Re: [DNSOP] Working Group Last Call for for draft-ietf-dnsop-rfc5011-security-considerations-12; was Publication has been requested for draft-ietf-dnsop-rfc5011-security-considerations-12
Michael StJohns <msj@nthpermutation.com> Tue, 10 July 2018 17:25 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E741311D3 for <dnsop@ietfa.amsl.com>; Tue, 10 Jul 2018 10:25:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ofHsNyzTLHXF for <dnsop@ietfa.amsl.com>; Tue, 10 Jul 2018 10:25:12 -0700 (PDT)
Received: from mail-yb0-x236.google.com (mail-yb0-x236.google.com [IPv6:2607:f8b0:4002:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 352611311D2 for <dnsop@ietf.org>; Tue, 10 Jul 2018 10:25:11 -0700 (PDT)
Received: by mail-yb0-x236.google.com with SMTP id s1-v6so8921228ybk.3 for <dnsop@ietf.org>; Tue, 10 Jul 2018 10:25:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=ig7rjc1RTrrqKX/k1ndvCV2LKn7b2aeQzUaYCND5l6o=; b=PYiyTiHTzFK+zJkiBerOFTxK7wIsC8QleHdul1feW8vU1v472tEMHGOAivW5KtmRwJ FjbLIHzcuse7PiX/LVKQV8F3jm/MpYpHy9v0cKExeHDd0OjNPman/Tq7Ylv/KAC1Ow91 QX9F8xGTCA1s/AW8DEPhTph/dCDU+3xdGRmmI2QgI3kGTwkNzqeuLokn/4KoTxn+CMl1 yzSncij7sBJfPqeM16xU+PNK+6SLoRzOE7AxUVNoBmqLKAqxwurgjtor8mxcYjVhw+Zl Xp03TWC7WC0YTgvFTFXCJK9r+CxAQZSx3s35JNLAWTVlQ5I5H6cXfej4Kt4UkwA/vnM9 jrwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=ig7rjc1RTrrqKX/k1ndvCV2LKn7b2aeQzUaYCND5l6o=; b=lZxsT2XiIPBt63S52/1El6mcZY8p0x6COxL7uM6V4gWOPDi2cJEdFQJGW5WSbUpuJu FULAE5ZOknnwSYILvij6kuq4Ofzgi+7W6H+oBEin/mtPJFdKIOrbzJ2qD1TbntYR3WLm 23u752XLBBckADhSFH7wK/95LNdkyyuP5aGPtotYUDwtDF6F1rRGSi+R8g7TCLRHM2Gn ohgK81FljPcjJIiYDfTAZ1c3WBz3yvFg8ZpPVWEDtJjzunIMjTTUDCiBo9+qIWLBSac9 Qe6FcrqVvVpReRcojbFB9DXGIWfAJAi1AUHhi7dl0ftDuTo+S7FsuDZx/oFxcWn7nvMC /Vww==
X-Gm-Message-State: APt69E2w7FR5K1/M7ZNZQPS+vw6n6tEONH9AvDZMhtVt5OM5Vbn1NYsZ YNHu4SpqMZqXM3WHfLS5znBerw/d
X-Google-Smtp-Source: AAOMgpdYc3AEZbGntI/lH3e7l1wp5DHJBuEqkPyp/ER9CtQqjjLmgkWfnLVXLWB/ON64OodMNvLbrA==
X-Received: by 2002:a25:4e87:: with SMTP id c129-v6mr13514167ybb.156.1531243509683; Tue, 10 Jul 2018 10:25:09 -0700 (PDT)
Received: from ?IPv6:2601:152:4400:4013:3194:825e:d3f8:7b8e? ([2601:152:4400:4013:3194:825e:d3f8:7b8e]) by smtp.gmail.com with ESMTPSA id y2-v6sm4829391ywf.89.2018.07.10.10.25.08 for <dnsop@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Jul 2018 10:25:08 -0700 (PDT)
To: dnsop@ietf.org
References: <153092238624.5315.17258755138091784954.idtracker@ietfa.amsl.com> <f233b9ed-a356-5124-e052-ce4833e25e43@nthpermutation.com> <468b0483-4e16-3042-a8e2-c6348126842b@nthpermutation.com> <CADyWQ+HKq1NoqMFDmGOuHK-9hDK=r28aUOsM=T=Lb=OvUCpVUA@mail.gmail.com> <6121b7c4-247b-7fca-ac03-c6c2196d12dd@nthpermutation.com> <CA9772AF-6055-48F5-BFEC-8FF549A0C50A@vpnc.org>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <32c3fcd1-5739-4625-32ab-72e3f8de9970@nthpermutation.com>
Date: Tue, 10 Jul 2018 13:25:07 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.0
MIME-Version: 1.0
In-Reply-To: <CA9772AF-6055-48F5-BFEC-8FF549A0C50A@vpnc.org>
Content-Type: multipart/alternative; boundary="------------6D370B9E9BCEB192B8345860"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KXUKaJSb046W7I3zqrVuhnoVBe8>
Subject: Re: [DNSOP] Working Group Last Call for for draft-ietf-dnsop-rfc5011-security-considerations-12; was Publication has been requested for draft-ietf-dnsop-rfc5011-security-considerations-12
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 17:25:28 -0000
On 7/10/2018 12:34 PM, Paul Hoffman wrote: > On 10 Jul 2018, at 11:35, Michael StJohns wrote: > >> And as you may have guessed I object to the publication of this >> document on the basis of quality for all the reasons previously >> stated. This version of the document is actually in worse shape than >> the one that failed last call back in October. > > Documents go to WG Last Call to determine consensus and fix errors; > this document appears to have done both, so there was no failure. I'm not sure if you're word parsing or what here, but the result of the WGLC was that the document still needed work and that there was no