IETF Logo Mail Archive

Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

"Paul Hoffman" <paul.hoffman@vpnc.org> Mon, 28 September 2015 16:35 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05F731ACE52 for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 09:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7KeCa0VG7kMI for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 09:35:52 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B3E61ACE51 for <dnsop@ietf.org>; Mon, 28 Sep 2015 09:35:52 -0700 (PDT)
Received: from [10.32.60.125] (142-254-17-123.dsl.dynamic.fusionbroadband.com [142.254.17.123]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t8SGZng6032501 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 28 Sep 2015 09:35:50 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-123.dsl.dynamic.fusionbroadband.com [142.254.17.123] claimed to be [10.32.60.125]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Joe Abley <jabley@hopcount.ca>
Date: Mon, 28 Sep 2015 09:35:39 -0700
Message-ID: <4F880C04-95D4-47E5-8132-DCCA6F2F1C14@vpnc.org>
In-Reply-To: <0E4AA958-7740-4602-A3CF-D2E481DBC15E@hopcount.ca>
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <0E4AA958-7740-4602-A3CF-D2E481DBC15E@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.1r5084)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/MNkfDScbF-yr5PMB8vDDMqYMu28>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2015 16:35:54 -0000

On 28 Sep 2015, at 4:59, Joe Abley wrote:

> Hi all,
>
> We don't seem to be getting anywhere with this draft. (Jakob is going 
> to bump it to -12; there have been no real updates apart from the 
> version bump in
>
> I appreciate that the methods described in this document are not 
> universally liked. I have a feeling that we would get more discussion 
> if the question was more open-ended, e.g. how should trust anchors be 
> published?
>
> This document describes existing practice, and provides guidance for 
> people who need to bootstrap a validator using the mechanisms provided 
> by ICANN back in 2009/2010 when the root zone was first published.
>
> Here's a suggestion. If we were to consider publishing this document 
> as-is as a way of describing the current approach, we would at least 
> have a stable reference to the way we do things today. We could always 
> consider other approaches and, once implemented by ICANN, publish a 
> new document that obsoletes or updates this one.
>
> If that's an approach that people could stomach, then I would suggest 
> the next step is to WGLC this document and for those who would like to 
> propose different mechanisms to write them down.

We could do that, but the RFC should probably not be published for at 
least another six months due to terminology / politics / IANAPLAN, so we 
don't need to rush the WG LC either. For example, the draft uses the 
phrase "an IANA function performed by ICANN", to which many folks at 
layer 9 will object until the transition has already happened.

If the WG wants to adopt this draft before the IANA transition is done, 
I would strongly prefer that the document be first adopted before there 
is a WG Last Call. Getting the wording in the document about "this is a 
current implementation" should be done in more than one step. As a 
concrete example, the abstract boldly states "This document describes 
how such trust anchors are published" which should instead be "This 
document describes one way how such trust anchors are published". Even 
the phrase in the abstract "has been cryptographically signed" can be 
misread by the ICANN skeptics as "was signed in the past, but isn't 
currently". There are other examples in the document that should be 
stated more carefully.

Also: how much is this document really needed? Are there operators of 
validating resolvers who are unfamiliar with how to get the trust 
anchor? It is likely that the most common method for getting the DNSSEC 
trust anchor for the DNS is "it came in my distro". If so, then a "how 
it is currently done" document needs to emphasize the positive and 
(maybe very) negative aspects of this practice.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email