Re: [DNSOP] [Ext] additional documents for draft-ietf-dnsop-dnssec-bcp
Paul Hoffman <paul.hoffman@icann.org> Wed, 13 April 2022 21:36 UTC
From: Paul Hoffman <paul.hoffman@icann.org>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/S3QM12X80jz9KZ2g9KiOMEM6GpU>

On Apr 13, 2022, at 11:49 AM, Paul Wouters <paul@nohats.ca> wrote:
> If we do it as both a reference of DNSSEC and a BCP, then I think we should add:
>
> RFC 8901 Multi-Signer DNSSEC Models
> RFC 8027 a.k.a. BCP 207 DNSSEC Roadblock Avoidance
> RFC 7583 DNSSEC Key Rollover Timing Considerations
> RFC 7129 Authenticated Denial of Existence in the DNS
> RFC 4470 Minimally Covering NSEC Records and DNSSEC On-line Signing
>
> I would not include these that you included:
>
> RFC 9157 Revised IANA Considerations for DNSSEC [It's IETF administrivia]
> RFC 6014 Cryptographic Algorithm Identifier Allocation for DNSSEC [It's IETF administrivia]
> RFC 5933 Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC [Algo is dead]
>
> Otherwise, I agree with you.

I agree with PaulW's list of inclusions. I would say that RFC 9157 and RFC 6014 should still be in draft-ietf-dnsop-dnssec-bcp, but in a separate section for those readers who care about the IANA registries. RFC 5933 is not yet dead, but will be before draft-ietf-dnsop-dnssec-bcp is published.

I would add the following that are listed as blank in Tim's chart:

RFC 6975 Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)
   Relevant
RFC 6725 DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates
   For the IANA-ish section

I do not understand why the following are listed as "No", given that they relate to the DNSSEC trust anchors, and thus are relevant to implementors. I would say they all should be listed:

RFC 8509 A Root Key Trust Anchor Sentinel for DNSSEC
RFC 8145 Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
RFC 7958 DNSSEC Trust Anchor Publication for the Root Zone
RFC 7646 Definition and Use of DNSSEC Negative Trust Anchors

(I agree that RFC 4986 does not need to be in the draft because it is just requirements.)

Because we are talking about this in light of adding a section to draft-ietf-dnsop-dnssec-bcp, the following can be excluded because they are already in the draft:

RFC 9077
RFC 8624
RFC 8198
RFC 8078
RFC 7344
RFC 6840
RFC 6781
RFC 5702
RFC 5155
RFC 5011
RFC 4509
RFC 4035
RFC 4034
RFC 4033

--Paul Hoffman