Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements
Florian Obser <florian+ietf@narrans.de> Wed, 07 June 2023 17:38 UTC

On 2023-06-07 13:08 -04, Tim Wicinski <tjw.ietf@gmail.com> wrote:
> Just a reminder we're looking for any feedback on continuing work on this
> document. The Chairs/OverLord Warren feel significant work on this
> document is needed, but that may not be relevant.

The document seems to have a rather pessimistic view on running a
validator. It has this huge list of things that an operator has to do
and does not assign any importance to them - everything seems to be
equally important. If I were to read this as the person responsible for
running the recursive resolver at an enterprise or at an ISP I'd think:
That sounds like effort and incredibly fragile, it's probably best to
not enable validation.

It would be nice to have an informational RFC on the topic, but I'm not
convinced this is it. Maybe Andrew's suggestion to split this up is the
way forward. Maybe have one document with minimum requirements (correct
time, stuff like that) and take it from there.

>
> We're wrapping this feedback up this Sunday 11 June.
>
> (and Thanks Andrew for your comments)
>
> tim

-- 
In my defence, I have been left unsupervised.