IETF Logo Mail Archive

[DNSOP] draft-dnsop-dnssec-trust-anchor-01 comments

"Scott Rose" <scottr@nist.gov> Wed, 04 June 2008 19:15 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@optimus.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2FA1428C27A; Wed, 4 Jun 2008 12:15:38 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4765028C261 for <dnsop@core3.amsl.com>; Wed, 4 Jun 2008 12:15:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.523
X-Spam-Level:
X-Spam-Status: No, score=-0.523 tagged_above=-999 required=5 tests=[AWL=-0.524, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id auROU5q5NXOZ for <dnsop@core3.amsl.com>; Wed, 4 Jun 2008 12:15:36 -0700 (PDT)
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by core3.amsl.com (Postfix) with ESMTP id D134828C2C1 for <dnsop@ietf.org>; Wed, 4 Jun 2008 12:11:50 -0700 (PDT)
Received: from postmark.nist.gov (emailha2.nist.gov [129.6.16.198]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id m54JBnuj025889 for <dnsop@ietf.org>; Wed, 4 Jun 2008 15:11:49 -0400
Received: from 619893L ([129.6.220.160]) by postmark.nist.gov (8.13.1/8.13.1) with SMTP id m54JBejK029198 for <dnsop@ietf.org>; Wed, 4 Jun 2008 15:11:45 -0400
From: Scott Rose <scottr@nist.gov>
To: IETF DNSOP WG <dnsop@ietf.org>
Date: Wed, 04 Jun 2008 15:11:39 -0400
Message-ID: <JNEGICILJHDCEMKOEACNCEOADFAA.scottr@nist.gov>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-Reply-To: <20080429085440.GC5612@unknown.office.denic.de>
Importance: Normal
X-NIST-MailScanner-Information:
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: scottr@nist.gov
Subject: [DNSOP] draft-dnsop-dnssec-trust-anchor-01 comments
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

I remembered that I was one of the folk volunteering to review this draft.

I support this draft with some general comments below-

1. Introduction
A resolver might want to maintain a zone's key as a trust anchor even if the
zone has a signed delegation.  Likewise a zone may wish to distribute it's
key for use as a trust anchor in addition to having a DS RR in the parent
zone.  This really doesn't change things in the document as a whole, but
something to keep in mind.

Last sentence in Section 3:  Should the resolver really consider zone
responses as BOGUS?  What if the zone is now provably unsecure?

Security Considerations:
If the text in Section 3 changes, this would need to change too.


These are fairly minor things really.
Scott



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email