[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

Paul Hoffman <paul.hoffman@icann.org> Mon, 17 June 2024 21:14 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Joe Abley <jabley@strandkip.nl>
Date: Mon, 17 Jun 2024 21:14:17 +0000
CC: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UPKuVQqiZ2jSuupnvApH3lzVgbs>

On Jun 17, 2024, at 13:39, Joe Abley <jabley@strandkip.nl> wrote:
> 
> Hi Paul,
> 
> On 17 Jun 2024, at 21:18, Paul Hoffman <paul.hoffman@icann.org> wrote:
> 
>> The paragraph reads:
>> 
>> If the "root-servers.net" zone is later signed, or if the root servers are named in a
>> different zone and that zone is signed, having DNSSEC validation for the priming queries
>> might be valuable.
>> The benefits and costs of resolvers validating the responses will depend heavily on
>> the naming scheme used.
>> 
>> It is still accurate as it stands, does not lead to an assumption of what name would be signed and, more importantly, strongly indicates that the name that eventually gets signed might be different than root-servers.net. I'm not sure why we would want to remove that.
> 
> It might be technically true (although I could still nitpick about the assumption that the root server names must necessarily live in a zone other than the root) but I don't think it's useful.

I find it useful, but I see that it is also off-topic for current priming. Please note that the first sentence was actually part of RFC 8109, and I don't remember people objecting to it then. 

--Paul Hoffman