consensus. Generally referred to as "failing to pass the WGLC". Generally, passing means nits to be fixed, with a general consensus to publish. That didn't happen - the "pass", so the opposite of "pass" is "fail". If you're saying that the document has both fixed the issues and gained consensus - well, that's what this call is for. My opinion is that the document still needs work, others may not agree. As for consensus, AFAICT, there has been no on-the-list call from consensus since the previous WG meeting that noted meeting consensus - and as we all know - meeting consensus isn't sufficient to determine consensus. > >> I strongly object to the publication of this document as a Standards >> Track document. The appropriate status - if published - is >> Informational with or without a BCP tag on it. > > There is no such thing as a "BCP tag". An RFC that is a BCP is treated > as a standard. See Section 5 of RFC 2026. Mostly fair point - but while treated as a standard, a BCP is not a standard in the meaning of Standards Track. So Informational or BCP, not Proposed Standard. And given 7893, I'd say Informational. > >> The document does not provide any implementable protocol, and by that >> I mean that the only protocol elements in this document must be >> executed by humans. There is no on-the-wire elements, nor any process >> that can be implemented by a DNS resolver or server. This is solely >> and only an operational practices document, > > True. > >> and AFAICT, none of these have ever ended up as Standards Track. > > Not true. Plenty of WGs, including this one, put operational documents > on standards track. Here are the RFCs that come up with "Standard Track" and "dnsop" as the search terms. Which one is an "operational document"? I didn't have time to search through the other pile of 8K plus RFCs, but did check dnsext and found a dearth of operational documents as standards there. AFAICT, all of these propose modifications to resolver or server behavior. > Number > <https://www.rfc-editor.org/search/rfc_search_detail.php?sortkey=Number&sorting=DESC&page=25&wg_acronym=dnsop&pubstatus[]=Standards%20Track&std_trk=Proposed%20Standard&pub_date_type=any> > > > Files Title Authors Date > <https://www.rfc-editor.org/search/rfc_search_detail.php?sortkey=Date&sorting=DESC&page=25&wg_acronym=dnsop&pubstatus[]=Standards%20Track&std_trk=Proposed%20Standard&pub_date_type=any> > More Info Status > RFC 7344 <http://www.rfc-editor.org/info/rfc7344> ASCII > <http://www.rfc-editor.org/rfc/rfc7344.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc7344.txt.pdf> Automating DNSSEC > Delegation Trust Maintenance W. Kumari, O. Gudmundsson, G. Barwood > September 2014 Updated by RFC 8078 > <http://www.rfc-editor.org/info/rfc8078> Proposed Standard (changed > from Informational March 2017 <https://www.rfc-editor.org/info/rfc8078>) > RFC 7477 <http://www.rfc-editor.org/info/rfc7477> ASCII > <http://www.rfc-editor.org/rfc/rfc7477.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc7477.txt.pdf> Child-to-Parent > Synchronization in DNS W. Hardaker March 2015 Errata > <http://www.rfc-editor.org/errata/rfc7477> Proposed Standard > RFC 7686 <http://www.rfc-editor.org/info/rfc7686> ASCII > <http://www.rfc-editor.org/rfc/rfc7686.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc7686.txt.pdf> The ".onion" > Special-Use Domain Name J. Appelbaum, A. Muffett October 2015 > Proposed Standard > RFC 7766 <http://www.rfc-editor.org/info/rfc7766> ASCII > <http://www.rfc-editor.org/rfc/rfc7766.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc7766.txt.pdf> DNS Transport over > TCP - Implementation Requirements J. Dickinson, S. Dickinson, R. > Bellis, A. Mankin, D. Wessels March 2016 Obsoletes RFC 5966 > <http://www.rfc-editor.org/info/rfc5966>, Updates RFC 1035 > <http://www.rfc-editor.org/info/rfc1035>, RFC 1123 > <http://www.rfc-editor.org/info/rfc1123> Proposed Standard > RFC 7828 <http://www.rfc-editor.org/info/rfc7828> ASCII > <http://www.rfc-editor.org/rfc/rfc7828.