Re: [DNSOP] fragile dnssec, was Fwd: New Version

"John R Levine" <johnl@taugh.com> Fri, 18 August 2017 01:13 UTC

Date: Thu, 17 Aug 2017 21:13:45 -0400
Message-ID: <alpine.OSX.2.21.1708172112530.64140@ary.local>
From: John R Levine <johnl@taugh.com>
To: Mark Andrews <marka@isc.org>
Cc: dnsop@ietf.org
In-Reply-To: <20170818001153.37E9082B0500@rock.dv.isc.org>
References: <20170816230917.4475.qmail@ary.lan> <20170817034747.0F82D8298B68@rock.dv.isc.org> <alpine.OSX.2.21.1708171013140.63290@ary.local> <20170818001153.37E9082B0500@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PNb-LDx5ZK4bIg-qJ-ejylCWyHg>

On Fri, 18 Aug 2017, Mark Andrews wrote:
>>> Or you can have credentials to allow the hoster to update the DS
>>> records alone.
>>
>> Of course, but that's independent of how you present the updates to the
>> registry or registrar.
>
> Yet, you chose to attempt to shoot down the proposal based on the
> premise that you would be giving up full control.

You appear to be responding to someone else.  My point is that in 
practice, registries do not provide credentials for DNSSEC updates only, 
regardless of how they're presented.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly