IETF Logo Mail Archive

[DNSOP]Re: [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)

Peter Thomassen <peter@desec.io> Wed, 15 May 2024 20:49 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9636AC1840EF; Wed, 15 May 2024 13:49:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EeTh9S7VceYM; Wed, 15 May 2024 13:49:50 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8D70C1840D1; Wed, 15 May 2024 13:49:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=nB4AT1CiaEVWvCBT9qf78Va/+Ja/lmwQYb3H5VQaaBE=; b=bOPXvt/pG7fQHq99zQ0+btt319 SlGE33sBQs9nV70w8DZiDpe4m0+7HF040Gkc1n0dtRX9Yw3t27mbmxNjy4OntYmlCB4lmamg0+G6b PzebmBP1BYw0FgqtJf9D/PgLFhw69wRf7R+djCV+QlhDoyCAB0kMI9UHZOeloZMWrDxcoOmvNgZrG 33nykY5aFPZKg/q/0g33zKWVnMCzbQns5gE8knFco/e727GIc8o9CRXGagr0SUAh4Yr6rN+z7F87m KOzD/XkyOp3gaJJt/i+WRhDAOvFfrL0x20G42+wZ2XT82X8lrN/fY3iqKukucLgXvdgN88DBOZeAZ rRpxR1cQ==;
Received: from [2a02:8109:9283:8800:c02b:4ff4:bd85:8031] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1s7LZ4-005QQ1-8D; Wed, 15 May 2024 22:49:30 +0200
Message-ID: <cdf0bf6d-d482-4d95-bbc8-c3b2227330d9@desec.io>
Date: Wed, 15 May 2024 22:49:29 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: drafts-expert-review-comment@iana.org
References: <RT-Ticket-1362913@icann.org> <rt-5.0.3-225992-1713566832-1739.1362913-9-0@icann.org> <647558F8-2FEF-4418-AE1C-3BDC3B22A89B@nohats.ca> <1cb4663f-9502-47db-a099-ce5147bb733e@desec.io> <94ea3a71-6c1c-10af-a71f-7cee34e8d0d4@nohats.ca> <F21226BA-266A-4BF8-AD17-0D908B10AC54@nist.gov> <rt-5.0.3-189191-1713786135-470.1362913-9-0@icann.org> <rt-5.0.3-1375868-1714672753-112.1362913-9-0@icann.org> <e8749688-39bc-4ba2-a4a0-659a81736f0c@desec.io> <rt-5.0.3-2156695-1715247569-1774.1362913-9-0@icann.org> <rt-5.0.3-106980-1715724231-1490.1362913-9-0@icann.org>
Content-Language: en-US
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <rt-5.0.3-106980-1715724231-1490.1362913-9-0@icann.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: C2MRWV5H3J3JOLIREKYTHGP7ELWSGHA4
X-Message-ID-Hash: C2MRWV5H3J3JOLIREKYTHGP7ELWSGHA4
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: scott.rose@nist.gov, nils@desec.io, dnsop@ietf.org, oli.schacher@switch.ch, q@as207960.net, christian@elmerot.se, daniel.salzman@nic.cz, paul@nohats.ca, johnl@taugh.com, draft-ietf-dnsop-dnssec-bootstrapping.all@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP]Re: [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/N3h4OYDsB2wxgbLf55Yw_oOMrkk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi David,

The DNSOP chairs have told me that the document is no longer a WG document as it's with the IESG, so a consensus call here is not applicable.

Given the discussion here, we'll leave it to the IESG to decide. If I hear any news, I'll post them here.

