[DNSOP][IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)

David Dong via RT <drafts-expert-review-comment@iana.org> Tue, 14 May 2024 22:03 UTC

CC: scott.rose@nist.gov, nils@desec.io, dnsop@ietf.org, oli.schacher@switch.ch, q@as207960.net, christian@elmerot.se, daniel.salzman@nic.cz, paul@nohats.ca, johnl@taugh.com, draft-ietf-dnsop-dnssec-bootstrapping.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QRSIMBAYZQTCNgHLJrs1EsKjuRY>

Hi all,

Following up on this. Please let us know how we should proceed for this. Thank you.

Best regards,

David Dong
IANA Services Sr. Specialist

On Thu May 09 09:39:29 2024, peter@desec.io wrote:
> [another (last) attempt of reposting this as it did not get delivered
> to dnsop@ietf.org on May 7, as evidenced by the list archive]
> 
> 
> Hi,
> 
> On 5/2/24 19:59, David Dong via RT wrote:
> > Following up on this; does the group agree that "_dnssec" is OK?
> 
> Looking at what's been said in this thread:
> - Two people have proposed to change the label, current proposal:
> _dnssec
> - Two implementers have said they'd make the change but don't seem
> convinced
> - The authors (hats off, but also implementers and authors of current
> drafts using the mechanism) are not convinced
> 
> The authors don't feel comfortable declaring consensus in either
> direction (neither do we know whether that's our role), and we're not
> sure how to proceed. Perhaps the DNSOP chairs could weigh in, as the
> discussion is happening on the WG list although the document is
> technically out of the door ...
> 
> 
> I've been reluctant to add the following argument so as not to seem
> insistent; OTOH it may have its own technical merit, so here it is.
> 
> The "_dnssec" label implies that the mechanism is not suitable for
> signaling unrelated to DNSSEC. That's an artificial limitation, and
> it's unclear why to impose the restriction. An operator could very
> well want to publish other things, like
> 
> - TXT at _abuse.example.com._signal.ns1.provider.net for an abuse
> address,
> - PTR at _catalog.example.com._signal ... for catalog zone membership,
> - ...
> 
> If the signaling method is generic, I believe it should have a short
> generic label. Any specificity to determine the kind of signal can go
> into the first label.
> 
> I have no specific preference for "_signal" other than I don't know
> what a good alternative would be. Narrowing the scope with "_dnssec"
> doesn't seem to improve the situation.
> 
> Thanks,
> Peter
> + Nils (for the "we"/author statements)
> 
> 
> > Thank you.
> >
> > Best regards,
> >
> > David Dong
> > IANA Services Sr. Specialist
> >
> > On Mon Apr 22 11:42:15 2024, scott.rose@nist.gov wrote:
> >> On 20 Apr 2024, at 19:38, Paul Wouters wrote:
> >>
> >>> On Sat, 20 Apr 2024, Peter Thomassen wrote:
> >>>
> >>>> The authors certainly don't insist, but we'd need to pick a suitable
> >>>> replacement for the "_signal" label.
> >>>>
> >>>> John proposed "_dnssec-signal" elsewhere in this thread.
> >>>>
> >>>> The authors would like to note that adding "_dnssec-" eats up 8 more
> >>>> bytes, increasing chances that bootstrapping will fail due to the
> >>>> _dsboot.<domain-name>._dnssec-signal.<nsname> length limitation.
> >>>> Other than this (unnecessary?) use case narrowing, this choice seems
> >>>> fine.
> >>>>
> >>>> That said, does this choice address your concerns?
> >>>
> >>> It would, but I would also be okay if it is just _dnssec.
> >>>
> >>
> >> If the concern is that the label is too generic, "_dnssec" might be
> >> too generic as well. If it is to be more precise, go with _ds-boot or
> >> something more specific to the use case. I don't have an
> >> implementation in the mix, so this isn't a strong opinion. If the
> >> group agrees _dnssec is fine, then I am fine with it too.
> >>
> >> Scott
> >>
> >> =====================================
> >> Scott Rose
> >> NIST/CTL/WND
> >> scott.rose@nist.gov
> >> ph: 301-975-8439
> >> GoogleVoice: 571-249-3671
> >> =====================================
> >
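The name-length argument raised in the quoted discussion, as an added example that is not part of the thread or of the draft: it builds the signaling name from the `_dsboot.<domain-name>.<label>.<nsname>` pattern quoted above and checks it against the DNS limits from RFC 1035 (255 octets for a name on the wire, 63 octets per label), so the effect of a longer label on a child name near the limit can be seen directly. The nameserver name `ns1.provider.net` and the long child name are constructed inputs.

```python
MAX_NAME_WIRE = 255   # RFC 1035: maximum length of a domain name on the wire
MAX_LABEL = 63        # RFC 1035: maximum octets in a single label


def wire_length(name: str) -> int:
    """Octets the name occupies in DNS wire format: one length byte per
    label plus the label itself, plus one byte for the empty root label."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1


def signaling_name(child: str, nsname: str, signal_label: str = "_signal") -> str:
    """Build _dsboot.<child>.<signal_label>.<nsname>. following the pattern
    quoted in the thread; trailing dots on the inputs are normalised away."""
    return f"_dsboot.{child.rstrip('.')}.{signal_label}.{nsname.rstrip('.')}."


def name_problems(name: str) -> list[str]:
    """Return the RFC 1035 limits the name violates (empty list: it fits)."""
    problems = []
    for label in name.rstrip(".").split("."):
        if len(label) > MAX_LABEL:
            problems.append(f"label {label!r} is {len(label)} octets (> {MAX_LABEL})")
    total = wire_length(name)
    if total > MAX_NAME_WIRE:
        problems.append(f"name is {total} octets on the wire (> {MAX_NAME_WIRE})")
    return problems


def bootstrapping_fits(child: str, nsname: str, signal_label: str = "_signal") -> bool:
    """True if the signaling name for this child/nameserver pair is usable."""
    return not name_problems(signaling_name(child, nsname, signal_label))


if __name__ == "__main__":
    # Constructed sample input: a child name close to the 255-octet limit.
    child = ".".join(["a" * 63] * 3 + ["b" * 25])
    for label in ("_signal", "_dnssec-signal"):
        name = signaling_name(child, "ns1.provider.net", label)
        print(label, wire_length(name), name_problems(name) or "fits")
```

With the constructed child name the `_signal` form is 252 octets and fits, while the `_dnssec-signal` form is 259 octets and cannot be published.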