[DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
Edward Lewis <eppdnsprotocols@gmail.com> Wed, 21 August 2024 14:28 UTC
Return-Path: <eppdnsprotocols@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10F3AC14F696 for <dnsop@ietfa.amsl.com>; Wed, 21 Aug 2024 07:28:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.609
X-Spam-Level:
X-Spam-Status: No, score=-1.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLBS7SEJiJZu for <dnsop@ietfa.amsl.com>; Wed, 21 Aug 2024 07:28:29 -0700 (PDT)
Received: from mail-qt1-x843.google.com (mail-qt1-x843.google.com [IPv6:2607:f8b0:4864:20::843]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AD8AC14F5F8 for <dnsop@ietf.org>; Wed, 21 Aug 2024 07:28:29 -0700 (PDT)
Received: by mail-qt1-x843.google.com with SMTP id d75a77b69052e-45019dccc3aso38108291cf.1 for <dnsop@ietf.org>; Wed, 21 Aug 2024 07:28:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1724250508; x=1724855308; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=opgx0WxROGtnuyECaTa0yh9qUCScNYDcQVkMLxKfI74=; b=bLbMZTDyCee9dhdS06kG/Uzy0QVcBkjkMpr8EHExR9/B+j0XjiPyhZ41eALvGGTfwK 562nhzzbPNUJLkA3AZB59SFzX1t7HExXI6+GrXLZZilZhnY61EnXZnJ0M+cckeXKZiH3 Fy10CvqeOFQX32ZH6H/iqG29qQ0dI4tajYXrvfzxZEfj9Gf4SGAMot/qU++C0scbLiKE dKpolaDaS03mPTsItq0u8DjhJYrlCY8IlLKceVWPuzGg15NFdpXZMSJNvThGxa2yDp6/ yskJhmzffrGQj+zO5cQ4rYUiiLYvfjQJvytaol7WmCuEj6BhH+Dbww3L1Gji6oyNGgi/ slzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724250508; x=1724855308; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=opgx0WxROGtnuyECaTa0yh9qUCScNYDcQVkMLxKfI74=; b=H4Qowrm6YaKZYWi5vNk09OYzaUaxJ3q7VNBK9L0cykYw9DVldW4QOLwouqMh6juYfh TlFdCjPNlpHFwBUhAf1sYxTAC40TrMYj8Jg3X5gFX18TQdAZJ0cyeSEymSkC4rZ+gLzC Uddvm/cEcbN+e8ETiGsJprR9evCyp82lc8ASJX03l0KDTM94R/hMSR1saJN9wNOR+4wZ l6gqfg41LbPyNXSBaECU1WZyzToheuAHN6POcQrwVeaoLj3rwi88k0X4qR79v5CB79N4 lgSgjH1/h6+mHSh5Nv1zf8/ykoqwUqjJaDz07gOQ3JjBD5WGWFLuJHM0eCWOvdXHN5iZ 0gcQ==
X-Gm-Message-State: AOJu0Yw9syEOzQC4i4HzuI4gPVgi9/9giBzoVezHUkONpKG61o+E69RJ 07hI1/rWfYpLEthh+KGHTZTi1oldMhXiLO/Yin3UGqp1JyQ/6cp0qRb/bccfs00=
X-Google-Smtp-Source: AGHT+IGaGobbsex0ll5ujurbxHBv8iMWaxVCl5Rldy4m8+/ZCR7axO3sWVQDwpz1t0XpgNLoBxjTfw==
X-Received: by 2002:a05:622a:4109:b0:446:63e9:dc81 with SMTP id d75a77b69052e-454f26ba1aamr20260711cf.63.1724250508424; Wed, 21 Aug 2024 07:28:28 -0700 (PDT)
Received: from smtpclient.apple (pool-96-255-253-89.washdc.fios.verizon.net. [96.255.253.89]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45369ff6e07sm59552011cf.38.2024.08.21.07.28.27 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Aug 2024 07:28:28 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\))
From: Edward Lewis <eppdnsprotocols@gmail.com>
In-Reply-To: <6b19942a-1392-47ac-8a50-1520713f2140@nthpermutation.com>
Date: Wed, 21 Aug 2024 10:28:27 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <3ABBFB63-4953-4F9D-97C7-A31276496200@gmail.com>
References: <CAHw9_iL-ZwwA_pckR+=7SndOvqjfcNX9FjZ9Bim24uSYgTxkyw@mail.gmail.com> <98896B9D-259E-4E46-8DC7-E873D8B25F55@icann.org> <d9aed09d-b1c8-4ba1-9d4e-e83d504bfe40@nthpermutation.com> <65A596AD-1A4F-400A-9404-E2D60A54BE66@icann.org> <36118f44-d18d-443b-8aa8-007b8b62db3f@nthpermutation.com> <49523BCB-7747-44A2-97FA-8F46B238B4E0@icann.org> <6b19942a-1392-47ac-8a50-1520713f2140@nthpermutation.com>
To: dnsop <dnsop@ietf.org>
X-Mailer: Apple Mail (2.3654.120.0.1.15)
Message-ID-Hash: S442UBQLI676TJPOLC5NY2L7LNZNPL7M
X-Message-ID-Hash: S442UBQLI676TJPOLC5NY2L7LNZNPL7M
X-MailFrom: eppdnsprotocols@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Edward Lewis <eppdnsprotocols@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QUiqGHcUPGPa8W6xG_s66r04Xpc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
