Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 16 May 2018 18:51 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <79f958bdf3f04d61b77b4f8632575cb1@cira.ca>
Date: Wed, 16 May 2018 14:51:10 -0400
Reply-To: dnsop <dnsop@ietf.org>
Message-Id: <89F528D6-ABC4-4374-9881-12209331C18D@dukhovni.org>
References: <20180515195719.CD6CF269B4C6@ary.qy> <4BE09A51-74F6-4B4F-873F-6ACEC2BF3572@dukhovni.org> <79f958bdf3f04d61b77b4f8632575cb1@cira.ca>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PUZ3XGJMp5cDchE7kMHt-pgqfE4>
Subject: Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4


> On May 16, 2018, at 2:38 PM, Jacques Latour <Jacques.Latour@cira.ca> wrote:
> 
> The intent of the document at bootstrap is for the parent to perform sufficient tests to ensure they are conformable in bootstrapping the chain of trust. I agree with you that these tests and others could be performed by the parent to ensure the child/DNS Operator is "well behaved" and/or has "good DNSSEC hygiene".
> 
> I think defining the criteria for good DNSSEC hygiene is not in scope for this document, but this document could certainly reference something like https://tools.ietf.org/html/draft-wallstrom-dnsop-dns-delegation-requirements-03 with your details in section 8 "DNSSEC Requirements".
> 
> Also, I'm thinking at registration time to check immediately if the new domain is suitable for DNSSEC bootstrapping, meaning the domain has a proper CDS or CDNSKEY and has good hygiene and all, so that when we publish the zone file with that new domain the DS record is included right away.  Any issues with that?

I am not a stickler for the means, so long as we achieve the same ends.
That is, provided the DNSSEC hygiene is somehow taken into account at
registration time, if this document points at some other document, that
may be OK.  My concern is only that not enough of the DANE-impacting
hygiene requirements may yet be written down.

I can make a list...  Should it go in this draft, or should I work with
Patrick Wallstrom to flesh out that draft?  Will this draft reference
the other one?

-- 
	Viktor.
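The registration-time check discussed above (does the child publish a CDS that actually corresponds to one of its DNSKEYs, and is it something the parent may accept as an initial DS?) can be illustrated with the digest-matching part of that acceptance test. The following is an added example written for this archive page; it is not code from the draft, from CIRA, or from either correspondent. It uses only the Python standard library, the DNSKEY bytes are constructed placeholders rather than real keys, and the `evaluate_cds`/`bootstrap_acceptable` function names and verdict strings are this example's own. It implements the RFC 4034 key tag and DS digest computation and the RFC 8078 delete sentinel; the broader "DNSSEC hygiene" criteria the thread leaves for another draft are not modelled here.

```python
import hashlib
import struct

# Constructed sample zone name for the offline demonstration.
CHILD_ZONE = "example.com."

# RFC 8078 section 4: a CDS of "0 0 0 00" asks the parent to remove the DS.
# A parent bootstrapping a fresh delegation must never treat this as a DS to publish.
DELETE_SENTINEL = (0, 0, 0, b"\x00")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the generic algorithm; algorithm 1 RSA/MD5 used a different rule)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """Derive the DS tuple (key_tag, algorithm, digest_type, digest) per RFC 4034 section 5.1.4.

    digest = hash(canonical owner name wire form || DNSKEY RDATA)
    """
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashers:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = hashers[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def evaluate_cds(owner: str, dnskey_rdatas, cds_records):
    """Give a verdict for each child CDS record against the child's published DNSKEY RRset.

    Verdicts (names are this example's own):
      "match"               CDS corresponds to a DNSKEY with the SEP bit set
      "match-but-not-sep"   CDS corresponds to a DNSKEY, but it is not flagged as a KSK
      "delete-request"      the RFC 8078 delete sentinel; not a DS to install
      "no-matching-dnskey"  no published DNSKEY hashes to this CDS
    """
    candidates = {}
    for rdata in dnskey_rdatas:
        for dtype in (1, 2, 4):
            candidates[ds_from_dnskey(owner, rdata, dtype)] = rdata
    verdicts = []
    for cds in cds_records:
        if cds == DELETE_SENTINEL:
            verdicts.append("delete-request")
        elif cds in candidates:
            flags = struct.unpack("!H", candidates[cds][:2])[0]
            verdicts.append("match" if flags & 0x0001 else "match-but-not-sep")
        else:
            verdicts.append("no-matching-dnskey")
    return verdicts


def bootstrap_acceptable(owner: str, dnskey_rdatas, cds_records) -> bool:
    """Parent-side decision for a brand-new delegation: at least one CDS, and every CDS a clean KSK match."""
    verdicts = evaluate_cds(owner, dnskey_rdatas, cds_records)
    return bool(verdicts) and all(v == "match" for v in verdicts)


if __name__ == "__main__":
    # Constructed KSK (flags 257 = ZONE|SEP, algorithm 13); the key bytes are a placeholder, not a real key.
    ksk = dnskey_rdata(257, 3, 13, bytes(range(1, 33)))
    cds = ds_from_dnskey(CHILD_ZONE, ksk)
    print("key tag", cds[0], "verdicts", evaluate_cds(CHILD_ZONE, [ksk], [cds]))
    print("acceptable for bootstrap:", bootstrap_acceptable(CHILD_ZONE, [ksk], [cds]))
```

In production the DNSKEY and CDS RRsets would be fetched from the child's authoritative servers, ideally from more than one of them and with the CDS RRSIG checked against the DNSKEY it refers to, before this comparison is applied; the example deliberately stops at the pure computation so it runs offline.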