IETF Logo Mail Archive

[DNSOP] More comments on draft-wessels-edns-key-tag-00

Edward Lewis <edward.lewis@icann.org> Tue, 24 November 2015 17:00 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A05A1B2D18 for <dnsop@ietfa.amsl.com>; Tue, 24 Nov 2015 09:00:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.006
X-Spam-Level:
X-Spam-Status: No, score=-4.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qeK7FQBxFb9K for <dnsop@ietfa.amsl.com>; Tue, 24 Nov 2015 09:00:05 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB7BD1B2C62 for <dnsop@ietf.org>; Tue, 24 Nov 2015 09:00:05 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Tue, 24 Nov 2015 09:00:02 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1044.021; Tue, 24 Nov 2015 09:00:02 -0800
From: Edward Lewis <edward.lewis@icann.org>
To: "Wessels, Duane" <dwessels@verisign.com>
Thread-Topic: More comments on draft-wessels-edns-key-tag-00
Thread-Index: AQHRJtmPXkdjXahmsEiTn01cYVzaVQ==
Date: Tue, 24 Nov 2015 17:00:02 +0000
Message-ID: <D279FE55.117EB%edward.lewis@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.8.151023
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3531211198_10020438"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/X9d7au8u6BXi7HnDRtv0kQhS2P0>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: [DNSOP] More comments on draft-wessels-edns-key-tag-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2015 17:00:07 -0000

One of the concerns in the document is "when to send the option."

I'll state the assumption that this is most useful for RFC 5011
["Automated Updates of DNS Security (DNSSEC) Trust Anchors"] situations.
Perhaps it is not exclusively use to that, but I'll presume that for this
suggestion.

In RFC 5011, section 2.3 "Active Refresh" there is this plus more detail:

"A resolver that has been configured for an automatic update of keys
   from a particular trust point MUST query that trust point (e.g., do a
   lookup for the DNSKEY RRSet and related RRSIG records)..." (yadda,
yadda, yadda)


In the sense that there's a concern about a resolver exposing the keys it
has, if the option is only to be attached to the queries done to satisfy
that requirement above I think the problem is simplified.  In this case,
the resolver will know that it "needs to know" and it knows where the
trust anchors are "homed."  I.e., if the resolver cannot directly query
the source, then all bets are off, RFC 5011-wise.

Now, if my assumption is incorrect, I'd still recommend that the option be
added to RFC 5011, section 2.3 mandated queries.  Beyond that, I'm not
sure what is the appropriate general case for "revealing" ones' configured
trust anchors.  There'd be no need for "union-ing" the response (section
5.2.1).  The temptation to scope creep this is curtailed if this is an
"extension" of RFC 5011 as opposed to a general EDNS option.  Any network
management reason for this would be available through the means the
operator does other network maintenance (use of tools to inspect, etc).

v2.23.0 | Report a Bug | By Email