IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt

Rubens Kuhl <rubensk@nic.br> Tue, 16 December 2014 19:06 UTC

Return-Path: <rubensk@nic.br>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 136271ACDEE for <dnsop@ietfa.amsl.com>; Tue, 16 Dec 2014 11:06:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.65
X-Spam-Level:
X-Spam-Status: No, score=-4.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_BR=0.955, HOST_EQ_BR=1.295, RCVD_IN_DNSWL_HI=-5, SPF_FAIL=0.001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltM3p0qfMAxI for <dnsop@ietfa.amsl.com>; Tue, 16 Dec 2014 11:06:37 -0800 (PST)
Received: from clone.registro.br (clone.registro.br [200.160.2.4]) by ietfa.amsl.com (Postfix) with ESMTP id D1AD51ACDFB for <dnsop@ietf.org>; Tue, 16 Dec 2014 11:06:32 -0800 (PST)
Received: from clone.registro.br (localhost [127.0.0.1]) by clone.registro.br (Postfix) with ESMTP id D2D1024BD48; Tue, 16 Dec 2014 17:06:30 -0200 (BRST)
X-Virus-Scanned: amavisd-new at registro.br
Received: from clone.registro.br ([127.0.0.1]) by clone.registro.br (clone.registro.br [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tHyhnNsqUICX; Tue, 16 Dec 2014 17:06:27 -0200 (BRST)
Received: from rubens.in.registro.br (3.195.net.registro.br [200.160.3.195]) by clone.registro.br (Postfix) with ESMTP id EA49924BD4E; Tue, 16 Dec 2014 17:06:27 -0200 (BRST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Rubens Kuhl <rubensk@nic.br>
In-Reply-To: <CAHw9_iJxKncf-zWKOZdXKdhCkrJiKjuzqWrG_r=SBNreKbn6UQ@mail.gmail.com>
Date: Tue, 16 Dec 2014 17:06:27 -0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <3E6A8E21-16D2-4E43-9021-B28CD4C20034@nic.br>
References: <20141216011517.21875.32371.idtracker@ietfa.amsl.com> <A086A53B-5187-4498-8BE3-117CFD203DC6@nic.br> <CAHw9_iJxKncf-zWKOZdXKdhCkrJiKjuzqWrG_r=SBNreKbn6UQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/WRtOZ_1S2DBNlrzx6aSWIwllfMw
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Dec 2014 19:06:38 -0000

> Em 16/12/2014, à(s) 15:54:000, Warren Kumari <warren@kumari.net> escreveu:
> 
> On Mon, Dec 15, 2014 at 9:17 PM, Rubens Kuhl <rubensk@nic.br> wrote:
>> 
>> My feedback to a possible -01 version is to add something related to not consider NTAs for the upper hierarchy of a failed DNSSEC domain. For instance, even if I see a good number of .gov domains failed DNSSEC, adding a NTA configuration for .gov would not be considered good operational practice, unless .gov itself starts failing DNSSEC validation.
>> 
>> I know no RFC can determine what ops really end up doing, but not being allowed to claim that as a prescribed practice has some value.
> 
> 
> We had tried to capture that with:
> "It does not and should not involve turning off validation more broadly."
> and
> "Finally, a Negative Trust Anchor SHOULD be used only in a specific
>   domain or sub-domain and MUST NOT affect validation of other names up
>   the authentication chain.  "
> 
> I thought that we also had some text that said that the NTA should
> cover the minimum necessary to fix the issue, but I cannot find that
> text at the moment - we may have removed it because it was very
> klunky. Anyway, do the above bits cover what you wanted, or do you
> think we need to be more explicit?


I think we need to be more explicit. Not from a formal perspective, which is truly addressed, but as a mean to say "don't use this RFC to justify adding .gov to NTA. Do that on your own and live with it.".


Rubens

v2.23.0 | Report a Bug | By Email