[DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.

Michael StJohns <msj@nthpermutation.com> Mon, 26 August 2024 11:52 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3651C169403 for <dnsop@ietfa.amsl.com>; Mon, 26 Aug 2024 04:52:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DeyupaMqG9pi for <dnsop@ietfa.amsl.com>; Mon, 26 Aug 2024 04:52:29 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89B82C169405 for <dnsop@ietf.org>; Mon, 26 Aug 2024 04:52:29 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id d75a77b69052e-44feaa08040so25313001cf.2 for <dnsop@ietf.org>; Mon, 26 Aug 2024 04:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1724673148; x=1725277948; darn=ietf.org; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:from:to:cc:subject:date:message-id :reply-to; bh=wbwCfa2RYPsUs9oE4yAFZGJ6+D4D8ZfGNJ9aVpffwd8=; b=qQ4is++xy6oZalHF/dVjRrX/Tvl7cc2vUUQZmv674eL7M5oAmf1Jd0nLCMU/cn4JWM UHm0Ld+hMtB/jkKAuV64tYmUUL+wNCTM0cZwKxNKViZdQ104RqJWPZXyS1TzsHn2aNKG 1mzo5/fr3xVYL2NxxcXuvB3NGyghHKvMvMLwiX97S9dSGqEIJdvC0trqrpFi8XZtGlEB k6mKXl9EppaUbBPYNjQcG9x9viXfkQX8y+F6WYxwMtjzggBiMjM28W4JALdQL9ltw2SV hnxGi08PWqVZWuKzMLpjtLlfldtjjaVwcDbvNuhCJAlEwo17JlGFt+3OO8jVCPbdghRA Y6Kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724673148; x=1725277948; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=wbwCfa2RYPsUs9oE4yAFZGJ6+D4D8ZfGNJ9aVpffwd8=; b=FeGrBSVL6JilPa0nhHgyJDsIbdMNsIwxyFgxmuMig3XSydL41LGBRhfoY8VqLqLZEx p7PB2J2bRH7N/XQlPV9YxXkJk2xLtzxZET8LNVu9psWxPUgCBLJ4pqFBhG3DMCIaYls+ eoPIkh4YBki+22UpqgtnlJL8YFwTutWO2rNz72xoDWdqXvF7FeOZP3dYefC3DaIWhzk4 DY0RPBOavLH1IWl64EN+6TP400ISnlA6007cuMoe/qz3wfmMtE0oGHYuhelO2kfylJY9 2qkanpFi6HYYwFe/HFaSoxTRUGNf+fo1HOeadmPPtT4ZGkUA7AbfxRw75y2DKAEiJKe/ sBZw==
X-Gm-Message-State: AOJu0YwqU5spTaVCNI0M1GREH+NTBBjTFXp+F2f663QkYfdCk+7oSZ4E Qjkj+V0rch/E3N5KLaLekdTpQMvEoNPLxPSd8z/iUBmK2a68D64O9J0ARcRdLaeUqIMgnp+eIPA U
X-Google-Smtp-Source: AGHT+IHVAcgAT5QK5BCbFOxsBoIhfPhiLUmI86ywUHNnt31LMIKYuhEXJ5VsTdyx5pMT3xPdU/QRig==
X-Received: by 2002:a05:622a:5805:b0:454:e91d:486f with SMTP id d75a77b69052e-4550965d9e6mr130481811cf.29.1724673147527; Mon, 26 Aug 2024 04:52:27 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-454fe1cd19fsm41710631cf.97.2024.08.26.04.52.25 for <dnsop@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 26 Aug 2024 04:52:25 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------VD0G6qeXVTZ1OQoh90s0k0LI"
Message-ID: <0828625d-680c-4688-9085-9a4bb5dc25c5@nthpermutation.com>
Date: Mon, 26 Aug 2024 07:52:24 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: dnsop@ietf.org
References: <CAHw9_iL-ZwwA_pckR+=7SndOvqjfcNX9FjZ9Bim24uSYgTxkyw@mail.gmail.com> <98896B9D-259E-4E46-8DC7-E873D8B25F55@icann.org> <d9aed09d-b1c8-4ba1-9d4e-e83d504bfe40@nthpermutation.com> <65A596AD-1A4F-400A-9404-E2D60A54BE66@icann.org> <36118f44-d18d-443b-8aa8-007b8b62db3f@nthpermutation.com> <49523BCB-7747-44A2-97FA-8F46B238B4E0@icann.org> <6b19942a-1392-47ac-8a50-1520713f2140@nthpermutation.com> <3ABBFB63-4953-4F9D-97C7-A31276496200@gmail.com> <CAHw9_iJwnDS5APdk2-dHXSHW_UJaL0kqRbvTEzF3aXxwNFLmPw@mail.gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <CAHw9_iJwnDS5APdk2-dHXSHW_UJaL0kqRbvTEzF3aXxwNFLmPw@mail.gmail.com>
Message-ID-Hash: PCGMMKQXKIIH3PJ2IG2RCUFQYKCSKKWB
X-Message-ID-Hash: PCGMMKQXKIIH3PJ2IG2RCUFQYKCSKKWB
X-MailFrom: msj@nthpermutation.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Yfp8XMp3lBgjcQUsHPS84Ui9eI0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Warren -

