Re: [DNSOP] I-D Action: draft-ietf-dnsop-delegation-trust-maintainance-01.txt

Matthijs Mekking <matthijs@nlnetlabs.nl> Tue, 07 January 2014 07:43 UTC


Hi,

About Child's CDS / CDNSKEY publication, I still think that it is too
strong that the Child DNS Operator SHOULD/MUST delete the CDS RRset when
the Parent DS is "in-sync". This should be a MAY.

As Joe Abley pointed out, keeping the CDS/CDNSKEY published is a nice
addition for debugging/monitoring purposes.

When the Parent sees that the CDS / CDNSKEY RRset is empty, no action
should be taken. When the Parent sees that the CDS / CDNSKEY RRset is
already "in-sync", no action should be taken.

Best regards,
  Matthijs


On 01/04/2014 10:21 PM, Warren Kumari wrote:
> We think that this resolves the open comments and is ready for WGLC.
> 
> 
> 
> On Sat, Jan 4, 2014 at 3:40 PM, <internet-drafts@ietf.org> wrote:
> 
> 
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>      This draft is a work item of the Domain Name System Operations
>     Working Group of the IETF.
> 
>             Title           : Automating DNSSEC delegation trust maintenance
>             Authors         : Warren Kumari
>                               Olafur Gudmundsson
>                               George Barwood
>             Filename        : draft-ietf-dnsop-delegation-trust-maintainance-01.txt
>             Pages           : 17
>             Date            : 2014-01-04
> 
>     Abstract:
>        This document describes a method to allow DNS operators to more
>        easily update DNSSEC Key Signing Keys using DNS as communication
>        channel.  This document does not address the initial configuration of
>        trust anchors for a domain.  The technique described is aimed at
>        delegations in which it is currently hard to move information from
>        the child to parent.
> 
> 
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-dnsop-delegation-trust-maintainance/
> 
>     There's also a htmlized version available at:
>     http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-01
> 
>     A diff from the previous version is available at:
>     http://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-delegation-trust-maintainance-01
> 
> 
>     Please note that it may take a couple of minutes from the time of
>     submission until the htmlized version and diff are available at
>     tools.ietf.org.
> 
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
> 
>     _______________________________________________
>     DNSOP mailing list
>     DNSOP@ietf.org
>     https://www.ietf.org/mailman/listinfo/dnsop
> 
>
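
Added example (not part of the original message or of the draft): a sketch of the parent-side check proposed in the message above, where an empty CDS RRset or one already in sync with the DS RRset results in no action. Function names and the sample records are constructed for illustration; it handles CDS only and assumes the CDS RRset has already been DNSSEC-validated.

```python
def parse_ds_rdata(text):
    """Parse 'keytag algorithm digesttype digest' into a comparable tuple."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError(f"malformed DS/CDS RDATA: {text!r}")
    key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    # Presentation format allows whitespace inside the hex digest, in any
    # case, so normalise before comparing.
    digest = "".join(fields[3:]).lower()
    bytes.fromhex(digest)  # raises ValueError if the digest is not valid hex
    return (key_tag, algorithm, digest_type, digest)


def parent_action(cds_rrset, ds_rrset):
    """Decide what the parent does after polling the child's CDS RRset.

    Both arguments are lists of RDATA strings. Returns (action, detail).
    """
    cds = {parse_ds_rdata(r) for r in cds_rrset}
    ds = {parse_ds_rdata(r) for r in ds_rrset}
    if not cds:
        return ("no-action", "CDS RRset is empty")
    if cds == ds:
        return ("no-action", "CDS RRset already in sync with DS")
    # The child signals a different DS set: replace the DS RRset with it.
    return ("update-ds", sorted(cds))


# Constructed sample records (digests are placeholders, not real keys).
DS_CURRENT = "12345 8 2 " + "AB" * 32
CDS_SAME = "12345 8 2 " + "ab" * 16 + " " + "ab" * 16   # same record, reformatted
CDS_NEW = "54321 8 2 " + "cd" * 32

if __name__ == "__main__":
    for name, cds in [("empty", []),
                      ("in-sync", [CDS_SAME]),
                      ("rollover", [CDS_SAME, CDS_NEW])]:
        print(name, "->", parent_action(cds, [DS_CURRENT])[0])
```

Because an in-sync CDS RRset is treated as a no-op, the child can leave it published for monitoring without triggering repeated parent updates.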