IETF Logo Mail Archive

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Shumon Huque <shuque@gmail.com> Sun, 19 January 2020 01:43 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 707F012003E; Sat, 18 Jan 2020 17:43:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Kqqv236LAfi; Sat, 18 Jan 2020 17:43:05 -0800 (PST)
Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4B78120025; Sat, 18 Jan 2020 17:43:04 -0800 (PST)
Received: by mail-oi1-x22a.google.com with SMTP id p125so25689953oif.10; Sat, 18 Jan 2020 17:43:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Yxa76mXyFu+HPjpDX2RQCs+siY7FcMPUUvVN/VNAu9M=; b=JXs9q9DNJaNqWw1FUFFqTYpnmmjP8QfT5m6dzbN7lH84EZU+CtMY8+4mFkqM6B5vpG c4zeCEEBZQSeZdJsa+4gTK7G2U2Np7TOnxTTEBKRzJQ6Zd8mI7bXNaY5S5r6pfyQfrI5 OI/tpRa1vZOR/AHqTNNGmJOdjV2/h9mX/8K/fdrz7TD+oRdPzMrf9Mw3NkFDIRbKH1Wp /+LySxyFcTZAwUqinflGMkEF3fgHJg1T9KIH5LTDz0i5B/UjEMFigOdc6eVW8OKD24c5 doEqmu0XWLIhVi9RjSpepzB0Sj/mTsj7Gu8DPhe62SRyLYq/7jAPJJTPDEdKuDNsv2HZ yw/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Yxa76mXyFu+HPjpDX2RQCs+siY7FcMPUUvVN/VNAu9M=; b=uhw2aki3wKRKsauKd49nG870Dd5CrrdSuF/S+7zwl1beaxIk39wWN07GrTLkUb9Aa0 mS/vzPymu8KEUjoFcsQtZ/hfy1EBE9QqxHw5JhGSfI9xPOOz//1YPZdZS8WY+Z+XaBzW 3qqQjd6Ys9ZR9FY1sg53HXQL0G2onbOiOhy+7T3IMf0zOhigGQ9wnknsYj1Za/G229AR 8C5GOkXC9gbbcDVIx1eOXiPHXgjar/bku1JQGgH5O8we+5+v4cPf+v+8LfXUS9ITmMUM j81nhdAqM0SHP0aTLZh0iTmrbhOt4MBNvh96SrS+DCvHRJKvKUJgi3Mi42HWg7etjRI7 W+yg==
X-Gm-Message-State: APjAAAWhmnEug+29awwdg3qtWLu8kGOhmY5NlMjcjlhMLNURjeuBcABK hQWn5yNT2YzDvQrWJU3cR8mZxDDQHFkQxlsGEjQ=
X-Google-Smtp-Source: APXvYqyQx7KFslHx/DUKESuog0cTwoEesroH6NuZ1xcl2dHDb9ZgkOdyWHX42Bv1P5XwkjPvnnfkNSPMUEHvZnebgEk=
X-Received: by 2002:a05:6808:8d0:: with SMTP id k16mr8723157oij.68.1579398183426; Sat, 18 Jan 2020 17:43:03 -0800 (PST)
MIME-Version: 1.0
References: <CAHw9_iLFuSbdA2TFS4Qd2dAzDFJyJgfQGY1+T2c2JQZ3WTat_A@mail.gmail.com> <CAHw9_iJJx3nJx8tZABXkJMnuoS+ALAoSq6q98JT2SOR-1uAPxw@mail.gmail.com>
In-Reply-To: <CAHw9_iJJx3nJx8tZABXkJMnuoS+ALAoSq6q98JT2SOR-1uAPxw@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Sat, 18 Jan 2020 20:42:52 -0500
Message-ID: <CAHPuVdV=XDKNPv+hjhncqo_vdGtgnZc=sHHCL_4fipBT6kKZcA@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: draft-ietf-dnsop-multi-provider-dnssec@ietf.org, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aea277059c744b7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XdIBu_NcQyczKHWpRUkvWM_EFNc>
Subject: Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jan 2020 01:43:10 -0000

Hi Warren,

Sorry for the delay - I just got back from a vacation, and am catching up
with email.

I will respond to your comments in the next day or two. Thanks for your
patience!

Shumon.

On Sat, Jan 18, 2020 at 5:58 PM Warren Kumari <warren@kumari.net> wrote:

> Checking in again...
> W
>
> On Sun, Jan 12, 2020 at 9:23 PM Warren Kumari <warren@kumari.net> wrote:
> >
> > Hi there,
> >
> > Firstly, thank you for a well written and easy to understand document.
> >
> > I have some comments which I think should be addressed before I start
> > IETF LC, but they are small enough that if you'd much prefer you can
> > just address them after during / after LC (if changes are needed), or
> > during IESG review.
> > Please let me know LOUDLY which you'd prefer.
> >
> > 1: Section 3: 3. Validating Resolver Behavior
> > I think it would be very useful to mention that this document doesn't
> > require any changes to the behavior of validating resolvers
> > themselves. It might also be worth mentioning somewhere that this is
> > also largely true for authoritative servers - this isn't really a
> > protocol change, rather an operational / process set of changes.
> >
> > 2: " Zone owners will want to deploy a DNS service that responds as
> >    efficiently as possible with validatable answers only, and hence it
> >    is important that the DNSKEY RRset at each provider is maintained
> >    with the active ZSKs of all participating providers."
> > This is somewhat ambiguous - it sounds like the zone owner may want to
> > deploy a service that is only efficient with verifiable answers (and
> > might be inefficient with bogus ones :-))
> >
> > 3: A question -- "Authenticated Denial Considerations"
> > Some CDNs and similar do funny things with e.g CNAMEs, or may do
> > something like generate ACME records or similar. What happens if
> > provider A creates e.g _acme-challenge.example.com (or www.example.com
> > IN 600 CNAME some-long-account-number.cdn.net) and doesn't tell
> > provider B? I understand that the owner names *should* be consistent,
> > but I think it is worth adding some text here along the lines of "here
> > be dragons" or similar...
> >
> > 4: The document uses one inceanse of RFC2119 language (RECOMMENDED) -
> > please either drop this, or add the 2119 / 8174 boilerplate.
> >
> > Again, I'm willing to start IETF LC, or wait till you've posted a new
> > version, but please let me know.
> > W
> >
> >
> > --
> > I don't think the execution is relevant when it was obviously a bad
> > idea in the first place.
> > This is like putting rabid weasels in your pants, and later expressing
> > regret at having chosen those particular rabid weasels and that pair
> > of pants.
> >    ---maf
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>

v2.23.0 | Report a Bug | By Email