Thanks,
Peter


On 5/15/24 00:03, David Dong via RT wrote:
> Hi all,
> 
> Following up on this. Please let us know how we should proceed for this. Thank you.
> 
> Best regards,
> 
> David Dong
> IANA Services Sr. Specialist
> 
> On Thu May 09 09:39:29 2024, peter@desec.io wrote:
>> [another (last) attempt of reposting this as it did not get delivered
>> to dnsop@ietf.org on May 7, as evidenced by the list archive]
>>
>>
>> Hi,
>>
>> On 5/2/24 19:59, David Dong via RT wrote:
>>> Following up on this; does the group agree that "_dnssec" is OK?
>>
>> Looking at what's been said in this thread:
>> - Two people have proposed to change the label, current proposal:
>> _dnssec
>> - Two implementers have said they'd make the change but don't seem
>> convinced
>> - The authors (hats off, but also implementers and authors of current
>> drafts using the mechanism) are not convinced
>>
>> The authors don't feel comfortable declaring consensus in either
>> direction (neither do we know whether that's our role), and we're not
>> sure how to proceed. Perhaps the DNSOP chairs could weigh in, as the
>> discussion is happening on the WG list although the document is
>> technically out of the door ...
>>
>>
>> I've been reluctant adding the following argument as to not seem
>> insisting; OTOH it may have its own technical merit, so here is.
>>
>> The "_dnssec" label implies that the mechanism is not suitable for
>> signaling unrelated to DNSSEC. That's an artificial limitation, and
>> it's unclear why to impose the restriction. An operator could very
>> well want to publish other things, like
>>
>> - TXT at _abuse.example.com._signal.ns1.provider.net for an abuse
>> address,
>> - PTR at _catalog.example.com._signal ... for catalog zone membership,
>> - ...
>>
>> If the signaling method is generic, I believe it should have a short
>> generic label. Any specificity to determine the kind of signal can go
>> into the first label.
>>
>> I have no specific preference for "_signal" other than I don't know
>> what a good alternative would be. Narrowing the scope with "_dnssec"
>> doesn't seem to improve the situation.
>>
>> Thanks,
>> Peter
>> + Nils (for the "we"/author statements)
>>
>>
>>> Thank you.
>>>
>>> Best regards,
>>>
>>> David Dong
>>> IANA Services Sr. Specialist
>>>
>>> On Mon Apr 22 11:42:15 2024, scott.rose@nist.gov wrote:
>>>> On 20 Apr 2024, at 19:38, Paul Wouters wrote:
>>>>
>>>>> On Sat, 20 Apr 2024, Peter Thomassen wrote:
>>>>>
>>>>>> The authors certainly don't insist, but we'd need to pick a
>>>>>> suitable
>>>>>> replacement for the "_signal" label.
>>>>>>
>>>>>> John proposed "_dnssec-signal" elsewhere in this thread.
>>>>>>
>>>>>> The authors would like to note that adding "_dnssec-" eats up 8
>>>>>> more
>>>>>> bytes, increasing chances that bootstrapping will fail due to the
>>>>>> _dsboot.<domain-name>._dnssec-signal.<nsname> length limitation.
>>>>>> Other than this (unnecessary?) use case narrowing, this choice
>>>>>> seems
>>>>>> fine.
>>>>>>
>>>>>> That said, does this choice address your concerns?
>>>>>
>>>>> It would, but I would also be okay if it is just _dnssec.
>>>>>
>>>>
>>>> If the concern is that the label is too generic, “_dnssec” might be
>>>> too generic as well. If it is to be more precise, go with _ds-boot
>>>> or
>>>> something more specific to the use case. I don’t have an
>>>> implementation in the mix, so it this isn’t a strong opinion.   If
>>>> the
>>>> group agrees _dnssec is fine, then I am fine with it too.
>>>>
>>>> Scott
>>>>
>>>> =====================================
>>>> Scott Rose
>>>> NIST/CTL/WND
>>>> scott.rose@nist.gov
>>>> ph: 301-975-8439
>>>> GoogleVoice: 571-249-3671
>>>> =====================================
>>>
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

-- 
Like our community service? 💛
Please consider donating at

https://desec.io/

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525

v2.30.2 | Report a Bug | By Email | System Status