[DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.

Warren Kumari <warren@kumari.net> Fri, 30 August 2024 01:14 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAC24C15107C for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2024 18:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DxAZTsWiBn-a for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2024 18:14:51 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B1BBC14F748 for <dnsop@ietf.org>; Thu, 29 Aug 2024 18:14:51 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id 38308e7fff4ca-2f4f505118fso14988281fa.3 for <dnsop@ietf.org>; Thu, 29 Aug 2024 18:14:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; t=1724980489; x=1725585289; darn=ietf.org; h=cc:to:subject:message-id:date:references:in-reply-to:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bfPXnZL4kWT1b79z3GjqHKtG1ZDsZSWcwxvV6FV5vlk=; b=S3wkqrKhQgPpkN/1IhN5anAy0vz4pcQyoPiC8mlemRVg7ngz/WUvcnD4OxaC5+JPV0 tkrLa056vigqeVgzXjwlJzquOOWmHfG7bbU7/ALyA12cKxIx+WIiwanGlUm1FOJkt22z mRDDKgEjzI2QoeosxIgA24Nuj7xJoSQgT4+9DFggaz4vyXFshGM8dHmp4zfbwZA9of6n PDUgGNFcijBuuv28SJ/e0pWxIo9owZcN7irvpc+JUQrQXGtxTb3ZD31codaxffL6L9qD yisb9/gYCe1q5M5uo5czlotKwcvIxtLXvuHK+AD4Srf4hLrx+Z4t59Mx69sEwU3f/3M4 0KMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724980489; x=1725585289; h=cc:to:subject:message-id:date:references:in-reply-to:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bfPXnZL4kWT1b79z3GjqHKtG1ZDsZSWcwxvV6FV5vlk=; b=jrIo/mAhFdwz/hIBJ137Tm6IbF2NN8kkk9/mgncvyGkRCkdG2FpdkBkzVIw4d3STfD TPL9T4MwUVS+GEfYZvDwKUTpjJAmbhz5CfZmhAmy3QwOg16jlxIUM4jz1xl19uh3q9An Lmf3DGmevYWnDqKF5zB6NYkWdZynen3ElN+tAdwzyCbQSyGz9W4nedzeVseAC4/U5jSK t/iPRQBhfjS3aabW/QzxuNSChXUGmG4LnU7gzN+otCrC5B5LHp0GbISEge/UGj6bwk5t dEmfdACvkNzi0KelCfBYX5t/ioZqc/JXY+6IdA4jO6PUv6wyH5qTx7aesTXrp0HapeSX ckiw==
X-Gm-Message-State: AOJu0Yw3DqqCikFKzapjE+VQCyfzmSmmN1xsmTLk5khoBcccw//rJ//W 2Hde7oSJGqa6xf6uila2lofeeL6S2YMfPcDvsq90d2mJz1zvd7em68k2gQtAyKI5Nq4eTcBFPBB WtpVso2L+PSwhnQFkbIWTptRx3UrRNpNEPkwftbBu7gW0l8kD
X-Google-Smtp-Source: AGHT+IGgNirtj2MG6M7gOfhgvyP/k8hPUgcbP0B/u7oD4yvDrJPMNbFCsq0UVJp41Fv+X5O5tDZ4psaAJCh8s/PLKBE=
X-Received: by 2002:a2e:9593:0:b0:2ee:80b2:1e99 with SMTP id 38308e7fff4ca-2f610579bf1mr24691391fa.44.1724980488916; Thu, 29 Aug 2024 18:14:48 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Thu, 29 Aug 2024 18:14:47 -0700
Mime-Version: 1.0
X-Mailer: Superhuman Desktop (2024-08-29T19:06:00Z)
X-Superhuman-Draft-ID: draft00783b624270c45d
From: Warren Kumari <warren@kumari.net>
X-Superhuman-ID: m0g0ucrl.b1fe0f84-85e5-400d-928c-aa8e911ffeef
In-Reply-To: <e220ce5e-7624-4ade-8be4-77685e20f3cf@nthpermutation.com>
References: <CAHw9_iL-ZwwA_pckR+=7SndOvqjfcNX9FjZ9Bim24uSYgTxkyw@mail.gmail.com> <98896B9D-259E-4E46-8DC7-E873D8B25F55@icann.org> <d9aed09d-b1c8-4ba1-9d4e-e83d504bfe40@nthpermutation.com> <65A596AD-1A4F-400A-9404-E2D60A54BE66@icann.org> <36118f44-d18d-443b-8aa8-007b8b62db3f@nthpermutation.com> <49523BCB-7747-44A2-97FA-8F46B238B4E0@icann.org> <cb326dc1-cee9-4369-9cb4-7ffc314e0eb3@isc.org> <CAHw9_iJ_xpJ4_WOPqkP6XjahiS01czO3=8fiAZbjUwTop7_zBA@mail.gmail.com> <3A844030-5C0A-4BB7-A56B-B6C8C159D9BC@icann.org> <e220ce5e-7624-4ade-8be4-77685e20f3cf@nthpermutation.com>
Date: Thu, 29 Aug 2024 18:14:47 -0700
Message-ID: <CAHw9_iKGt5NpWnAuOh3Sz6RUCc7J=joJHFYL+uNsjRK8wesQ4Q@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: multipart/alternative; boundary="000000000000497c100620dc5136"
Message-ID-Hash: F4PIRO3AVRGYDLIIYEQFGKRZIVHT2CR6
X-Message-ID-Hash: F4PIRO3AVRGYDLIIYEQFGKRZIVHT2CR6
X-MailFrom: warren@kumari.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Lmmz5BoKb5AjMHNfQL1HfXayeJM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Thu, Aug 29, 2024 at 6:21 PM, Michael StJohns <msj@nthpermutation.com>
wrote:

