
> RFC 7766 <http://www.rfc-editor.org/info/rfc7766> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc7766.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc7766.txt.pdf> 	DNS Transport over 
> TCP - Implementation Requirements 	J. Dickinson, S. Dickinson, R. 
> Bellis, A. Mankin, D. Wessels 	March 2016 	Obsoletes RFC 5966 
> <http://www.rfc-editor.org/info/rfc5966>, Updates RFC 1035 
> <http://www.rfc-editor.org/info/rfc1035>, RFC 1123 
> <http://www.rfc-editor.org/info/rfc1123> 	Proposed Standard
> RFC 7828 <http://www.rfc-editor.org/info/rfc7828> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc7828.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc7828.txt.pdf> 	The 
> edns-tcp-keepalive EDNS0 Option 	P. Wouters, J. Abley, S. Dickinson, 
> R. Bellis 	April 2016 		Proposed Standard
> RFC 7873 <http://www.rfc-editor.org/info/rfc7873> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc7873.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc7873.txt.pdf> 	Domain Name System 
> (DNS) Cookies 	D. Eastlake 3rd, M. Andrews 	May 2016 		Proposed Standard
> RFC 8020 <http://www.rfc-editor.org/info/rfc8020> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc8020.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc8020.txt.pdf> 	NXDOMAIN: There 
> Really Is Nothing Underneath 	S. Bortzmeyer, S. Huque 	November 2016 
> Updates RFC 1034 <http://www.rfc-editor.org/info/rfc1034>, RFC 2308 
> <http://www.rfc-editor.org/info/rfc2308> 	Proposed Standard
> RFC 8078 <http://www.rfc-editor.org/info/rfc8078> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc8078.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc8078.txt.pdf> 	Managing DS 
> Records from the Parent via CDS/CDNSKEY 	O. Gudmundsson, P. Wouters 
> March 2017 	Errata <http://www.rfc-editor.org/errata/rfc8078>, Updates 
> RFC 7344 <http://www.rfc-editor.org/info/rfc7344> 	Proposed Standard
> RFC 8145 <http://www.rfc-editor.org/info/rfc8145> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc8145.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc8145.txt.pdf> 	Signaling Trust 
> Anchor Knowledge in DNS Security Extensions (DNSSEC) 	D. Wessels, W. 
> Kumari, P. Hoffman 	April 2017 		Proposed Standard
> RFC 8198 <http://www.rfc-editor.org/info/rfc8198> 	ASCII 
> <http://www.rfc-editor.org/rfc/rfc8198.txt>, PDF 
> <http://www.rfc-editor.org/pdfrfc/rfc8198.txt.pdf> 	Aggressive Use of 
> DNSSEC-Validated Cache 	K. Fujiwara, A. Kato, W. Kumari 	July 2017 
> Updates RFC 4035 <http://www.rfc-editor.org/info/rfc4035> 	Proposed 
> Standard
>


>
>>    Or to put it more bluntly - humans are not protocol elements that 
>> can be standardized.
>
> True, but not relevant to the issue at hand.

And that's where you're wrong.

DNS is problematic because there are some humans in the loop - basically 
on the database management and publication side.    This is never so 
obvious as when thinking about RFC5011.  In that case, it was possible 
to specify the behavior for the resolver based on the zone content, but 
it was impossible to specify that a zone manager actually place the 
content at a specific time and with a specific set of keys and 
signatures.   If you'll note, 5011 has normative (the resolver behavior) 
and informative (suggested ways that a zone manager can publish data 
that 5011 would find useful) sections for just this purpose.

In this case, this document is all about human behavior - NMI - no 
machines involved.   Protocol standards are about consistent, coherent 
and repeatable behavior - terms rarely used with humans.

If this document had "here's the modifications to the protocol engine" 
and "here's what people should do about it" you could publish this as a 
standard, but the second section would be marked "Informative".

>
>> Finally, this purports to update RFC7538 which is Informational.
>
> That's a good point. The WG draft that led to RFC 7538 was marked as 
> Informational for its entire lifetime, so the WG must have thought it 
> was OK to treat key rollover timing considerations as Informational.

*sigh*  Sorry - RFC7583 - not 7538.

Mike

>
> --Paul Hoffman
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email