Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt

Warren Kumari <warren@kumari.net> Tue, 16 December 2014 17:54 UTC

Message-ID: <CAHw9_iJxKncf-zWKOZdXKdhCkrJiKjuzqWrG_r=SBNreKbn6UQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Rubens Kuhl <rubensk@nic.br>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/K_9z9A8dmz18MGh46nnsfvpWwaQ
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt

On Mon, Dec 15, 2014 at 9:17 PM, Rubens Kuhl <rubensk@nic.br> wrote:
>
> My feedback to a possible -01 version is to add something related to not considering NTAs for the upper hierarchy of a failed DNSSEC domain. For instance, even if I see a good number of .gov domains failing DNSSEC, adding an NTA configuration for .gov would not be considered good operational practice, unless .gov itself starts failing DNSSEC validation.
>
> I know no RFC can determine what ops really end up doing, but not being allowed to claim that as a prescribed practice has some value.


We had tried to capture that with:
"It does not and should not involve turning off validation more broadly."
and
"Finally, a Negative Trust Anchor SHOULD be used only in a specific domain or sub-domain and MUST NOT affect validation of other names up the authentication chain."

I thought that we also had some text that said that the NTA should
cover the minimum necessary to fix the issue, but I cannot find that
text at the moment - we may have removed it because it was very
clunky. Anyway, do the above bits cover what you wanted, or do you
think we need to be more explicit?

W

>
>
> Rubens
>
>> On Dec 15, 2014, at 11:15 PM, internet-drafts@ietf.org wrote:
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Domain Name System Operations Working Group of the IETF.
>>
>>       Title           : Definition and Use of DNSSEC Negative Trust Anchors
>>       Authors         : Paul Ebersman
>>                         Chris Griffiths
>>                         Warren Kumari
>>                         Jason Livingood
>>                         Ralf Weber
>>       Filename        : draft-ietf-dnsop-negative-trust-anchors-00.txt
>>       Pages           : 17
>>       Date            : 2014-12-15
>>
>> Abstract:
>>  DNS Security Extensions (DNSSEC) is now entering widespread
>>  deployment.  However, domain signing tools and processes are not yet
>>  as mature and reliable as those for non-DNSSEC-related domain
>>  administration tools and processes.  Negative Trust Anchors
>>  (described in this document) can be used to mitigate DNSSEC
>>  validation failures.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-dnsop-negative-trust-anchors-00
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
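One way to express the scoping rule the thread is discussing (an NTA covers only the configured name and the names below it, never the parents up the authentication chain) in resolver-side logic. This is an added illustration, not text from the draft and not code from anyone in the thread; the zone names and the policy strings are constructed assumptions.

```python
"""Scoping check for a DNSSEC Negative Trust Anchor (NTA).

Added illustration only; not code from the draft or the thread. It models
the quoted rule: an NTA applies to a specific domain or sub-domain and
MUST NOT affect validation of other names up the authentication chain.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels, root-first, case-insensitively."""
    name = name.rstrip(".").lower()
    return [] if name == "" else list(reversed(name.split(".")))


def load_ntas(configured: list[str]) -> list[str]:
    """Reject an NTA at the root, which would turn validation off globally
    (the draft says an NTA should not turn off validation more broadly)."""
    for nta in configured:
        if not _labels(nta):
            raise ValueError("an NTA at the root disables validation entirely")
    return configured


def nta_covers(nta: str, qname: str) -> bool:
    """True if the NTA at `nta` suppresses a validation failure for `qname`.

    Comparison is label-wise rather than a string-suffix test, so an NTA
    for "broken.example.gov" matches "www.broken.example.gov" but not
    "badbroken.example.gov", and it never matches an ancestor such as
    "example.gov", "gov" or the root.
    """
    n, q = _labels(nta), _labels(qname)
    return len(q) >= len(n) and q[: len(n)] == n


def validation_policy(ntas: list[str], qname: str) -> str:
    """Decide what a validating resolver does for a name that failed DNSSEC.

    "serve-unvalidated": some NTA covers qname, so the subtree is treated as
    insecure.  "servfail": no NTA applies, so the failure stays closed;
    this is what keeps an NTA below .gov from affecting .gov itself.
    """
    if any(nta_covers(nta, qname) for nta in ntas):
        return "serve-unvalidated"
    return "servfail"


if __name__ == "__main__":
    # Constructed sample configuration: one broken zone under .gov.
    ntas = load_ntas(["broken.example.gov"])
    for q in ["www.broken.example.gov", "example.gov", "gov", "."]:
        print(q, "->", validation_policy(ntas, q))
```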