IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

神明達哉 <jinmei@wide.ad.jp> Mon, 04 May 2015 18:25 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43A461ACD2E for <dnsop@ietfa.amsl.com>; Mon, 4 May 2015 11:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sY-qusLmG9te for <dnsop@ietfa.amsl.com>; Mon, 4 May 2015 11:25:39 -0700 (PDT)
Received: from mail-ig0-x229.google.com (mail-ig0-x229.google.com [IPv6:2607:f8b0:4001:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 711FE1ACD3B for <dnsop@ietf.org>; Mon, 4 May 2015 11:25:39 -0700 (PDT)
Received: by igblo3 with SMTP id lo3so89333963igb.0 for <dnsop@ietf.org>; Mon, 04 May 2015 11:25:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=AZrGdMrmn78jTY0D1/1P2oQtsswembMKJCG2N0eKKpI=; b=ajkPXMbn9jjL6h8aYjiEcx2v1PRl2Yzs75mXio0AQ5ezxAsxQ9vjHca06FuQNU/7K6 HY8GlaBSjH8+/l3XCpqkU33N1l9Be7FNVMpR+/qo9VEWpNaLnzyiYweDIni/LC6QRd3F SuQdIXPWDX0xpISH1CeVZ42S0AkrAvi4mboE1n829fSIMKS7STy9tfDQ0PZO2hbiIS0n torGJaRLTJaOgFPZirwP13YBwxI6xronFPtA5uAeyQwDEoejS1icEBA90cPIUORZqUOs /oURDa9gq/sQtHuwDRdtJlu66/BuuPukPjCqclU23X4IWBfIpNvvI9DrCu2s99xhfBmo jZBA==
MIME-Version: 1.0
X-Received: by 10.50.62.148 with SMTP id y20mr339022igr.17.1430763938784; Mon, 04 May 2015 11:25:38 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.50.80 with HTTP; Mon, 4 May 2015 11:25:38 -0700 (PDT)
In-Reply-To: <553EBF02.3050703@gmail.com>
References: <553EBF02.3050703@gmail.com>
Date: Mon, 04 May 2015 11:25:38 -0700
X-Google-Sender-Auth: 2IDdn__ud4tG6iG1HG8FWy9NDfk
Message-ID: <CAJE_bqc-T75k3sQZKtAF1VHp49biGn+Es5v5FivNSz5e3oB-Cg@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Tim Wicinski <tjw.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/PrFiyZPTRNMD-qIMEybTBE9MgfQ>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 18:25:41 -0000

At Mon, 27 Apr 2015 18:58:10 -0400,
Tim Wicinski <tjw.ietf@gmail.com> wrote:

> This starts a Working Group Last Call for Adoption for
> draft-ietf-dnsop-negative-trust-anchors

(I guess this is "for Publication", not "for Adoption").

Also, have we decided to publish it as an Informational document?  I'm
not opposed to it, but this document contains some normative text and
affects inseparability in some sense, so a standard truck seems to be
a more appropriate choice for me.

> Current versions of the draft is available here:
>
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/
>
> https://tools.ietf.org/html/draft-ietf-dnsop-negative-trust-anchors-04
>
> Please review the draft and offer relevant comments. Also, if someone
> feels the document is *not* ready for publication, please speak out with
> your reasons

I do not think it's ready for publication yet.

I'd like to see a discussion on whether it really makes sense that an
NTA for a domain name even disables a positive trust anchor below the
name.  I made more specific comment on this in a separate message:
http://www.ietf.org/mail-archive/web/dnsop/current/msg14170.html
(with some other comments on the 04 version of the draft).

I also think Appendix B needs more editorial cleanups.  Those
editorial matters may not be a showstopper by themselves, but I guess
it's better to fix them before sending it to the IESG.

A couple of other comments on version 4:

- Section 4:
   It is therefore
   recommended that NTA implementors should periodically attempt to
   validate the domain in question, for the period of time that the

  I guess this 'recommended' may be better RFC2119 capitalized, i.e.,
  "RECOMMENDED".  Not a strong opinion, but it seems to me to be more
  aligned with general tone and other usage of RFC2119 keywords of
  this section.

- Section 4: likewise, maybe s/should/SHOULD/
   When removing the NTA, the implementation should remove all cached
   entries below the NTA node.

Editorial and minor comments:

- Section 3: there's an awkward blank line (and spaces) before the
  reference:
   names for a Negative Trust Anchor.  For example, Unbound calls their
   configuration "domain-insecure."

   [Unbound-Configuration]

- Section 7.1: s/has have/has/
   Thus, there may be a gap between when a domain has have been re-

- Appendix B: s/servers/server's/ (?)
   domain is consistency and history.  It therefore is good if you have
   the ability to look at the servers DNS traffic over a long period of

- Appendix B: s/them install/install them/
   most of these tools are open source so you can them install locally
   if you want.

- Appendix B: this sentence doesn't parse well to me...

   Using the tools over the Internet has the advantage though that as
   these are not located in the same part of the network you already
   will have more than local view by using different tools.

- Appendix B: s/server.s/servers./
   consistently around the world and from all authoritative server.s Use

- Appendix B: s/an guarantee/a guarantee/
   attack, although that is not an guarantee.  Also if the output from

- Appendix B: it's now a dnsop wg document
   EDNS0 client subnet (draft-vandergaast-edns-client-subnet) applied to
   the domain.

- Appendix B: this sentence doesn't parse well to me...

   Again if the data is the same this
   is an indication that the error is operator caused not an guarantee.

- Appendix B: s/parents/parent's/ (or "parent zone's ?)
   o  DNSKEYs in child zone don't match parents zone DS record.  There

- Appendix B: these two sentences seem too informal grammatically, if
  not broken:
      Has the existed before and was used?
      Was there a change in the DNSKEY RRSet recently (indicating a key
      rollover) and of course has the actual data in the zone changes.

- Appendix B:
   o  Data in DS or DNSKEY doesn't match the other.  This is more common
      in initial setup when there was a copy and paste error.  Again
      checking history on data is the best you can do there.  It's not
      possible to give a checklist just to run through to decide if a
      domain is broken because of an attack or an operator error.

  Is the "It's not possible..." sentence supposed to belong to the
  bullet?  This sentence seems to talk about something general, and
  seem to make more sense if it's part of the sentence that follows:

   All of the above is just a starting point for consideration when
   having to decide to deploy or not deploy a trust anchor.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email