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc7828.txt.pdf> The > edns-tcp-keepalive EDNS0 Option P. Wouters, J. Abley, S. Dickinson, > R. Bellis April 2016 Proposed Standard > RFC 7873 <http://www.rfc-editor.org/info/rfc7873> ASCII > <http://www.rfc-editor.org/rfc/rfc7873.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc7873.txt.pdf> Domain Name System > (DNS) Cookies D. Eastlake 3rd, M. Andrews May 2016 Proposed Standard > RFC 8020 <http://www.rfc-editor.org/info/rfc8020> ASCII > <http://www.rfc-editor.org/rfc/rfc8020.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc8020.txt.pdf> NXDOMAIN: There > Really Is Nothing Underneath S. Bortzmeyer, S. Huque November 2016 > Updates RFC 1034 <http://www.rfc-editor.org/info/rfc1034>, RFC 2308 > <http://www.rfc-editor.org/info/rfc2308> Proposed Standard > RFC 8078 <http://www.rfc-editor.org/info/rfc8078> ASCII > <http://www.rfc-editor.org/rfc/rfc8078.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc8078.txt.pdf> Managing DS > Records from the Parent via CDS/CDNSKEY O. Gudmundsson, P. Wouters > March 2017 Errata <http://www.rfc-editor.org/errata/rfc8078>, Updates > RFC 7344 <http://www.rfc-editor.org/info/rfc7344> Proposed Standard > RFC 8145 <http://www.rfc-editor.org/info/rfc8145> ASCII > <http://www.rfc-editor.org/rfc/rfc8145.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc8145.txt.pdf> Signaling Trust > Anchor Knowledge in DNS Security Extensions (DNSSEC) D. Wessels, W. > Kumari, P. Hoffman April 2017 Proposed Standard > RFC 8198 <http://www.rfc-editor.org/info/rfc8198> ASCII > <http://www.rfc-editor.org/rfc/rfc8198.txt>, PDF > <http://www.rfc-editor.org/pdfrfc/rfc8198.txt.pdf> Aggressive Use of > DNSSEC-Validated Cache K. Fujiwara, A. Kato, W. Kumari July 2017 > Updates RFC 4035 <http://www.rfc-editor.org/info/rfc4035> Proposed > Standard > > >> Or to put it more bluntly - humans are not protocol elements that >> can be standardized. > > True, but not relevant to the issue at hand. And that's where you're wrong. DNS is problematic because there are some humans in the loop - basically on the database management and publication side. This is never so obvious as when thinking about RFC5011. In that case, it was possible to specify the behavior for the resolver based on the zone content, but it was impossible to specify that a zone manager actually place the content at a specific time and with a specific set of keys and signatures. If you'll note, 5011 has normative (the resolver behavior) and informative (suggested ways that a zone manager can publish data that 5011 would find useful) sections for just this purpose. In this case, this document is all about human behavior - NMI - no machines involved. Protocol standards are about consistent, coherent and repeatable behavior - terms rarely used with humans. If this document had "here's the modifications to the protocol engine" and "here's what people should do about it" you could publish this as a standard, but the second section would be marked "Informative". > >> Finally, this purports to update RFC7538 which is Informational. > > That's a good point. The WG draft that led to RFC 7538 was marked as > Informational for its entire lifetime, so the WG must have thought it > was OK to treat key rollover timing considerations as Informational. *sigh* Sorry - RFC7583 - not 7538. Mike > > --Paul Hoffman > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- Re: [DNSOP] Publication has been requested for dr… Tim Wicinski
- Re: [DNSOP] Publication has been requested for dr… Michael StJohns
- Re: [DNSOP] Publication has been requested for dr… Michael StJohns
- [DNSOP] Publication has been requested for draft-… Tim Wicinski
- [DNSOP] Working Group Last Call for for draft-iet… Michael StJohns
- Re: [DNSOP] Working Group Last Call for for draft… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for for draft… Michael StJohns
- Re: [DNSOP] Working Group Last Call for for draft… Wes Hardaker
- Re: [DNSOP] Working Group Last Call for for draft… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for for draft… Warren Kumari