[DNSOP] draft-yoneya-dnssec-kskro-failure-recovery-01
Michael StJohns <msj@nthpermutation.com> Wed, 05 September 2012 17:20 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACD9F21F8661 for <dnsop@ietfa.amsl.com>; Wed, 5 Sep 2012 10:20:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8p-OOc2czZyB for <dnsop@ietfa.amsl.com>; Wed, 5 Sep 2012 10:20:15 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2A43A21F84DE for <dnsop@ietf.org>; Wed, 5 Sep 2012 10:20:14 -0700 (PDT)
Received: by ieak13 with SMTP id k13so1726048iea.31 for <dnsop@ietf.org>; Wed, 05 Sep 2012 10:20:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding:x-gm-message-state; bh=3WSE6ZtAY+zH0e2r+vXZeEVbZQG189O9cSC0GzaZkm0=; b=LyLeT1M2noZH8zSBg4Q/DxxFCoK1vFkM9H856eJmvJWkzgjhJ+5+OL6MSXMBwNnNJH 4NTQcYy7yE5iOyWQd29EEvg22A2TwerKDMwTU+6asovhegpXAvsh6f/cAITf01zND/uY MqW9VUuks1Q3AlWqKmbxjkAk+Q+7QbZwyiuPXlJvu01YpVjqHfB6i09Y7ZtV6jRWWFqA KC0cHhNYusk7t2w9PYONz0UBzlge8Km0Jsq/uG1YqU3rmSGSm1HBGXfK76VFujbWex2o TPYyRYrd+Kqwajk0Nh7OCu7mQxSBfrygzX0S7ZaqM0X7dbkpZmv0LDmle1njSe7Ayl4v pq9Q==
Received: by 10.42.85.69 with SMTP id p5mr22037020icl.24.1346865614192; Wed, 05 Sep 2012 10:20:14 -0700 (PDT)
Received: from [192.168.1.106] (c-68-83-222-237.hsd1.md.comcast.net. [68.83.222.237]) by mx.google.com with ESMTPS id p5sm16690716igm.13.2012.09.05.10.20.10 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 05 Sep 2012 10:20:12 -0700 (PDT)
Message-ID: <504789CA.6040703@nthpermutation.com>
Date: Wed, 05 Sep 2012 13:20:10 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120824 Thunderbird/15.0
MIME-Version: 1.0
To: dnsop@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQnQPmU/GmxfkpHX6jXn85wUJpBhseCSXkKbVr39FK3SiOSKy6D6yml2Q0A5bFuhGEYLfDM2
X-Mailman-Approved-At: Wed, 05 Sep 2012 10:26:46 -0700
Subject: [DNSOP] draft-yoneya-dnssec-kskro-failure-recovery-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2012 17:20:15 -0000
Hi - As the subject document seems to describe an operations problem rather than a protocol problem, I'm going to use the dnsop mailing list to post some comments. While I haven't completely internalized this document, I'm pretty sure it's addressing the wrong problem. The issue is not that there are too many DS in the parent zone as compared to DNSKEY in the child. It's actually perfectly correct to publish a DS record in advance of publishing the related DNSKEY. I *think* the issue they may be concerned with is a complete disjunction between the parent DS and child DNSKEY RRSets. But that's not what the document says. Case 1 - there is no such thing as a failing DS. There is a DS that does not currently match a child DNSKEY, but that is not necessarily a "fail". Case 1 - the appropriate problem is "no matching DS for zone DNSKEYs" - the resolution is "add a matching DS to the parent zone, or deploy a DNSKEY that matches an existing DS". Case 2-5 seem to be the same problem as case 1, rather than separate problems - but the title of the cases does not reflect this. In any event, "removal" of data is mostly not going to help the problem - you need to "add" the appropriate links in the trust chain. Data that does not provide a link in a trust chain is just extraneous and may be safely ignored until it can be removed with normal practices. At best this is an incomplete ID (and I'd recommend not posting something this incomplete), at worst it's headed in the wrong direction. Mike
- [DNSOP] draft-yoneya-dnssec-kskro-failure-recover… Michael StJohns
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Yoshiro YONEYA
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Phil Regnauld
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Paul Wouters
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Yoshiro YONEYA
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Yoshiro YONEYA
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Paul Wouters