Re: [DNSOP] Fwd: FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt

S Moonesamy <sm+ietf@elandsys.com> Sun, 24 March 2019 14:41 UTC

Message-Id: <6.2.5.6.2.20190324070321.0f9445e8@elandnews.com>
Date: Sun, 24 Mar 2019 07:38:52 -0700
To: Daniel Migault <daniel.migault@ericsson.com>, dnsop@ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <CADZyTk=uhvqXYy_sVXD8_Svs3-e=zdxQpupo1X-7_9-QiLLHEQ@mail.gmail.com>
References: <154342814186.13692.7258212111896455439.idtracker@ietfa.amsl.com> <DM3PR15MB10029872937ACF23722DB328E3D10@DM3PR15MB1002.namprd15.prod.outlook.com> <CADZyTk=uhvqXYy_sVXD8_Svs3-e=zdxQpupo1X-7_9-QiLLHEQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/V52tY8wFKBLFbHuvvC7K1uZx8L8>
Subject: Re: [DNSOP] Fwd: FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Hi Daniel,
At 07:10 AM 23-03-2019, Daniel Migault wrote:
>We would particularly appreciate you sharing your thoughts and discussing 
>the requirements to operate DNSSEC validators. In particular, feedback 
>from operators or implementers would be more than welcome. 
>Please feel free to share your thoughts on the mailing list,

I took a quick look at the draft.  The reference for RFC 7598 might 
be a typo [1].

Section 6.1.1:

   "Because of this, it is recommended that implementations make the root
    zone trust anchor obvious to the operator while still enabling
    configuration of general trust points."

The meaning of "obvious" in the above sentence might not be that obvious.


Section 6.2 discusses a data store and references RFC 5011 as a 
requirement [2].  I read a comment [3] about RFC 5011 in which one of 
the assumptions of that RFC is mentioned: "The resolver has access to 
persistent writeable storage that will work across reboots".  I am 
not sure whether that is usually the case for unmanaged devices.

Section 8:

   "In order to anticipate the sunset of one of the signature scheme,
    a DNSSEC validator may willing to estimate the impact of deprecating
    one signature scheme."

The sentence is not clear.

As an overall comment, I suggest considering whether the audience is 
the average working group participant only.  If that is not the case, 
the draft could do with an editorial pass.

Regards,
S. Moonesamy

1. I assume that it is RFC 7958.
2. The sentence actually makes a recommendation.
3. https://blog.cloudflare.com/its-hard-to-change-the-keys-to-the-internet-and-it-involves-destroying-hsms/
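The persistent-storage point in the message above is easy to state and easy to underestimate, so here is an added illustration; it is not code from the draft, from RFC 5011 or from the message itself. It models the trust-anchor state an RFC 5011 validator has to carry across reboots (AddPend, Valid, Revoked, with the 30-day add hold-down), replays a constructed key rollover against a store that writes to disk and against one that cannot, and reboots both in the middle. Key tags, dates and the `TrustAnchorStore`/`observe` API are constructed for the example; signature checks on the DNSKEY RRset are assumed to have passed rather than implemented.

```python
import json
import os
import tempfile

# RFC 5011 section 2.4.1: a new SEP key must be seen continuously for
# at least 30 days before it may be promoted to a trust anchor.
DAY = 24 * 3600
ADD_HOLD_DOWN = 30 * DAY


class TrustAnchorStore:
    """Trust-anchor state keyed by DNSKEY key tag (hypothetical API).

    States: 'AddPend' (seen, hold-down running), 'Valid', 'Revoked'.
    path=None models an unmanaged device with no persistent writable
    storage: every construction starts again from the built-in anchors.
    """

    def __init__(self, builtin_tags, path=None):
        self.path = path
        self.anchors = {tag: {"state": "Valid", "first_seen": 0}
                        for tag in builtin_tags}
        if path is not None and os.path.exists(path):
            with open(path) as f:
                self.anchors = json.load(f)   # reload what survived the reboot

    def save(self):
        if self.path is not None:
            with open(self.path, "w") as f:
                json.dump(self.anchors, f)

    def valid_tags(self):
        return sorted(t for t, a in self.anchors.items() if a["state"] == "Valid")

    def observe(self, now, dnskeys):
        """Apply one observation of the zone's DNSKEY RRset.

        dnskeys: list of (key_tag, revoke_bit_set) for keys with the SEP bit.
        Assumption: the RRset is validly signed by a currently Valid anchor,
        as RFC 5011 requires before any transition below is allowed. With no
        Valid anchor left there is no trust path, so nothing can change.
        """
        if not self.valid_tags():
            return
        present = {tag for tag, _ in dnskeys}
        for tag, revoked in dnskeys:
            entry = self.anchors.get(tag)
            if revoked:
                if entry is not None:          # REVOKE bit on a known key
                    entry["state"] = "Revoked"
            elif entry is None:                # new SEP key: start hold-down
                self.anchors[tag] = {"state": "AddPend", "first_seen": now}
            elif (entry["state"] == "AddPend"
                  and now - entry["first_seen"] >= ADD_HOLD_DOWN):
                entry["state"] = "Valid"       # hold-down expired: trust it
        # A pending key that disappears before the hold-down expires is dropped.
        for tag in list(self.anchors):
            if self.anchors[tag]["state"] == "AddPend" and tag not in present:
                del self.anchors[tag]
        self.save()


# Constructed observations of a KSK rollover: old key "10001" built in,
# new key "20002" pre-published, old key revoked after the new one is trusted.
ROLLOVER = [
    (0 * DAY, [("10001", False), ("20002", False)]),
    (40 * DAY, [("10001", False), ("20002", False)]),
    # the device reboots between this observation and the next
    (45 * DAY, [("10001", True), ("20002", False)]),
]


def run_rollover(builtin_tags, path, reboot_after_index=1):
    """Replay ROLLOVER, rebooting once; return the Valid key tags at the end."""
    store = TrustAnchorStore(builtin_tags, path)
    for i, (t, keys) in enumerate(ROLLOVER):
        store.observe(t, keys)
        if i == reboot_after_index:
            # Persistent store reloads its file; volatile one is back to built-ins.
            store = TrustAnchorStore(builtin_tags, path)
    return store.valid_tags()


def compare():
    """Return (valid tags with persistent store, valid tags with volatile store)."""
    with tempfile.TemporaryDirectory() as d:
        persistent = run_rollover(["10001"], os.path.join(d, "anchors.json"))
    volatile = run_rollover(["10001"], None)
    return persistent, volatile


if __name__ == "__main__":
    p, v = compare()
    print("persistent store after rollover, Valid anchors:", p)
    print("volatile store after rollover, Valid anchors:  ", v)
```

With persistent storage the validator comes back from the reboot already trusting the new key and simply retires the revoked one. Without it, the reboot erases the 40 days of hold-down already served, the new key is back to AddPend, and the revocation of the only built-in anchor leaves no Valid key at all: the device can no longer validate, and under RFC 5011 it has no trusted signer left to bootstrap the new key from. That is the failure mode behind the "persistent writeable storage" assumption, and it is why a validator requirements document would need to say what unmanaged devices should do instead (for example a firmware-updated anchor, or the RFC 7958 trust-anchor file the draft cites).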