IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

神明達哉 <jinmei@wide.ad.jp> Mon, 11 May 2015 16:10 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20C101A90FF for <dnsop@ietfa.amsl.com>; Mon, 11 May 2015 09:10:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oKvmWisyxAnX for <dnsop@ietfa.amsl.com>; Mon, 11 May 2015 09:10:36 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D0C51A90A9 for <dnsop@ietf.org>; Mon, 11 May 2015 09:10:36 -0700 (PDT)
Received: by igbyr2 with SMTP id yr2so74404375igb.0 for <dnsop@ietf.org>; Mon, 11 May 2015 09:10:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=57gIBnBl+s/KYWa/LU/Ago2YUb9loJKfA8WC1MnY7cI=; b=NyYhftVlImQh0/aH4HQkD9XnTvSHlbZ5norGbAgtl7c08Pi9qfths1B9SGobJfwGOA opYrYYfMl0pkiVgNchXfndnkg7Wdpy3CZsWen/ObtHWAdCeaS7raSMMKc79TeY0Sd1sg NzxUVT5GLlyhg0P83pNSquH1TU1EaKDNGVVwuM7ke2ufJ7TB2yoAVaF2nD5Ovye09DYs OYtLt3PnLT6noOjYQuQMw9I2MVwRjMzr6XhAyvoi/MREhqT9u7uJmCnqIIQNKOu2ZnLT 9klxKd743raLNCXVi0d8Le3YtYrGbQVWnTH3Y1V3rYVuNe4UjR2gJveUCtFOhnTlnWCY V7wQ==
MIME-Version: 1.0
X-Received: by 10.107.10.201 with SMTP id 70mr13835415iok.0.1431360635574; Mon, 11 May 2015 09:10:35 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.50.80 with HTTP; Mon, 11 May 2015 09:10:35 -0700 (PDT)
In-Reply-To: <20150509185028.GB74933@isc.org>
References: <553EBF02.3050703@gmail.com> <CAJE_bqc-T75k3sQZKtAF1VHp49biGn+Es5v5FivNSz5e3oB-Cg@mail.gmail.com> <CAHw9_iL9RLp0jynT0m_D6dGZYhmdonvBC-5ifTdB63eh5gvBeg@mail.gmail.com> <CAJE_bqesFPG6d3UsFmtFRjUBQqfifHkaBMR0sXAaNKuN10HL4A@mail.gmail.com> <CAHw9_iLbx_soi1+LaSwMKarLcT1kBCrFdaX8diwMVZp70KeePA@mail.gmail.com> <20150509185028.GB74933@isc.org>
Date: Mon, 11 May 2015 09:10:35 -0700
X-Google-Sender-Auth: SwQ_lSBygCbapNsIddRqBTglvH8
Message-ID: <CAJE_bqcJN+RL8NF5NoLTL2y6-mpC1Maf8y_msie7MgYxkV4B3A@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Evan Hunt <each@isc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/PdTsVo0dKjYz98wQr6Nigxr53Io>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2015 16:10:37 -0000

At Sat, 9 May 2015 18:50:28 +0000,
Evan Hunt <each@isc.org> wrote:

> Actually, weirdly enough, after I implemented NTA's in BIND, one of the
> very first applications somebody came up with for them was to temporarily
> disable DNSSEC validation by setting an NTA for ".".  This was seen as
> better than "rndc validation off" because he didn't have to send "rndc
> validation on" afterward; it would just quiety switch itself back on
> after a minute.  It's... actually a pretty clever hack, and I don't
> really want to disable it.
>
> May I suggest: "An NTA placed at a node where there is a configured
> positive trust anchor takes precendence over that trust anchor, effectively
> disabling it.  Implementations MAY issue a warning when this occurs."

Does this mean:

A: All implementations that conform to this document should prefer the
   NTA over the positive anchor in such a case, or
B: This is implementation-dependent, but if an implementation allows
   the coexistence of positive and negative anchors, it should prefer
   the NTA, or
C: something else?

I don't have a strong opinion between A and B, but I'd like this
document to be clear on this.  And, if it means A, I'd use an RFC2119
keyword (it's probably a SHOULD).

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email