> On 8/29/2024 4:24 PM, Paul Hoffman wrote:
>
> On Aug 27, 2024, at 16:46, Warren Kumari <warren@kumari.net> <warren@kumari.net> wrote:
>
> Thank you very much for your comments. We've had some discussions, and the authors will be publishing a new version in the next few days addressing these.
>
> As you can see, we have turned in -05. We think this deals with the comments from Petr and Mike. In the diff, you can see that we moved all things that said what a relying party who accepts the trust anchor file MUST/SHOULD do to the Security Considerations; this puts them in one place and gives the context for them. We also added some text about how to do the comparison for the two fields (referring to the specific part of RFC 4034 that they need).
>
> Given that this is still in your (Warren's) two hands, not the WG's many hands, let us know if you need any more changes before the assigned telegchat.
>
> --Paul Hoffman (for the authors)
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>
> Hi -
>
> Took a brief look at -05.  Still problems unaddressed.  Section 2.2 6th
> paragraph:
>
>
>    The validFrom and validUntil attributes in the KeyDigest element
>    specify the range of times that the KeyDigest element can be used as
>    a trust anchor.
>
>
> "can be used as a trust anchor" is problematic as it appears to be
> directive on the recipient.   As I've said - now at least three times -
> please change this language so it represents what the IANA is doing, not
> what the recipient should do.  Among other things, specifying a
> "validUntil" date on a trust anchor and then NOT ceasing to use that trust
> anchor and not "replacing" it is problematic.
>
> Instead replace this paragraph with:
>
> "The validFrom attribute in the KeyDigest element indicates the first
> planned date that the IANA intends to start signing the root DNSKEY RRSet
> with this key.  Likewise, the validUntil attribute indicates the last
> planned date of such signing.  However, these are for planning purposes
> only and relying parties should not automatically invoke a state change on
> a trust anchor based on these dates as operational considerations may
> result in a delay past these dates."
>


Yes, you have stated this multiple times; however, I believe you are in the
rough. The IANA has reviewed this text (which is identical in the original
RFC, RF7958), and the validUntil is intended to mean exactly what it
says:  the material is validUntil then, and is not intended to be used
after that. Yes, this does mean that the IANA has to publish new keys
before then, and it is an error if they don't. This is just like any other
trust anchor — e.g my machine ships with a "Baltimore CyberTrust Root" cert
in the trust store, which is Not Valid After Monday, May 12, 2025 at
7:59:00 PM Eastern Daylight Time. This is when it stops being valid, not
necessarily when they hope to have replaced it by…

Yes, I might *personally* decide to use the IANA TA after the validUntil if
they haven't published a new one. If I did, that would be entirely my own
(bad) decision, and I'm clearly doing something unsupported… just like if I
happen to eat a can of beans past their expiration date…


Section 4 - nit - generally we don't have single entry subsections.
>
>
> Delete section 4.1.1 - continues to be a problem if IANA fails to
> supercede a trust anchor on the planned schedule.
>


As above -- the validUntil is not the planned schedule; it is when the key
is validUntil.


> It is directive on the relying party in a way that could cause operational
> difficulties - to wit - iana actually continuing to sign with the set of
> trust anchors past their validUntil dates.  There is also no such thing as
> "change to a trust anchor" in DNSSEC.  All trust anchors are equally valid
> until revoked or removed.
>
> Delete the third paragraph of section 5.
>
> In section 5, replace the first sentence with:
>
> "The intent is for the IANA to publish trust anchors using this format at
> least <6> months before the first use of a new trust anchor.  The intent is
> also that the published document will include all DNSSEC trust anchors for
> the root zone that are currently under management (e.g. generated and
> loaded for use within a key signing ceremony but not revoked) by the IANA
> at the time of publication."
>
> Second paragraph - lower case the "may" - people are mostly not protocol
> elements, although the DNS crowd seems to think so.  Also, add "Also for
> operational reasons, IANA may delay taking any trust anchor key out of
> service past the dates indicated in the most recent publication of the
> trust anchor file."
>

Your suggested text is attempting to specify IANA policy / telling IANA how
they should be running and managing the trust anchor. This is not the
document to do it in, nor is this the list to do it on — that's the
ksk-rollover@icann.org mailing list.

I understand that you don't like this document; however, I believe you are
in the rough. The document went through WGLC and IETF LC, and was reviewed
by the IANA. Petr identified issues which he clearly documented in a polite
and helpful manner, and these were addressed, and the changes confirmed
with the WG. I'm not seeing support for your interpretation, nor do I think
that the larger changes are in scope for this document or the IETF.


> Please - can we avoid moving the deck chairs around again without actually
> fixing anything?
>

I believe that the authors are attempting to do what the WG, IETF, IANA and
myself have requested, and I think that the above tone was neither helpful
nor necessary.

W

Thanks - Mike
>
>
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>