Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-00.txt
Bob Harold <rharolde@umich.edu> Thu, 10 December 2015 18:13 UTC
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B24F1AC3B9 for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2015 10:13:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Qi1E6y-w2OK for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2015 10:13:26 -0800 (PST)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1EAF1ABC10 for <dnsop@ietf.org>; Thu, 10 Dec 2015 10:13:10 -0800 (PST)
Received: by vkbs1 with SMTP id s1so94741379vkb.1 for <dnsop@ietf.org>; Thu, 10 Dec 2015 10:13:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich-edu.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=9s4mPmpWm62ba3Ty142KX1omeetvQfb/Z+wDvWeaT5E=; b=lAa0WcLJzN30nk9ewCsQW7pIk1aW5rliqmVK8BmuJ72wyoklw+XyiPGZ8HBaxE9x2W YZ9EO7AApgWyj5pPpGH6kGQovIxwk3fnfGiVuKg8Tfe0i4xiHaou+rSd8R1XZu5cwWw+ M5WcZoo271abiicMR4FjSbShGbA4MVjjTvbs85zEQI4NK8eeEoqoY760X017F3LmHJAH mD0hUCBE2zYU/3+f0ynSWtOx88xQbNnu9z9zjl8rRBlyEkqbp85NaPS6hqDhmdnV/eC3 7QjR1oembt+vO14CVgEHbWGhrDwkp6L6fK5+a6cmgUj7N0AR6s2b/b7AqN/LS66X6O7L MuBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=9s4mPmpWm62ba3Ty142KX1omeetvQfb/Z+wDvWeaT5E=; b=WKIhuLjKLuWXFleKQTJitY7wq7AFQuRQPn+p7n3jvSCEalhfx0z35QC88H7ErcwLy9 Uv3X+Kl+IFwCzM98OQSHp3XF0LlntdqQQMk7qPk0qxhCuZ5u85kCpLi9lMBs2MUyHv/f uAMN+YwZA6iUyygRTbcM31eA/qerzUH7vvaNyY/9FLTB9N5UJ/YbFdvuDiy6K4WY6GUa sRM0HhmSmgpuOMuxrZ485oMoh7k1lqwFBsP7QPHp82BaXWYCACcdJCwZN7yZp7DEbwTH gmpUpSVNF5XeC+kJwpi+bOdaXbHYTKW4Vnuo9QvE+hFcp1s+H9y/Zrx/SDUIQmzp5Us/ pykA==
X-Gm-Message-State: ALoCoQnFX11w0TQ1W/sj9Q1oB5sY0QOmpXlXNgwnvUVy+xfIU4lvWzxnEPNCzlEy3baX1A9ZT6W/apmk3OyMjp6tntSGRfhHOvxpZc2BP5bkhZDw50h6O1o=
MIME-Version: 1.0
X-Received: by 10.13.211.194 with SMTP id v185mr5588302ywd.213.1449771189631; Thu, 10 Dec 2015 10:13:09 -0800 (PST)
Received: by 10.129.91.212 with HTTP; Thu, 10 Dec 2015 10:13:09 -0800 (PST)
In-Reply-To: <20151209202733.1080.44157.idtracker@ietfa.amsl.com>
References: <20151209202733.1080.44157.idtracker@ietfa.amsl.com>
Date: Thu, 10 Dec 2015 13:13:09 -0500
Message-ID: <CA+nkc8AJD5F2o6hg-UQPFZmr722g2Ld8fh5iH8x80j3W_LFC-g@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
To: internet-drafts@ietf.org
Content-Type: multipart/alternative; boundary="001a114e5610c3b29605268f2832"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/MXGFXpRo9Zv5pXfF0ZR8xF_kkH0>
Cc: IETF DNSOP WG <dnsop@ietf.org>, i-d-announce@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 18:13:28 -0000
On Wed, Dec 9, 2015 at 3:27 PM, <internet-drafts@ietf.org> wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Domain Name System Operations Working > Group of the IETF. > > Title : The EDNS Key Tag Option > Author : Duane Wessels > Filename : draft-ietf-dnsop-edns-key-tag-00.txt > Pages : 9 > Date : 2015-12-09 > > Abstract: > The DNS Security Extensions (DNSSEC) were developed to provide origin > authentication and integrity protection for DNS data by using digital > signatures. These digital signatures can be verified by building a > chain-of-trust starting from a trust anchor and proceeding down to a > particular node in the DNS. This document specifies a way for > validating end-system resolvers to signal to a server which keys are > referenced in their chain-of-trust. The extensions allow zone > administrators to monitor the progress of rollovers in a DNSSEC- > signed zone. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-edns-key-tag/ > > There's also a htmlized version available at: > https://tools.ietf.org/html/draft-ietf-dnsop-edns-key-tag-00 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ 5.2.1 <https://tools.ietf.org/html/draft-ietf-dnsop-edns-key-tag-00#section-5.2.1>. Validating Recursive Resolvers This sentence concerns me: "When the recursive server receives a query with the option set, the recursive server SHOULD set the edns-key-tag list for any outgoing iterative queries for that resolution chain to a union of the stub client's Key Tag(s) and the validating recursive resolver's Key Tag(s)." That approach hides the fact that the stub client's Key Tag(s) might be missing the latest tags, which is precisely the information that we are trying to gather. The intersection (only tags in all lists) would be a better indicator of what tags everyone can use to validate. Better yet would be to forward multiple lists of keytags (either encoded in one option, or repeated options) so that the receiver gets a better picture of all the resolvers and their state. I would suggest that the recursive server's tag list be the last list, since that information might be useful to the receiver.
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Stephane Bortzmeyer
- [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Bob Harold
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Edward Lewis
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key… Wessels, Duane