IETF Logo Mail Archive

[DNSOP]Re: [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)

Peter Thomassen <peter@desec.io> Tue, 14 May 2024 09:04 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79D15C14F6FA for <dnsop@ietfa.amsl.com>; Tue, 14 May 2024 02:04:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1t_jQSTjhYEb for <dnsop@ietfa.amsl.com>; Tue, 14 May 2024 02:04:36 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0907DC14F6F1 for <dnsop@ietf.org>; Tue, 14 May 2024 02:04:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References: To:Subject:From:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=p4hKS1usN4ZkhgSAPna3dPGMjc2gS1SYC+tnlzWu0iE=; b=oevpW4ed7dCmcoodUsbDhOH97j xTfkafZtPvg9qeoXohKKMRucKLi7MxBsrcdxA4fITiwvs1DiRj7Qq3z/n1aE6SRN6se/iFPVDrP1g ivLGFvoDPZF5Dh2wveEbbiuHSSfNr7qGLkKwFGsmpRZcxgLUJU2eXwgiKWux7wGq8EvUWtujOlkYu 0UUyMmbAcCMJCcAg/1IMqsK9YWRqRcCA2KmhHlp8IVyXs1peT5LyW3FYudGTcR/dVFGl5iCyXrFhb sl6buzUzSJ7191psB4IvHureLrzOBlCsNmCiaUKwU2nT/1LRe0uJm+B3su34ssz19o/34Sk5/ZYvb iqmvcZWw==;
Received: from [2a02:8109:9283:8800:585c:d0b2:318c:57b9] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1s6o5H-00HU76-Uk for dnsop@ietf.org; Tue, 14 May 2024 11:04:32 +0200
Message-ID: <ea4eb191-f22b-4ca9-9fe3-45c98839016c@desec.io>
Date: Tue, 14 May 2024 11:04:31 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Peter Thomassen <peter@desec.io>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <RT-Ticket-1362913@icann.org> <rt-5.0.3-225992-1713566832-1739.1362913-9-0@icann.org> <647558F8-2FEF-4418-AE1C-3BDC3B22A89B@nohats.ca> <1cb4663f-9502-47db-a099-ce5147bb733e@desec.io> <94ea3a71-6c1c-10af-a71f-7cee34e8d0d4@nohats.ca> <F21226BA-266A-4BF8-AD17-0D908B10AC54@nist.gov> <rt-5.0.3-189191-1713786135-470.1362913-9-0@icann.org> <rt-5.0.3-1375868-1714672753-112.1362913-9-0@icann.org>
Content-Language: en-US
In-Reply-To: <rt-5.0.3-1375868-1714672753-112.1362913-9-0@icann.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: NN6WEZRCNWBIXYBO755LEUJD2HNNZPTX
X-Message-ID-Hash: NN6WEZRCNWBIXYBO755LEUJD2HNNZPTX
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP]Re: [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XobU0tgxTlRaGc2LsUJP-pYADNg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

[reposting as it looks like this did not get delivered during Mailman transition last week; original message sent on May 7]


Hi,

On 5/2/24 19:59, David Dong via RT wrote:
> Following up on this; does the group agree that "_dnssec" is OK?

Looking at what's been said in this thread:
- Two people have proposed to change the label, current proposal: _dnssec
- Two implementers have said they'd make the change but don't seem convinced
- The authors (hats off, but also implementers and authors of current drafts using the mechanism) are not convinced

The authors don't feel comfortable declaring consensus in either direction (neither do we know whether that's our role), and we're not sure how to proceed. Perhaps the DNSOP chairs could weigh in, as the discussion is happening on the WG list although the document is technically out of the door ...


I've been reluctant adding the following argument as to not seem insisting; OTOH it may have its own technical merit, so here is.

The "_dnssec" label implies that the mechanism is not suitable for signaling unrelated to DNSSEC. That's an artificial limitation, and it's unclear why to impose the restriction. An operator could very well want to publish other things, like

- TXT at _abuse.example.com._signal.ns1.provider.net for an abuse address,
- PTR at _catalog.example.com._signal ... for catalog zone membership,
- ...

If the signaling method is generic, I believe it should have a short generic label. Any specificity to determine the kind of signal can go into the first label.

I have no specific preference for "_signal" other than I don't know what a good alternative would be. Narrowing the scope with "_dnssec" doesn't seem to improve the situation.

Thanks,
Peter
+ Nils (for the "we"/author statements)


> Thank you.
> 
> Best regards,
> 
> David Dong
> IANA Services Sr. Specialist
> 
> On Mon Apr 22 11:42:15 2024, scott.rose@nist.gov wrote:
>> On 20 Apr 2024, at 19:38, Paul Wouters wrote:
>>
>>> On Sat, 20 Apr 2024, Peter Thomassen wrote:
>>>
>>>> The authors certainly don't insist, but we'd need to pick a suitable
>>>> replacement for the "_signal" label.
>>>>
>>>> John proposed "_dnssec-signal" elsewhere in this thread.
>>>>
>>>> The authors would like to note that adding "_dnssec-" eats up 8 more
>>>> bytes, increasing chances that bootstrapping will fail due to the
>>>> _dsboot.<domain-name>._dnssec-signal.<nsname> length limitation.
>>>> Other than this (unnecessary?) use case narrowing, this choice seems
>>>> fine.
>>>>
>>>> That said, does this choice address your concerns?
>>>
>>> It would, but I would also be okay if it is just _dnssec.
>>>
>>
>> If the concern is that the label is too generic, “_dnssec” might be
>> too generic as well. If it is to be more precise, go with _ds-boot or
>> something more specific to the use case. I don’t have an
>> implementation in the mix, so it this isn’t a strong opinion.   If the
>> group agrees _dnssec is fine, then I am fine with it too.
>>
>> Scott
>>
>> =====================================
>> Scott Rose
>> NIST/CTL/WND
>> scott.rose@nist.gov
>> ph: 301-975-8439
>> GoogleVoice: 571-249-3671
>> =====================================
> 

-- 
Like our community service? 💛
Please consider donating at

https://desec.io/

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525

v2.31.3 | Report a Bug | By Email | System Status