Inline -

On 8/21/2024 6:12 PM, Warren Kumari wrote:
>
>
>
>
> On Wed, Aug 21, 2024 at 10:28 AM, Edward Lewis 
> <eppdnsprotocols@gmail.com> wrote:
>
>     On Aug 20, 2024, at 20:42, Michael StJohns <msj@nthpermutation.com
>     <mailto:msj@nthpermutation.com>> wrote:
>
>     ... trimmed ...
>
>     But this document is not a pure protocol-defining document, it is
>     an operational process document. As such, it ought to be more
>     concrete. That is, if the goal is to describe the entirety of
>     distributing the trust anchors.
>
>
> I do not believe that that is the goal, nor should it be.

I don't believe the goal  of this document is  to describe the process 
that the IANA uses to create, service and revoke TAs, but to simply 
describe the format by which the public can be informed of a set of TAs 
that exist at a particular time.  Unfortunately, the content of the 
document does not limit itself to this.


>
> From the Abstract:
> "This document describes the format and publication mechanisms IANA 
> uses to distribute the DNSSEC trust anchors."
> and Introduction:
> "The publication of trust anchors for the root zone of the DNS is an 
> IANA function performed by ICANN, through its affiliate Public 
> Technical Identifiers (PTI). A detailed description of corresponding  
> key management practices can be found in [DPS].
>
> This document describes the formats and distribution methods of DNSSEC 
> trust anchors that is used by IANA for the root zone of the DNS.  
> Other organizations might have different formats and mechanisms for 
> distributing DNSSEC trust anchors for the root zone; however, most 
> operators and software vendors have chosen to rely on the IANA  trust 
> anchors.
>
> The formats and distribution methods described in this document are a 
> complement to, not a substitute for, the automated DNSSEC trust anchor 
> update protocol described in [RFC5011]."
>
> This document describes the "format and publication mechanisms IANA 
> uses", not "this is what we believe that the IANA should do" - there 
> are other venues for that discussion.
>
If only this were the case.  You've quoted the abstract - but it helps 
to get into the fine print.    This document goes past the "format and 
mechanisms" of publication and into directing behavior of both the 
recipients and the IANA.

First - there's this part of section 2.2.  Part of this was in RFC7958 - 
but has been rewritten in a manner that appears reflects IANA practice 
and not DNSSEC protocol behavior.  E.g.  the "change to a trust anchor" 
language here does not accurately reflect the DNSSEC protocol behavior. 
Relying parties can, may and do use any un-revoked trust anchor to chain 
signatures for current RR sets rather than changing from one TA to another.

As I mentioned in other emails, validFrom and validUntil should be read 
more as "we expect to start signing with this key on or about validFrom 
and continue to use this key until validUntil.  No language in this 
document should be read as prohibiting chaining to an unrevoked trust 
anchor key regardless of the relationship to the "validFrom" or 
"validUntil" dates.  In otherwords, someone reading this should take the 
information as a snapshot of what the IANA believes are the current set 
of trust anchors and what the public should understand about IANA's 
plans for those trust anchors.

>     The validFrom and validUntil attributes in the KeyDigest element
>     specify the range of times that the KeyDigest element can be used as
>     a trust anchor.
>
>     Note that the validUntil attribute of the KeyDigest element is
>     optional.  If the relying party is using a trust anchor that has a
>     KeyDigest element that does not have a validUntil attribute, it can
>     change to a trust anchor with a KeyDigest element that does have a
>     validUntil attribute, as long as that trust anchor's validUntil
>     attribute is in the future and the KeyTag, Algorithm, DigestType, and
>     Digest elements of the KeyDigest are the same as the previous trust
>     anchor.
>
>     Relying parties SHOULD NOT use a KeyDigest outside of the time range
>     given in the validFrom and validUntil attributes.

"can be used as a trust anchor" appears to be telling the relying party 
that irrespective of the live content of the DNS, keys must not be used 
outside of this range.  "SHOULD NOT" is a protocol directive, not merely 
a "here's what we're doing" note and should not be present in this 
document without a whole lot of other discussion on what it means to the 
relying parties.

Section 3.3 has this:

>     A KeyDigest element can contain both a Digest and a publickeyinfo
>     named pattern.  If the Digest element would not be a proper DS record
>     for a DNSKEY record represented by the publickeyinfo named pattern,
>     relying parties MUST NOT use that KeyDigest as a trust anchor.

