Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
神明達哉 <jinmei@wide.ad.jp> Mon, 04 May 2015 18:25 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43A461ACD2E for <dnsop@ietfa.amsl.com>; Mon, 4 May 2015 11:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sY-qusLmG9te for <dnsop@ietfa.amsl.com>; Mon, 4 May 2015 11:25:39 -0700 (PDT)
Received: from mail-ig0-x229.google.com (mail-ig0-x229.google.com [IPv6:2607:f8b0:4001:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 711FE1ACD3B for <dnsop@ietf.org>; Mon, 4 May 2015 11:25:39 -0700 (PDT)
Received: by igblo3 with SMTP id lo3so89333963igb.0 for <dnsop@ietf.org>; Mon, 04 May 2015 11:25:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=AZrGdMrmn78jTY0D1/1P2oQtsswembMKJCG2N0eKKpI=; b=ajkPXMbn9jjL6h8aYjiEcx2v1PRl2Yzs75mXio0AQ5ezxAsxQ9vjHca06FuQNU/7K6 HY8GlaBSjH8+/l3XCpqkU33N1l9Be7FNVMpR+/qo9VEWpNaLnzyiYweDIni/LC6QRd3F SuQdIXPWDX0xpISH1CeVZ42S0AkrAvi4mboE1n829fSIMKS7STy9tfDQ0PZO2hbiIS0n torGJaRLTJaOgFPZirwP13YBwxI6xronFPtA5uAeyQwDEoejS1icEBA90cPIUORZqUOs /oURDa9gq/sQtHuwDRdtJlu66/BuuPukPjCqclU23X4IWBfIpNvvI9DrCu2s99xhfBmo jZBA==
MIME-Version: 1.0
X-Received: by 10.50.62.148 with SMTP id y20mr339022igr.17.1430763938784; Mon, 04 May 2015 11:25:38 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.50.80 with HTTP; Mon, 4 May 2015 11:25:38 -0700 (PDT)
In-Reply-To: <553EBF02.3050703@gmail.com>
References: <553EBF02.3050703@gmail.com>
Date: Mon, 04 May 2015 11:25:38 -0700
X-Google-Sender-Auth: 2IDdn__ud4tG6iG1HG8FWy9NDfk
Message-ID: <CAJE_bqc-T75k3sQZKtAF1VHp49biGn+Es5v5FivNSz5e3oB-Cg@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Tim Wicinski <tjw.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/PrFiyZPTRNMD-qIMEybTBE9MgfQ>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 18:25:41 -0000
At Mon, 27 Apr 2015 18:58:10 -0400, Tim Wicinski <tjw.ietf@gmail.com> wrote: > This starts a Working Group Last Call for Adoption for > draft-ietf-dnsop-negative-trust-anchors (I guess this is "for Publication", not "for Adoption"). Also, have we decided to publish it as an Informational document? I'm not opposed to it, but this document contains some normative text and affects inseparability in some sense, so a standard truck seems to be a more appropriate choice for me. > Current versions of the draft is available here: > > https://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/ > > https://tools.ietf.org/html/draft-ietf-dnsop-negative-trust-anchors-04 > > Please review the draft and offer relevant comments. Also, if someone > feels the document is *not* ready for publication, please speak out with > your reasons I do not think it's ready for publication yet. I'd like to see a discussion on whether it really makes sense that an NTA for a domain name even disables a positive trust anchor below the name. I made more specific comment on this in a separate message: http://www.ietf.org/mail-archive/web/dnsop/current/msg14170.html (with some other comments on the 04 version of the draft). I also think Appendix B needs more editorial cleanups. Those editorial matters may not be a showstopper by themselves, but I guess it's better to fix them before sending it to the IESG. A couple of other comments on version 4: - Section 4: It is therefore recommended that NTA implementors should periodically attempt to validate the domain in question, for the period of time that the I guess this 'recommended' may be better RFC2119 capitalized, i.e., "RECOMMENDED". Not a strong opinion, but it seems to me to be more aligned with general tone and other usage of RFC2119 keywords of this section. - Section 4: likewise, maybe s/should/SHOULD/ When removing the NTA, the implementation should remove all cached entries below the NTA node. Editorial and minor comments: - Section 3: there's an awkward blank line (and spaces) before the reference: names for a Negative Trust Anchor. For example, Unbound calls their configuration "domain-insecure." [Unbound-Configuration] - Section 7.1: s/has have/has/ Thus, there may be a gap between when a domain has have been re- - Appendix B: s/servers/server's/ (?) domain is consistency and history. It therefore is good if you have the ability to look at the servers DNS traffic over a long period of - Appendix B: s/them install/install them/ most of these tools are open source so you can them install locally if you want. - Appendix B: this sentence doesn't parse well to me... Using the tools over the Internet has the advantage though that as these are not located in the same part of the network you already will have more than local view by using different tools. - Appendix B: s/server.s/servers./ consistently around the world and from all authoritative server.s Use - Appendix B: s/an guarantee/a guarantee/ attack, although that is not an guarantee. Also if the output from - Appendix B: it's now a dnsop wg document EDNS0 client subnet (draft-vandergaast-edns-client-subnet) applied to the domain. - Appendix B: this sentence doesn't parse well to me... Again if the data is the same this is an indication that the error is operator caused not an guarantee. - Appendix B: s/parents/parent's/ (or "parent zone's ?) o DNSKEYs in child zone don't match parents zone DS record. There - Appendix B: these two sentences seem too informal grammatically, if not broken: Has the existed before and was used? Was there a change in the DNSKEY RRSet recently (indicating a key rollover) and of course has the actual data in the zone changes. - Appendix B: o Data in DS or DNSKEY doesn't match the other. This is more common in initial setup when there was a copy and paste error. Again checking history on data is the best you can do there. It's not possible to give a checklist just to run through to decide if a domain is broken because of an attack or an operator error. Is the "It's not possible..." sentence supposed to belong to the bullet? This sentence seems to talk about something general, and seem to make more sense if it's part of the sentence that follows: All of the above is just a starting point for consideration when having to decide to deploy or not deploy a trust anchor. -- JINMEI, Tatuya
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Olafur Gudmundsson
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Rose, Scott W.
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Dan York
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉
- Re: [DNSOP] Working Group Last Call for draft-iet… Bob Harold
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… Ralf Weber
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Warren Kumari
- Re: [DNSOP] Working Group Last Call for draft-iet… 神明達哉