Re: [DNSOP] Last Call: <draft-ietf-dnsop-negative-trust-anchors-10.txt> (Definition and Use of DNSSEC Negative Trust Anchors) to Informational RFC

"Joe Abley" <jabley@hopcount.ca> Tue, 09 June 2015 15:29 UTC

From: Joe Abley <jabley@hopcount.ca>
To: ietf@ietf.org
Date: Tue, 09 Jun 2015 11:29:16 -0400
Message-ID: <BE1C09F7-B143-48E3-B6D5-A291B1BEE0E6@hopcount.ca>
In-Reply-To: <20150609125826.2862.7677.idtracker@ietfa.amsl.com>
References: <20150609125826.2862.7677.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/O-sdrdIMw0xHLcrZn4uIFKvD0gI>
Cc: dnsop@ietf.org, IETF-Announce <ietf-announce@ietf.org>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-negative-trust-anchors-10.txt> (Definition and Use of DNSSEC Negative Trust Anchors) to Informational RFC

On 9 Jun 2015, at 8:58, The IESG wrote:

> The IESG has received a request from the Domain Name System Operations WG
> (dnsop) to consider the following document:
> - 'Definition and Use of DNSSEC Negative Trust Anchors'
> <draft-ietf-dnsop-negative-trust-anchors-10.txt> as Informational RFC

I have read this document. The topic under discussion is a useful one; it is described clearly and well, and I support this document proceeding. I have some minor suggestions for improvement, but nothing substantial.

In section 1, the document uses normative-sounding language ("should not") and seems to direct the IANA not to do something. The normative-sounding direction is further extended to all other organisations. I understand the intent here, but the advice seems a little jarring; any IETF document can provide advice and recommendations without enforcement (informational documents arguably more so). Perhaps this could be rephrased to make it clear that the document is providing recommendations about how to implement and manage negative trust anchors rather than laying down the law.

In section 1.2 the document refers to a "domain administrator", when in the context of DNSSEC I think it means a "zone administrator".

In section 7 the document refers to "dnscheck", which I understand is no longer being maintained and has been replaced with "zonemaster". See <http://www.zonemaster.fr>, for example.


Joe