Re: [DNSOP] [Ext] Paul Wouters' Discuss on draft-ietf-dnsop-dnssec-bcp-05: (with DISCUSS and COMMENT)
Paul Hoffman <paul.hoffman@icann.org> Wed, 19 October 2022 18:27 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3877C1524B2; Wed, 19 Oct 2022 11:27:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBXGNxshwDjg; Wed, 19 Oct 2022 11:27:29 -0700 (PDT)
Received: from ppa3.lax.icann.org (ppa3.lax.icann.org [192.0.33.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7719AC1524AE; Wed, 19 Oct 2022 11:27:29 -0700 (PDT)
Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.7]) by ppa3.lax.icann.org (8.17.1.5/8.17.1.5) with ESMTPS id 29JIRPZT001426 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 19 Oct 2022 18:27:25 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.12; Wed, 19 Oct 2022 11:27:24 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.1118.012; Wed, 19 Oct 2022 11:27:24 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Paul Wouters <paul.wouters@aiven.io>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-dnssec-bcp@ietf.org" <draft-ietf-dnsop-dnssec-bcp@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>
Thread-Topic: [Ext] Paul Wouters' Discuss on draft-ietf-dnsop-dnssec-bcp-05: (with DISCUSS and COMMENT)
Thread-Index: AQHY4o4MfH9uTNk2o0SPsn7F9t2FA64WgRoA
Date: Wed, 19 Oct 2022 18:27:24 +0000
Message-ID: <ECF181D2-0FD3-4D15-B6E4-2F42B93AD57E@icann.org>
References: <166605526710.24284.11363203575520574738@ietfa.amsl.com>
In-Reply-To: <166605526710.24284.11363203575520574738@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: multipart/signed; boundary="Apple-Mail=_BF890C8D-2447-4D82-B3CF-EA93B8979177"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-10-19_11,2022-10-19_04,2022-06-22_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Mi-JaFUxftcV1ZNzkvftXkUHKNU>
Subject: Re: [DNSOP] [Ext] Paul Wouters' Discuss on draft-ietf-dnsop-dnssec-bcp-05: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 18:27:33 -0000
On Oct 17, 2022, at 6:07 PM, Paul Wouters via Datatracker <noreply@ietf.org> wrote: > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > > Since draft-ietf-dnsop-rfc5933-bis is in IETF Last Call now, Timing is everything in Internet protocols and comedy. > I think it is > worth waiting on and updating this text: > > The GOST signing algorithm [RFC5933] was also adopted, but > has seen very limited use, likely because it is a national algorithm > specific to a very small number of countries. > > To add a reference that RFCXXX updates the GOST algorithms for DNSSEC Yes. > (but that > it is uncertain at this point whether it will be widely adopted) It is unwise to try predict the future in any RFC, much less a BCP. > I could be convinced for this document to not wait, but then I do think this > paragraph should state that it is NOT RECOMMENDED to implement RFC5933 since > the underlying GOST algorithms have been deprecated by its issuer. No, I think it's fine to hold this document to be correct about GOST. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > One purpose is to introduce all of the RFCs in one place so > that the reader can understand the many aspects of DNSSEC. This > document does not update any of those RFCs. Another purpose is to > move DNSSEC to Best Current Practice status. > > I think another purpose not mentioned, which for me was a main motivator for > this document, is to provide a single RFC reference for other documents that > want to point to "DNSSEC" using a single reference instead of referring to the > 3 core components (in an incomplete way) Good additon. > > More than 15 years after the DNSSEC specification was published, it > is still not widely deployed. Recent estimates are that fewer than > 10% of the domain names used for web sites are signed, and only > around a third of queries to recursive resolvers are validated. > > What is the value of this paragraph? This was debated in the WG, and was chosen for inclusion to highlight that a BCP does not mean "widely deployed". > You wouldn't want to have a single IPv6 > reference RFC say this either :) Oh, I think I would. :-) There is a long list of technologies that could be inserted there... > > This document will be "the reference RFC" for a long time. It should not have > dated/outdated statistics in it. It feels like it is better to give statistics than to just handwave "still not widely deployed". > > However, this low level of implementation does not affect whether > DNSSEC is a best current practice > > I don't think the level of implementation is low. It is actually quite high. > Practically all DNS software implements it. I think you meant deployment ? Yes, good. > > NITS: > > which algorithms recursive resolver operators should or should not > validate. > > change to: > > which algorithms recursive resolver operations should or should not > use for validation > > (the algorithms themselves are not validated) > Yep. <https://github.com/paulehoffman/draft-hoffman-dnssec/commit/cbc5040> --Paul Hoffman
- [DNSOP] Paul Wouters' Discuss on draft-ietf-dnsop… Paul Wouters via Datatracker
- Re: [DNSOP] [Ext] Paul Wouters' Discuss on draft-… Paul Hoffman