Re: [DNSOP] Fracturing the protocol - was Re: Updated cheese-shop.

Warren Kumari <warren@kumari.net> Mon, 29 February 2016 16:13 UTC

References: <D2F9A5BA.13FE2%edward.lewis@icann.org> <20160229151220.7d7e9643@pallas.home.time-travellers.org>
In-Reply-To: <20160229151220.7d7e9643@pallas.home.time-travellers.org>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 29 Feb 2016 16:13:29 +0000
Message-ID: <CAHw9_iKHYr9_FvkuKVoU_3QKHKwdEBE1wbcSdJv0y7y_g8wVmQ@mail.gmail.com>
To: Shane Kerr <shane@time-travellers.org>, Edward Lewis <edward.lewis@icann.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/UumKlnXrfOJVc4dvqcgyna0Ry5Y>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Fracturing the protocol - was Re: Updated cheese-shop.

On Mon, Feb 29, 2016 at 9:12 AM Shane Kerr <shane@time-travellers.org>
wrote:

> Ed,
>
> At 2016-02-29 12:51:16 +0000
> Edward Lewis <edward.lewis@icann.org> wrote:
>
> > On 2/25/16, 17:58, "DNSOP on behalf of Warren Kumari"
> > <dnsop-bounces@ietf.org on behalf of warren@kumari.net> wrote:
> >
> > >We have recently updated "Believing NSEC records in the DNS root"
> > >(https://tools.ietf.org/html/draft-wkumari-dnsop-cheese-shop-01).
> >
> > My objection to this document is based on the draft's proposal to specify
> > a change to the protocol based on the data being carried in one
> particular
> > deployment of the protocol.
>
> Interesting concern, although I don't see how it can be otherwise. We
> don't know what the properties of future protocols will be, so I don't
> know how we can specify what the behavior of resolvers using such
> protocols would be.
>
> > If the DNS is built to assume that the root zone is DNSSEC signed with
> > NSEC records and this is then "burned into software" the other
> > inter-networks will be given the choice of having to turn on DNSSEC and
> > NSEC for their root zone or developing other software.  (Or...other
> > inconvenient mitigations.)
>
> Can't a couple sentences address this concern?
>
> "If the root zone is not DNSSEC signed with NSEC records then the
> Cheese Shop is closed and this document does not apply. Resolvers MUST
> continue to work in such an environment."
>


I *think* that the document / proposal implicitly handles this case already.

If the root (of whatever tree / name resolution system you have) is not
DNSSEC signed, you do not get back valid NSEC records. If you do not get
back valid NSEC records, there is no work to do.
I guess I could sprinkle "DNS" all over:
"The scope of this document is limited to the special case of recursive
DNSSEC validating resolvers querying the root zone.", e.g.
"The scope of this document is limited to the special case of recursive
DNSSEC validating resolvers querying the IANA administered DNS root zone."

I'm (as always) happy to accept text - I've tossed Shane's in to make it
clearer (?) - editor copy:
https://github.com/wkumari/draft-wkumari-dnsop-cheese-shop

I also have some comments from Jinmei (thanks!) to incorporate, hopefully
later this afternoon.

W


>
> Cheers,
>
> --
> Shane
>
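The "no valid NSEC, no work to do" point above can be made concrete with a small model of the resolver-side logic the cheese-shop draft describes: synthesize NXDOMAIN for a query whose top-level label is proven absent by a DNSSEC-validated NSEC record from the root, and otherwise fall through to the normal query path. This is an added illustration, not code from the draft, its editor copy, or any resolver; the record layout (`NsecRecord`), the sample NSEC chain, and the `validated` flag standing in for a real DNSSEC validation result are constructed for this example. Name ordering follows RFC 4034 section 6.1.

```python
"""Toy model of root-zone NSEC-based NXDOMAIN synthesis in a validating
resolver. Constructed example; not the draft's or any resolver's code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple


def _labels(name: str) -> List[bytes]:
    """Split a dotted name into lowercased labels, least significant first.
    The root ("." or "") yields an empty list."""
    name = name.rstrip(".").lower()
    if not name:
        return []
    return [label.encode("ascii") for label in name.split(".")]


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key implementing RFC 4034 s6.1 canonical ordering: compare labels
    from the root downward, byte-wise and case-insensitively; a name that is a
    prefix (fewer labels) sorts first, which tuple comparison gives for free."""
    return tuple(reversed(_labels(name)))


@dataclass(frozen=True)
class NsecRecord:
    owner: str        # owner name of the NSEC RR
    next_name: str    # "Next Domain Name" field
    validated: bool   # stands in for a real DNSSEC validation result (assumption)


def is_root_zone_nsec(nsec: NsecRecord) -> bool:
    """The draft's scope is the root zone only: both names must be the root
    itself or a single (TLD) label."""
    return len(_labels(nsec.owner)) <= 1 and len(_labels(nsec.next_name)) <= 1


def nsec_covers(nsec: NsecRecord, name: str) -> bool:
    """True when `name` sorts strictly between owner and next name, i.e. the
    NSEC proves `name` does not exist. The last NSEC of a zone has the apex as
    its next name, so everything sorting after its owner is covered."""
    o = canonical_key(nsec.owner)
    n = canonical_key(nsec.next_name)
    q = canonical_key(name)
    if o < n:
        return o < q < n
    return q > o   # wrap-around at the end of the chain


def synthesize_nxdomain(qname: str, cache: List[NsecRecord]) -> Optional[str]:
    """Return "NXDOMAIN" if a validated root NSEC in `cache` proves the TLD of
    `qname` is absent; return None ("no work to do", send the normal query)
    otherwise. Only the rightmost label is tested, because an NSEC for a TLD
    says nothing about names delegated below that TLD."""
    labels = _labels(qname)
    if not labels:
        return None   # the root itself always exists
    tld = labels[-1].decode("ascii")
    for nsec in cache:
        if not nsec.validated or not is_root_zone_nsec(nsec):
            continue  # unsigned, unvalidated or non-root data proves nothing
        if canonical_key(nsec.owner) == canonical_key(tld):
            return None  # the TLD exists (it owns an NSEC); must query it
        if nsec_covers(nsec, tld):
            return "NXDOMAIN"
    return None


# Constructed sample chain fragment: two validated root NSEC records, the
# second being the wrap-around record that ends the chain at the apex.
SAMPLE_CACHE = [
    NsecRecord(owner="com", next_name="coop", validated=True),
    NsecRecord(owner="zw", next_name=".", validated=True),
]

if __name__ == "__main__":
    for q in ("www.example.cool", "www.example.com", "foo.zzz", "example.coop"):
        print(q, "->", synthesize_nxdomain(q, SAMPLE_CACHE) or "query normally")
```

The two early `continue`/`return None` branches are the whole point of the exchange: with an unsigned root there are no validated NSEC records in the cache, so every lookup falls through to the ordinary resolution path and the resolver keeps working unchanged.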