Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-bootstrap-validator-00.txt

tjw ietf <tjw.ietf@gmail.com> Mon, 19 March 2018 15:31 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03EED12D777 for <dnsop@ietfa.amsl.com>; Mon, 19 Mar 2018 08:31:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UxF9RuVtymfb for <dnsop@ietfa.amsl.com>; Mon, 19 Mar 2018 08:31:12 -0700 (PDT)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C69C3129C6B for <dnsop@ietf.org>; Mon, 19 Mar 2018 08:31:11 -0700 (PDT)
Received: by mail-wm0-x233.google.com with SMTP id h21so15932488wmd.1 for <dnsop@ietf.org>; Mon, 19 Mar 2018 08:31:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VpfGRaq9kW8NHFTFMGhzyMh7pp13reMwtoriKi5b0bM=; b=uZZKY7x/PRyMv0094UILORfwpktuX7l4cR1L0J+yJcpjnryTLrhdwX2HijWC3ppXhr B9mR8E6F7wMWov/4nZew48DRQ3TQBQAIhVy2oMu7gqzkpMXxdKR+D+awEDoytRMjk5/R 25K82ntcwQr7jhVP5JEV5HgeD/PEijEp+t4iZ5LBGfs+9/wBXIkNMoYNN52Q6ZdRveQ5 NLiXnpZK5n4LQbGWY2Arf5OuDlplzKyaS3GpIpJQZlatlrWwkQ+whQp8NJTt25FFmUL8 OJejTNZftXqyFtWNRwPr1rWYfauo8gSNjGB8Mae3QPJBnXE12E+gXI1RzsVVi+NwCVqF 7HKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VpfGRaq9kW8NHFTFMGhzyMh7pp13reMwtoriKi5b0bM=; b=MMOEVAMhvEbUh7WpuK3j1JewlNxEBBVxN7NMwki/327LBOLVk0Znt3BKxoYl7bNGhy uFUl6/boreL95zamhxG3QOBxgqs+eoFSp9A8kaHkdPUkGwCgFadCh1LzYFCPUCx8srI+ dXwe1HVkOB767yZOODMl6xz+w0kaLcAxT605nDpRoSZBp/oKzhIEu+yDIQjvrvbNKgSe H6XGjUFlCZLLnNJHmugAS95b8Inxw5fGPVAKtkxxGQ1gb1ghyrm5V0p10si97OR981SB 8pzVqPxsgPQ+dPPD7uRgxZTAdIYENDrbqPEP7X0d/Fk5q3YMMl4KJfEL+mVKCd/CO9jG RHrw==
X-Gm-Message-State: AElRT7ErLLfb5mDeNS27WpnuKSvSmATwcmN/YAAZcRMnmzrKiGLCHVAa R2YSrsANLTkK9tx2wGqJFLpdNa3UTi6RK4psefHQtQ==
X-Google-Smtp-Source: AG47ELu5BeNGerqCs+JG73uKWDbyN1DB3OtRIM7zqsVQxcCKItbZy6pbpLmMmejm7UniXpPMiPVObCLepOv57CBYa1o=
X-Received: by 10.28.181.83 with SMTP id e80mr8201732wmf.147.1521473470364; Mon, 19 Mar 2018 08:31:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.154.52 with HTTP; Mon, 19 Mar 2018 08:31:09 -0700 (PDT)
In-Reply-To: <B47F59A1-10B0-46AC-90D1-7C5EF4E4688F@hopcount.ca>
References: <152147159373.24266.10589533262224690425.idtracker@ietfa.amsl.com> <B47F59A1-10B0-46AC-90D1-7C5EF4E4688F@hopcount.ca>
From: tjw ietf <tjw.ietf@gmail.com>
Date: Mon, 19 Mar 2018 15:31:09 +0000
Message-ID: <CADyWQ+GM0JrL=ztGWhsR+j8d0AJSBVFMfhGY-jhuqVU4U20NHw@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a1148e3d8bc83900567c5a580"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/U5x1l1o7V_baL6mZ5ykMXaAqkxg>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-bootstrap-validator-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 15:31:23 -0000

I will say that I tolerate Joe's hand waving, I can't speak for my
co-chair.



On Mon, Mar 19, 2018 at 3:14 PM, Joe Abley <jabley@hopcount.ca>; wrote:

> Hi all,
>
> This draft from 2011 emerged blinking into the sunlight from the grave
> where it expired, growling something about KSK rollovers and brains. Dave
> and I promptly wrestled it to the ground and locked it in the datatracker
> where we can safely poke sticks at it through the reinforced metal bars.
>
> The original draft contained this prescient language:
>
>    The possibility remains, however, that [RFC5011] signalling will not
>    be available to a validator: e.g. certain classes of emergency KSK
>    rollover may require a compromised KSK to be discarded more quickly
>    than [RFC5011] specifies, or a validator might be off-line over the
>    whole key-roll event.
>
>    This document provides guidance on how DNSSEC Validators might
>    determine an appropriate set of trust anchors to use at start-up, or
>    when other mechanisms intended to allow key rollover to be tolerated
>    gracefully are not available.
>
> Dave and I imagine this kind of thinking might be relevant and timely. Tim
> and Suz have kindly tolerated my increasingly frantic handwaving on this
> subject and have offered me some minutes in the dnsop meeting tomorrow,
> where I intend to suggest that a specification along these lines is
> necessary and that the working group should take this on.
>
>
> Joe
>
> Begin forwarded message:
>
> *From: *internet-drafts@ietf.org
> *Subject: **New Version Notification for
> draft-jabley-dnsop-bootstrap-validator-00.txt*
> *Date: *19 March 2018 at 14:59:53 GMT
> *To: *"Joe Abley" <jabley@afilias.info>;, "Dave Knight" <
> dave.knight@team.neustar>;
>
>
> A new version of I-D, draft-jabley-dnsop-bootstrap-validator-00.txt
> has been successfully submitted by Joe Abley and posted to the
> IETF repository.
>
> Name: draft-jabley-dnsop-bootstrap-validator
> Revision: 00
> Title: Establishing an Appropriate Root Zone DNSSEC Trust Anchor at
> Startup
> Document date: 2018-03-19
> Group: Individual Submission
> Pages: 9
> URL:            https://www.ietf.org/internet-drafts/draft-
> jabley-dnsop-bootstrap-validator-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-jabley-
> dnsop-bootstrap-validator/
> Htmlized:       https://tools.ietf.org/html/draft-jabley-dnsop-
> bootstrap-validator-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-
> jabley-dnsop-bootstrap-validator
>
>
> Abstract:
>   Domain Name System Security Extensions (DNSSEC) allow cryptographic
>   signatures to be used to validate responses received from the Domain
>   Name System (DNS).  A DNS client which validates such signatures is
>   known as a validator.
>
>   The choice of appropriate root zone trust anchor for a validator is
>   expected to vary over time as the corresponding cryptographic keys
>   used in DNSSEC are changed.
>
>   This document provides guidance on how validators might determine an
>   appropriate trust anchor for the root zone to use at start-up, or
>   when other mechanisms intended to allow key rollover to be tolerated
>   gracefully are not available.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>