Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
Edward Lewis <Ed.Lewis@neustar.biz> Fri, 24 August 2012 17:55 UTC
Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C00721F85AF for <dnsop@ietfa.amsl.com>; Fri, 24 Aug 2012 10:55:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.916
X-Spam-Level:
X-Spam-Status: No, score=-102.916 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bZ-70uaNlYx5 for <dnsop@ietfa.amsl.com>; Fri, 24 Aug 2012 10:55:07 -0700 (PDT)
Received: from smtp125.dfw.emailsrvr.com (smtp125.dfw.emailsrvr.com [67.192.241.125]) by ietfa.amsl.com (Postfix) with ESMTP id 7D08921F85A8 for <dnsop@ietf.org>; Fri, 24 Aug 2012 10:55:07 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp12.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 001513C03A3; Fri, 24 Aug 2012 13:55:06 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp12.relay.dfw1a.emailsrvr.com (Authenticated sender: edlewis-AT-ogud.com) with ESMTPA id 64A2B3C0201; Fri, 24 Aug 2012 13:55:06 -0400 (EDT)
Mime-Version: 1.0
Message-Id: <a06240805cc5d682257a0@[10.33.203.101]>
In-Reply-To: <20120823214924.GL30725@x28.adm.denic.de>
References: <20120823214924.GL30725@x28.adm.denic.de>
Date: Fri, 24 Aug 2012 13:54:54 -0400
To: IETF DNSOP WG <dnsop@ietf.org>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: ed.lewis@neustar.biz
Subject: Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Aug 2012 17:55:08 -0000
At 23:49 +0200 8/23/12, Peter Koch wrote: >Dear DNSOP WG, > >this is to initiate a working group last call (WGLC) for > > "DNSSEC Key Timing Considerations" > draft-ietf-dnsop-dnssec-key-timing-03.txt > <http://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/> First, my blanket objection to the draft, which isn't meant to be an insult to the effort that has gone into it. The draft is too detailed. Ok, I get that that is the purpose. And it achieves that, and probably should be lauded for that and be published for that. But, as an operator/implementor, the draft doesn't cut to the chase. I first mentioned this a long time ago, and usually would just let it drop. But in the last few weeks a senior developer said the same to me - it's really well detailed, but very complex. He also added that our design complied with it in a very simplified form. I replied that that was no accident. ;) So - I admire this draft, but wish there was a Gerber-ized version. (Gerber being a brand of baby food.) To give a concrete example of what I mean by too detailed - Dprp (propagation delay) is something that can be ignored with the advent of NOTIFY and IXFR. Theoretically it is there, practically it isn't there. Some specific comments: Section 2.1 # Of three methods, Double-Signature is conceptually the simplest - # introduce the new key and new signatures, then approximately one TTL # later remove the old key and old signatures. Pre-Publication is more Which TTL? The TTL of the DNSKEY set, the TTL that is the largest value of all the TTLs in the zone, etc.? Because of that question, I disagree that double signature is the simplest. (I'm just sayin', that's my opinion.) I think pre-pub is simpler because I know what TTL is involved (DNSEKEY). For signatures, the TTL might vary through the set. Section 2.3 # +------------------+------------------+-----------------------------+ # | ZSK Method | KSK Method | Description | # +------------------+------------------+-----------------------------+ # | Pre-Publication | (not applicable) | Publish the DNSKEY before | # | | | the RRSIGs. | Why is this "not applicable" for KSK? A KSK can be listed before it is used as one. Perhaps it isn't "not applicable" but "not realistic/sensible/practical". # | (not applicable) | Double-DS | Publish DS before the | # | | | DNSKEY. | This one is non-sensical for KSK. As an operator, I'd want to test locally before involving another party. I guess my notes here reflect that I see this document as helping operations as opposed to being an analysis of the protocol engineering. Section 4. # The aim of the emergency rollover is to allow the zone to be re- # signed with a new key as soon as possible. As a key must be in the # ready state to sign the zone, having at least one additional key (a # standby key) in this state at all times will minimise delay. I disagree with that goal. In designing emergency key changes, we realized the goal is to minimize operational disruption, not minimize time until a new key is "in place." In some cases, a key "break" might be a local event, local in the sense of the target name or the target of the poisoning. With this in mind, the only difference between a scheduled key change and an emergency key change is whether it is planned or not (;)) and how much more you pester the parent for the DS change (if needed). And the latter sentence might be countered with - having a standby key is a tradeoff against having smaller responses. (The same old "time vs. space" tradeoff.) Here, it's a matter of optimizing for the sunny day or the cloudy day. Section 6 # The reader is therefore reminded that DNSSEC is, as of date of # publication, in the early stages of deployment, and best practices # may further develop over time. This is true. I wish this would be emphasized in the earlier parts of the document. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 2012...time to reuse those 1984 calendars!
- [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-0… Peter Koch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Edward Lewis
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Johan Ihrén
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Yuri Schaeffer
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Andrew Sullivan
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Olafur Gudmundsson
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Peter Koch