[DNSOP] Comments on mic comments, 5011 update's authorship

Edward Lewis <edward.lewis@icann.org> Wed, 15 November 2017 14:34 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6762A126B7E for <dnsop@ietfa.amsl.com>; Wed, 15 Nov 2017 06:34:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id MUAaa7TrKVy2 for <dnsop@ietfa.amsl.com>; Wed, 15 Nov 2017 06:34:15 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E148B127A90 for <dnsop@ietf.org>; Wed, 15 Nov 2017 06:34:13 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org ( by PMBX112-W1-CA-1.pexch112.icann.org ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 15 Nov 2017 06:34:12 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1178.000; Wed, 15 Nov 2017 06:34:12 -0800
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Comments on mic comments, 5011 update's authorship
Thread-Index: AQHTXh7NpV2yHBaWTkKhad3Wpe/DFg==
Date: Wed, 15 Nov 2017 14:34:11 +0000
Message-ID: <121B74B2-A670-48E2-B4DF-09E02F376012@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3593583250_1014628276"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WFe7_Q7ChXSgUe4VsLDBkcaEjPI>
Subject: [DNSOP] Comments on mic comments, 5011 update's authorship
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Nov 2017 14:34:17 -0000

...From listening to the recording of the meeting on Monday, Nov 13,2017:

It seems that there is an impression that I feel the authors of the 5011-update draft are wrong choice to be documenting this.  This is not meant to be a personal attack on the authors but a blanket comment on seeing operator-focused documents being produced without operator involvement.  (Apologies if it is thought to be an ad hominum "attack".)

(Sub-point: It also seems that I've made the comment that ICANN hasn't been involved, which could be contradicted by messages I've sent, as well as Paul Hoffman.  ICANN people have been reading and commenting on the document.  What I'd like to stress is that ICANN has no special place regarding this document, I don't think that this document is something ICANN deserves "final" edit.  Why this confusion exists, I'll explain further on.)

Perhaps because I refrain from naming names of operators, my comments have been too vague.  From data (meaning what's at the apex of TLD zones) I've collected over many years, I observe that only a handful of TLD operators have ever published a DNSKEY record with the revoked bit set.  Within that handful, there are two operators (not two zones as each operator runs multiple zones) that publish a revoked key according to a detectable schedule, from this I have deduced that only two operators - at most - have *fully executed* Automated Updates in the course of normal operations.  I write "at most" because I have only asked one of the operators for confirmation and received it, the other I have not.

(Drilling deeper, with incomplete data on this, I have also polled delegations within ICANN-affliated TLDs and very rarely see revoked keys.  Of course, without a sufficient history of data, this data would only lead to an under count on operators.)

Related to my ICANN comment above, ICANN has not fully executed an Automated Updates key rollover yet.  We are in the middle of our first roll with STD 69 semantics in mind.

FWIW, I sent the names of the two operators in private email to Wes and Warren.  For the curious, the two operators are principally operating ccTLDs in east Asia, also operating IDN ccTLDs.  I.e., not ICANN is not one of them.

My criteria for 5011-update being "operator influenced" would be to have those operators (the confirmed and the other possible one) participate in the review.  They may not have a lot to say, but having an operator review and contribute to a document would go a long way to adding credibility in terms of "an operations document."  I've made the comment in other contexts - any operational document written by researchers would benefit from an experienced operator's review.

It isn't that Wes and Warren aren't qualified to write the document.  I'm commenting on the legacy of documents written by protocol designers that are passed off as operations guidance.

About 5 years ago, I did a study where I looked at DNSSEC operator guides (written by the IETF) versus parameter settings seen in the wild.  (Results presented at RIPE, NANOG in 2012.)  The comparison was interesting - some guidance in the document was followed, some was not.  Interviewing an operator, they said (to paraphrase) we don't read the RFCs, we use tools and rely on default settings.  This was an eye-opening moment for me.  Since then I wondered what could be done to improve the usefulness of RFCs to operators and why I have begun to think of "return on investment" of documents.  Is the IETF spending time (and the RFC editor) on documents that help the audience?  Will this document help the audience?