Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

神明達哉 <jinmei@wide.ad.jp> Tue, 12 May 2015 17:55 UTC

In-Reply-To: <CAHw9_iK+0HO13dFuaMppGFvtNbKHqRxF6AQDp9=fj6dQRAGuPg@mail.gmail.com>
Date: Tue, 12 May 2015 10:55:14 -0700
Message-ID: <CAJE_bqcis+FXMPYEwntVrZeyyXWNx3CjiGyHyzm4TF5eSuUVfw@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Warren Kumari <warren@kumari.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Ta6NhW7zrZC0DeDoNIIgymDMafg>
Cc: Evan Hunt <each@isc.org>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, Bob Harold <rharolde@umich.edu>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

At Tue, 12 May 2015 11:44:28 +0200,
Warren Kumari <warren@kumari.net> wrote:

> > In BIND, NTA's are set by an rndc command, but in other implementations
> > they might be set up in a config file. If you have both a TA and an NTA
> > for the same node in the same configuration, that would be sensible to
> > warn about; it's the sort of oddity that might have been unintentional.
>
> "An NTA placed at a node where there is a configured positive trust
> anchor MUST take precendence over that trust anchor, effectively
> disabling it. Implementations SHOULD issue a warning or informational
> message when this occurs, so that operators are not surprised when
> this happens."

In the sense of (my understanding of) Evan's point, it would probably
be even better if we explicitly clarify the coexistence of positive
and negative anchors should be allowed.  So how about:

   An implementation that supports NTA SHOULD allow users to configure
   both positive and negative trust anchors for the same name at the
   same time.  In this case, the NTA MUST take precedence over that
   positive trust anchor, so the NTA can be used as a way to disable
   DNSSEC validation for a specific name space temporarily.
   Implementations MAY issue a warning or informational message when
   this occurs, so that operators are not surprised when this happens.

(btw, my Emacs noticed a typo in the original text and I fixed it above:
 s/precendence/precedence
 this fix should be applied even if my proposed text is rejected)

--
JINMEI, Tatuya
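The precedence rule discussed above (a positive trust anchor and a negative trust anchor configured for the same name, the NTA winning and a warning being raised) can be made concrete in a small resolver-side configuration model. The following is an added example, not code from BIND, from the draft, or from anyone in this thread. It assumes, as a reading of "a specific name space", that an NTA covers its name and everything below it, and it models the "temporarily" aspect with an optional expiry time; the configuration data it builds is constructed for illustration and the names in it are placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the example is reproducible (constructed value).
NOW = datetime(2015, 5, 12, 18, 0, tzinfo=timezone.utc)


def _canon(name: str) -> str:
    """Lower-case a domain name and drop the trailing dot; the root becomes ''."""
    return name.strip().lower().rstrip(".")


def _labels(name: str) -> tuple[str, ...]:
    """Split a name into its labels; the root is the empty tuple."""
    c = _canon(name)
    return tuple(c.split(".")) if c else ()


def is_at_or_below(name: str, anchor: str) -> bool:
    """True if `name` equals `anchor` or lies beneath it (label-wise suffix match)."""
    n, a = _labels(name), _labels(anchor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


@dataclass
class NTA:
    name: str
    # None means no expiry; the thread's point is that NTAs are temporary, so
    # a real deployment would always set one (assumption of this example).
    expires: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires


@dataclass
class AnchorConfig:
    trust_anchors: set[str]   # names carrying a positive TA (key material omitted)
    ntas: list[NTA]

    def conflicts(self, now: datetime) -> list[str]:
        """Names that carry both a positive TA and an active NTA.

        The NTA takes precedence at such a node; these are the cases an
        implementation would warn about so the operator is not surprised.
        """
        tas = {_canon(t) for t in self.trust_anchors}
        return sorted({_canon(n.name) for n in self.ntas
                       if n.active(now) and _canon(n.name) in tas})

    def warnings(self, now: datetime) -> list[str]:
        return [f"warning: NTA for '{name}' overrides the positive trust anchor "
                f"configured for the same name" for name in self.conflicts(now)]

    def validation_required(self, qname: str, now: datetime) -> bool:
        """DNSSEC validation applies to qname iff some positive TA covers it and
        no active NTA covers it (assumption: an NTA covers its whole subtree)."""
        covered_by_ta = any(is_at_or_below(qname, ta) for ta in self.trust_anchors)
        covered_by_nta = any(n.active(now) and is_at_or_below(qname, n.name)
                             for n in self.ntas)
        return covered_by_ta and not covered_by_nta


def build_example_config() -> AnchorConfig:
    """Constructed configuration: a root TA, a TA and an NTA on the same name,
    and an NTA that has already expired."""
    return AnchorConfig(
        trust_anchors={".", "example.com"},
        ntas=[
            NTA("example.com", expires=NOW + timedelta(hours=1)),   # active, same node as a TA
            NTA("broken.test", expires=NOW - timedelta(days=1)),    # expired, must be ignored
        ],
    )


if __name__ == "__main__":
    cfg = build_example_config()
    for line in cfg.warnings(NOW):
        print(line)
    for q in ("www.example.com", "example.org", "a.broken.test"):
        print(f"{q}: validate={cfg.validation_required(q, NOW)}")
```

Note that `conflicts()` only reports the same-name case the proposed text is about; an NTA placed above a positive TA at a different node is handled by `validation_required()` under this example's subtree assumption and produces no warning.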