Re: [DNSOP] WGLC for draft-ietf-dnsop-zoneversion

George Michaelson <> Thu, 27 April 2023 04:30 UTC

From: George Michaelson <>
Date: Thu, 27 Apr 2023 14:29:50 +1000
To: dnsop <>

I've read this draft.

I think it's a simple and straightforward proposal. It explicitly notes
the security issue that it's not covered by DNSSEC, it has
implementations, and it had a good discussion run in 2021/2022 which was
overwhelmingly positive.

I had no problems understanding the intent. It's really clear and

It's a debug tool. It isn't going to be something I expect to use, but
I like the idea that if something goes awry in the responses I am seeing,
I can ask the authority to tell me what SOA serial I should expect to
see that has the response state they're giving me for the specific
query. That's distinct from ZONEMD, which is a DNSSEC-signed state of an
entire zone (assuming it can be done), which is a different class of
check on zone state related to serial. I like both. They're different.
That said, you COULD point to ZONEMD in this one in the security
considerations, but I wouldn't make it normative. It's just another way
to check the state of a zone.

The non-transitive thing is about the only point of "well...", but
it's unsigned data: how could you trust it, if you can't verify through
a third (transiting) party? And the draft says this: it's undefined.

I truly think this is that very rare bird: "looks good to me ship it"
in 2 WG adopted draft edits.

On Thu, Apr 27, 2023 at 1:08 PM Suzanne Woolf <> wrote:
> Colleagues,
> This email begins a Working Group Last Call for draft-ietf-dnsop-zoneversion-02 (
> If you've reviewed this document and think it's ready for publication, please let us and the WG know, by responding on-list to this message. We particularly need to hear from implementers and operators whether this EDNS option is implementable and useful.
> If you don't think it's ready, and have specific concerns or suggestions, please let us know about those too.
> The Last Call will be two weeks, ending on Thursday 11 May.
> Thanks to everyone who's offered comments and suggestions on the draft to date.
> Suzanne, Tim, and Benno
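One way to exercise the check George describes above (ask the authority which SOA serial goes with the answer it gave, and compare), as an added example that is not part of this thread, of the draft, or of the draft's reference implementations. It assumes the option code (19) and the LABELCOUNT/TYPE/VERSION wire layout that were later published in RFC 9660; the -02 draft under last call predates that assignment, so treat both as assumptions. The sample OPT RDATA, zone name and serial below are constructed. The "unverified" result reflects the unsigned, non-transitive point in the message: a ZONEVERSION value that did not come straight from the authoritative server is not compared at all.

```python
"""Encode, decode and sanity-check the ZONEVERSION EDNS option (added example)."""
import struct

# Assumption: option code 19 and the LABELCOUNT/TYPE/VERSION layout are those
# later published in RFC 9660; draft-ietf-dnsop-zoneversion-02 predates them.
ZONEVERSION_CODE = 19
TYPE_SOA_SERIAL = 0


def encode_zoneversion(labelcount=None, version_type=TYPE_SOA_SERIAL, serial=None):
    """Build one EDNS option as code | length | data.

    With no arguments it builds the empty option a client sends to ask for
    ZONEVERSION; with arguments it builds the authority's reply.
    """
    if serial is None:
        data = b""
    else:
        data = struct.pack("!BBI", labelcount, version_type, serial)
    return struct.pack("!HH", ZONEVERSION_CODE, len(data)) + data


def parse_edns_options(rdata):
    """Split OPT RDATA into (code, data) pairs; raise on truncated input."""
    options = []
    pos = 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if len(rdata) - pos < length:
            raise ValueError("truncated EDNS option data")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def decode_zoneversion(data, qname):
    """Decode a ZONEVERSION reply; LABELCOUNT is taken relative to the QNAME."""
    if len(data) < 2:
        raise ValueError("ZONEVERSION reply too short")
    labelcount, version_type = struct.unpack_from("!BB", data, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    if labelcount > len(labels):
        raise ValueError("LABELCOUNT exceeds QNAME label count")
    zone = ".".join(labels[len(labels) - labelcount:]) + "." if labelcount else "."
    if version_type != TYPE_SOA_SERIAL:
        # Unknown TYPE: hand the raw VERSION bytes back rather than guess.
        return {"zone": zone, "type": version_type, "version": data[2:]}
    if len(data) != 6:
        raise ValueError("SOA-SERIAL version must be exactly 4 octets")
    (serial,) = struct.unpack_from("!I", data, 2)
    return {"zone": zone, "type": version_type, "serial": serial}


def check_zoneversion(options, qname, soa_serial, from_authority):
    """Compare the ZONEVERSION serial with the SOA serial seen in the answer.

    The option is unsigned and non-transitive, so a value relayed through a
    resolver (from_authority=False) is reported as "unverified", not trusted.
    """
    for code, data in options:
        if code != ZONEVERSION_CODE:
            continue
        if not from_authority:
            return "unverified"
        info = decode_zoneversion(data, qname)
        if info.get("serial") == soa_serial:
            return "match"
        return "mismatch"
    return "absent"


# Constructed sample: OPT RDATA carrying an NSID option (code 3, "ns01") and a
# ZONEVERSION reply for www.example.com: zone example.com (2 labels),
# SOA-SERIAL 2023042701.
SAMPLE_RDATA = (
    struct.pack("!HH", 3, 4) + b"ns01"
    + encode_zoneversion(2, TYPE_SOA_SERIAL, 2023042701)
)

if __name__ == "__main__":
    opts = parse_edns_options(SAMPLE_RDATA)
    print(decode_zoneversion(opts[1][1], "www.example.com."))
    print(check_zoneversion(opts, "www.example.com.", 2023042701, True))
```

Run it against a live authority by putting the empty option from `encode_zoneversion()` in your query's OPT record, then feeding the OPT RDATA of the reply plus the SOA serial you observe into `check_zoneversion`; a "mismatch" means the answer you got and the serial the authority claims for it disagree, which is exactly the debugging signal the message is after.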