On Aug 20, 2024, at 20:42, Michael StJohns <msj@nthpermutation.com> wrote: > > Hi Paul - > > I'm confused from your responses below - is this a WG document where the WG gets to decide, or is this an IANA document (like the one it was replacing) where IANA gets to decide? I *think* I saw you argue both ways in your response below. This question interests me. When DNSSEC was designed, there was a decision to treat all zones the same. The fear was large delegated zones (COM) would need special treatment, we didn’t want the protocol to different per zone for that. We didn’t address the uniqueness of the root zone though, specifically in distributing the trust anchor for it. This left a gap we’ve never addressed. IANA has addressed this for the DNS running on the global public Internet. Said in the sense that there is one DNS protocol and possibly many instantiations of a running DNS system. (I knew of a non-Internet DNS at one time, operating on a separate, private inter-network. It may not be around any more, on the other hand, when it comes to the inter-planetary work, there may be a DNS system per, say, planet.) This document is addressing how IANA is, has, and will be distributing the trust anchor for the root zone they manage. On the one hand, IANA wants to do what is in the best interests of the global public Internet and as such, seeks expert opinions of which this document is an example. The WG can’t materially change the document - without convincing IANA to alter something operational. This doesn’t make WG review futile, a “rubber stamp” step, IANA is listening to the feedback. OTOH, I wonder if this is truly a WG document or something that is best through the Independent stream but reviewed by the DNSOP WG. I doubt there is enough energy for the WG to design a “standards based” means for root zone trust anchor management and distribution that is out of band, despite the gap, as there is only one working example (IANA’s) and IANA has its methods (including this document) in place. “Automated Updates of DNSSEC Trust Anchors” is the WG’s in-band mechanism. A while ago I wrote a replacement for that to address issues uncovered in looking at a root zone DNS Security Algorithm change but abandoned the work once I realized the only operational deployment of it would be for the root zone, which isn’t enough to justify the standards work. The root zone implementation of Automated Updates isn’t precisely “by the RFC” but it works and for any change to the DNS Security Algorithm, it’ll be “made to work”, an alternate approach isn’t worth pursuing. > Syntax is easy. Semantics are hard and this document has a bit too much ambiguity for a naive relying party. Strangely, if this were simply a signed file of hashes with a time associated with it indicating the IANA's current view (at time of publication) of the trust anchor set, I'd have a lot less to argue about. Someone tried to do too much I think. Protocol-defining IETF documents are meant to spur implementations, seeing multiple independent implementations interoperate is the goal. As a result, the documents often leave details up to the reader/implementer. But this document is not a pure protocol-defining document, it is an operational process document. As such, it ought to be more concrete. That is, if the goal is to describe the entirety of distributing the trust anchors. The document could be here to just present the marshaling of the trust anchor materials - describing the syntax as it does - leaving the interpretation up to the writer (IANA) and reader (relying parties). Maybe this document ought to just describe what’s in the file. Maybe this document ought to expand to include rules for relying on the document as Mike suggests. I’m not decided on this, frankly I need to go over the thread again. But its going to be a debate over whether this document is only about marshaling the trust anchors or it is about managing the trust anchors.
- [DNSOP] Request: Review changes - draft-ietf-dnso… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Request: Review changes - d… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: Request: Review changes - draft-ietf-… Andres Pavez
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Peter Thomassen
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Edward Lewis
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Edward Lewis
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns