Re: [DNSOP] Making draft-ietf-dnsop-kskroll-sentinel apply to all zones

Geoff Huston <gih@apnic.net> Wed, 20 December 2017 18:30 UTC

From: Geoff Huston <gih@apnic.net>
In-Reply-To: <AD804DDC-774C-41AA-AB8E-411A63D54A15@hopcount.ca>
Date: Thu, 21 Dec 2017 05:30:28 +1100
Cc: dnsop WG <dnsop@ietf.org>
Message-Id: <D65E3FF3-E02E-4472-8178-7659F6599E91@apnic.net>
References: <FE393168-BE0E-41E2-BA27-89A3D2DA4790@vpnc.org> <5E1FF941-C80D-442C-ABB5-6C81F3B1A149@apnic.net> <A6465B30-EC72-4282-8600-5B850E67D7BA@vpnc.org> <AD804DDC-774C-41AA-AB8E-411A63D54A15@hopcount.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UEz2Ea46gzXlJ83gt003-DOB_Iw>
Subject: Re: [DNSOP] Making draft-ietf-dnsop-kskroll-sentinel apply to all zones
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>


> On 16 Dec 2017, at 2:37 am, Joe Abley <jabley@hopcount.ca> wrote:
> 
> On 15 Dec 2017, at 10:31, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
>> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
>> 
>>> I agree the mechanics of the change in the text, and even in the code to support this, are pretty minor, but I am slightly worried about the intended generality of the proposed change being a small step too far, so I am curious to understand why you are advocating this change.
>> 
>> Because the root zone is not special for DNSSEC.
> 
> I agree with that philosophically, but not practically.
> 
> In practical terms anybody who has a non-root trust anchor installed has a bidirectional operational relationship with the people who publish it. Synchronising that trust anchor, with the glorious benefit of a full list of relying parties and knowledge of how to interact with them, is a far cry from the situation we find ourselves in with the root zone.
> 
> While it's conceptually elegant to have this mechanism easily available to the operator of nameservers for any zone, it's not clear to me that this is supported by a tangible use case.
> 
> If changes motivated by this desire for elegance weaken support for the one use case we have, they seem like a bad idea. (Not saying they do; I haven't thought about them that hard and in any case I am not an implementor.)
> 

I share Joe’s concern here - I prefer the option of a simple, focussed mechanism that reports on a resolver’s root zone KSK trust state.

I’ll leave this open, but will not incorporate Paul’s proposed changes into the WG draft unless I see some further WG comments in favour of making this proposed change.


regards,

   Geoff