IETF Logo Mail Archive

[DNSOP]Re: [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)

"libor.peltan" <libor.peltan@nic.cz> Wed, 08 May 2024 17:41 UTC

Return-Path: <libor.peltan@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66446C1840CC for <dnsop@ietfa.amsl.com>; Wed, 8 May 2024 10:41:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bTx67qGw-czK for <dnsop@ietfa.amsl.com>; Wed, 8 May 2024 10:41:04 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49C64C17A743 for <dnsop@ietf.org>; Wed, 8 May 2024 10:41:03 -0700 (PDT)
Received: from [IPV6:2a00:1028:8384:7a:f2a9:cc53:f134:e0c0] (dynamic-2a00-1028-8384-007a-f2a9-cc53-f134-e0c0.ipv6.o2.cz [IPv6:2a00:1028:8384:7a:f2a9:cc53:f134:e0c0]) by mail.nic.cz (Postfix) with ESMTPSA id 014011C1381; Wed, 8 May 2024 19:40:59 +0200 (CEST)
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=libor.peltan@nic.cz smtp.mailfrom=libor.peltan@nic.cz
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1715190060; bh=ua2dpSS+Fqz+4EgxgSUA/qca7Y41apbezgp8Zl8ajRA=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Reply-To: Subject:To:Cc; b=sthhZqjs/tiJXfV7Ry02n6sx7qWTfze4CR7Uigf4ElhLLXcpX6SDORr61+TcpXEkc 7bale1Cr1teA2fxc2NcrKESLhzH7hEEzbq4rqzDskXl3NLe+Xrp2QBtD69iqzeFQNO s1+ecDUWMnmmWZqJnb6d3rsodh0yHljtpE1ac7Pk=
Message-ID: <f9a72bf1-d09d-414d-a0ff-46cefd9907cd@nic.cz>
Date: Wed, 08 May 2024 19:40:59 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Paul Wouters <paul@nohats.ca>, Peter Thomassen <peter@desec.io>
References: <rt-5.0.3-225992-1713566832-1739.1362913-9-0@icann.org> <647558F8-2FEF-4418-AE1C-3BDC3B22A89B@nohats.ca> <1cb4663f-9502-47db-a099-ce5147bb733e@desec.io> <94ea3a71-6c1c-10af-a71f-7cee34e8d0d4@nohats.ca>
Content-Language: en-US
From: "libor.peltan" <libor.peltan@nic.cz>
In-Reply-To: <94ea3a71-6c1c-10af-a71f-7cee34e8d0d4@nohats.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.103.10 at mail
X-Virus-Status: Clean
X-Spamd-Bar: -----
X-Spamd-Result: default: False [-5.09 / 20.00]; BAYES_HAM(-5.00)[100.00%]; MIME_GOOD(-0.10)[text/plain]; XM_UA_NO_VERSION(0.01)[]; RCVD_COUNT_ZERO(0.00)[0]; RCPT_COUNT_SEVEN(0.00)[9]; FROM_HAS_DN(0.00)[]; ASN(0.00)[asn:5610, ipnet:2a00:1028::/32, country:CZ]; ARC_NA(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; NEURAL_HAM(-0.00)[-0.817]; FUZZY_BLOCKED(0.00)[rspamd.com]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_SOME(0.00)[]
X-Rspamd-Action: no action
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: 014011C1381
Message-ID-Hash: FRY4YJ42RR5OUVDYSPD3DTQKIIZCMMTI
X-Message-ID-Hash: FRY4YJ42RR5OUVDYSPD3DTQKIIZCMMTI
X-MailFrom: libor.peltan@nic.cz
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: drafts-expert-review-comment@iana.org, nils@desec.io, dnsop@ietf.org, Oli Schacher <oli.schacher@switch.ch>, Q Misell <q@as207960.net>, Christian Elmerot <christian@elmerot.se>, Daniel Salzman <daniel.salzman@nic.cz>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP]Re: [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YOa7SeZObXLkHT4abPuHYpoZaII>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi all,

On the other hand, couldn't it actually be beneficial if the signalling 
zone name is generic enough, and if (in theory on the future) it is 
shared with possibly completely different signals, possibly unrelated to 
DNSSEC?

With this in mind, I support the signalling label _signal. Otherwise, I 
would prefer something of comparable (or even lower) length, not like 
_dnssec-signal.

Libor

Dne 21. 04. 24 v 1:38 Paul Wouters napsal(a):
> On Sat, 20 Apr 2024, Peter Thomassen wrote:
>
>> The authors certainly don't insist, but we'd need to pick a suitable 
>> replacement for the "_signal" label.
>>
>> John proposed "_dnssec-signal" elsewhere in this thread.
>>
>> The authors would like to note that adding "_dnssec-" eats up 8 more 
>> bytes, increasing chances that bootstrapping will fail due to the 
>> _dsboot.<domain-name>._dnssec-signal.<nsname> length limitation. 
>> Other than this (unnecessary?) use case narrowing, this choice seems 
>> fine.
>>
>> That said, does this choice address your concerns?
>
> It would, but I would also be okay if it is just _dnssec.
>
>> The main question then is to get implementations updated. I'm thus 
>> copying a few implementers so they can comment w.r.t. making this 
>> change in their implementation. I suppose that barring their 
>> objections, it's fine to go ahead?
>
> I feel less sympathy there because I brought this up a long time ago :)
> But also, implementations are all young and new and I think it is still
> pretty easy to change.
>
> Paul
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.30.2 | Report a Bug | By Email | System Status