The MUST NOT here is misleading and confusing and under described.  For 
example, what happens if these disagree, but then we start seeing 
something that matches the public key in the root DNSKEY RRSet?  Or we 
see a valid public key in the DNSKEY RR set that chains to the hash?  
The language for the new element needs work to clarify what happens if 
IANA gets this wrong.   Instead: "It is IANA's intent that these two 
values should match.  Please notify IANA if you find any mismatch in 
these related items in a published file."  is probably what should be 
here rather than the above.


Lastly - section 5 has this as new text differing from the previous RFC:

>     When a trust anchor that was previously published is no longer
>     suitable for use, IANA MUST update the trust anchor document
>     accordingly by setting a validUntil date for that trust anchor.  The
>     validUntil attribute that is added MAY be a date in the past or in
>     the future, depending on IANA's operational choices.

This seems to be creating a pseudo-revocation mechanism by overloading 
what they originally meant by "validUntil".   As mentioned above, this 
is directive both to the IANA and has protocol implications related to 
the section 2.2 text.   If you want to signal revocation of a TA in this 
file, use the 5011 mechanism and provide a signed revoked key here 
instead of this.

  Finally, section 2 needs:

"Unless there are countervailing operational needs, IANA plans to 
include in the published XML file all trust anchors for the root zone 
that are currently under management by IANA as of the time of 
publication of that file instance."    Right now, this is a collection 
of data points lacking some context of how they were selected for the file.

And perhaps:

"IANA intends on updating this file at least annually, and in any case 
at least 6 months in advance of signing with a new trust anchor key."


>     The document could be here to just present the marshaling of the
>     trust anchor materials - describing the syntax as it does -
>     leaving the interpretation up to the writer (IANA) and reader
>     (relying parties).
>
>     Maybe this document ought to just describe what’s in the file.
>     Maybe this document ought to expand to include rules for relying
>     on the document as Mike suggests.
>
>
> This is a -bis to RFC7958, and the changes are intentionally 
> relatively minor - see Section "1.2.  Changes from RFC 7958".  A 
> document  providing more rules and checks and processes and algorithms 
> and advice for implementers and operators ingesting the trust anchors 
> would be a fine document to write — but it is (to me) clearly a 
> different document to this one.
> Just like RFC7958 this has some operational warnings, but does at it 
> says "A validator operator can choose whether or not to accept the 
> trust anchors described in this document using whatever policy they want."
>
> This is just a cleanup document - let's get this shipped so that the 
> IANA can publish new TAs in a better format.

See above - it really has greater operational implications than just 
cleanup.

I'd be happy if they backed out all of the MUST or MUST NOT guidance and 
left this solely as a data format document with some clarification for 
the meanings as above.  But it needs work before publication. Even the 
escape clauses conflict!

Later, Mike

  ps - one last question.  Does the IETF publish XML schemas for easy 
retrieval?  If so, it might be useful to do so with this schema and 
reference it from within the TA xml document.


>
>     I’m not decided on this, frankly I need to go over the thread
>     again. But its going to be a debate over whether this document is
>     only about marshaling the trust anchors or it is about managing
>     the trust anchors.
>
>
> Managing the trust anchors is (luckily!) not this documents purpose. 
> The TA's management is IANAs job, and it's a hairy one — this document 
> isn't the place to do it…
>
> My initial email in this thread said:
> "As this required a change to the XML syntax, I'd like to get the 
> DNSOP WGs review / feedback on these changes.
>
> The IANA is eagerly awaiting this becoming a standard so that they can 
> update their trust anchor with the DNSKEY material - so, if you have 
> any strong objections to these changes, please let me know by end of 
> day (anywhere!) on Aug 18th."
>
> I encourage people to write an "implementation considerations for 
> trusting a new TA" document, and / or advice to the IANA on managing 
> the TA(s), succession planning, etc… but again, that is not this 
> document. It **could** even be a rfc7958bis-bis, but I feel it is a 
> much larger topic and would start from scratch.
>
> I think that we are falling into the perfect becoming the enemy of the 
> good enough. We can always bis this document in the future and / or 
> publish a more comprehensive document, but for now I think that this 
> is good enough to progress.
>
> Thank you very much everyone for the review and feedback,
> W
>
>
>
>
>     _______________________________________________
>     DNSOP mailing list -- dnsop@ietf.org <mailto:dnsop@ietf.org>
>     To unsubscribe send an email to dnsop-leave@ietf.org
>     <mailto:dnsop-leave@ietf.org>
>
>
>
>
> _______________________________________________
> DNSOP mailing list --dnsop@ietf.org
> To unsubscribe send an email todnsop-leave@ietf.org