Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
神明達哉 <jinmei@wide.ad.jp> Mon, 11 May 2015 16:10 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20C101A90FF for <dnsop@ietfa.amsl.com>; Mon, 11 May 2015 09:10:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oKvmWisyxAnX for <dnsop@ietfa.amsl.com>; Mon, 11 May 2015 09:10:36 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D0C51A90A9 for <dnsop@ietf.org>; Mon, 11 May 2015 09:10:36 -0700 (PDT)
Received: by igbyr2 with SMTP id yr2so74404375igb.0 for <dnsop@ietf.org>; Mon, 11 May 2015 09:10:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=57gIBnBl+s/KYWa/LU/Ago2YUb9loJKfA8WC1MnY7cI=; b=NyYhftVlImQh0/aH4HQkD9XnTvSHlbZ5norGbAgtl7c08Pi9qfths1B9SGobJfwGOA opYrYYfMl0pkiVgNchXfndnkg7Wdpy3CZsWen/ObtHWAdCeaS7raSMMKc79TeY0Sd1sg NzxUVT5GLlyhg0P83pNSquH1TU1EaKDNGVVwuM7ke2ufJ7TB2yoAVaF2nD5Ovye09DYs OYtLt3PnLT6noOjYQuQMw9I2MVwRjMzr6XhAyvoi/MREhqT9u7uJmCnqIIQNKOu2ZnLT 9klxKd743raLNCXVi0d8Le3YtYrGbQVWnTH3Y1V3rYVuNe4UjR2gJveUCtFOhnTlnWCY V7wQ==
MIME-Version: 1.0
X-Received: by 10.107.10.201 with SMTP id 70mr13835415iok.0.1431360635574; Mon, 11 May 2015 09:10:35 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.50.80 with HTTP; Mon, 11 May 2015 09:10:35 -0700 (PDT)
In-Reply-To: <20150509185028.GB74933@isc.org>
References: <553EBF02.3050703@gmail.com> <CAJE_bqc-T75k3sQZKtAF1VHp49biGn+Es5v5FivNSz5e3oB-Cg@mail.gmail.com> <CAHw9_iL9RLp0jynT0m_D6dGZYhmdonvBC-5ifTdB63eh5gvBeg@mail.gmail.com> <CAJE_bqesFPG6d3UsFmtFRjUBQqfifHkaBMR0sXAaNKuN10HL4A@mail.gmail.com> <CAHw9_iLbx_soi1+LaSwMKarLcT1kBCrFdaX8diwMVZp70KeePA@mail.gmail.com> <20150509185028.GB74933@isc.org>
Date: Mon, 11 May 2015 09:10:35 -0700
X-Google-Sender-Auth: SwQ_lSBygCbapNsIddRqBTglvH8
Message-ID: <CAJE_bqcJN+RL8NF5NoLTL2y6-mpC1Maf8y_msie7MgYxkV4B3A@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Evan Hunt <each@isc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/PdTsVo0dKjYz98wQr6Nigxr53Io>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2015 16:10:37 -0000
At Sat, 9 May 2015 18:50:28 +0000, Evan Hunt <each@isc.org> wrote: > Actually, weirdly enough, after I implemented NTA's in BIND, one of the > very first applications somebody came up with for them was to temporarily > disable DNSSEC validation by setting an NTA for ".". This was seen as > better than "rndc validation off" because he didn't have to send "rndc > validation on" afterward; it would just quiety switch itself back on > after a minute. It's... actually a pretty clever hack, and I don't > really want to disable it. > > May I suggest: "An NTA placed at a node where there is a configured > positive trust anchor takes precendence over that trust anchor, effectively > disabling it. Implementations MAY issue a warning when this occurs." Does this mean: A: All implementations that conform to this document should prefer the NTA over the positive anchor in such a case, or B: This is implementation-dependent, but if an implementation allows the coexistence of positive and negative anchors, it should prefer the NTA, or C: something else? I don't have a strong opinion between A and B, but I'd like this document to be clear on this. And, if it means A, I'd use an RFC2119 keyword (it's probably a SHOULD). -- JINMEI, Tatuya
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Olafur Gudmundsson
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Rose, Scott W.
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Dan York
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉
- Re: [DNSOP] Working Group Last Call for draft-iet… Bob Harold
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Ralf Weber
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