Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-roadblock-avoidance-02.txt

"Rose, Scott W." <scott.rose@nist.gov> Fri, 10 July 2015 18:00 UTC

From: "Rose, Scott W." <scott.rose@nist.gov>
To: dnsop <dnsop@ietf.org>
Date: Fri, 10 Jul 2015 13:59:57 -0400
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-roadblock-avoidance-02.txt
In-Reply-To: <203540E9-EA8F-4196-A270-146636D28473@ogud.com>
References: <20150701124942.19096.25848.idtracker@ietfa.amsl.com> <CBCE3DD4-A5CA-4C54-8AB1-2AF3D6E28B43@ogud.com> <5593EBC0.9010106@gmail.com> <203540E9-EA8F-4196-A270-146636D28473@ogud.com>
Message-ID: <501C4619-EE58-4430-8BD3-0331F5F2AEF8@nist.gov>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/ZlwT62HByYzhNSqkmBBiJHLWE6g>

In general I support this document, with some minor comments below:


Abstract:
s/approache/approach


Section 1.1
2nd paragraph:
s/recomendations/recommendations

"it" is repeated twice in the sentence starting: "While these recomendations
   are mainly aimed at Host Validators it it..."

s/Validatating/Validating

Last paragraph:
s/directy/directly

"...can not talk directy to a Resolver
   the tests below do not address how to overcome that."

missing a semicolon?  Or "...Resolver. The tests below..." Don't know for sure but sounds strange the way it is currently.

Also, the paragraph talks about users, but maybe "applications" would be more appropriate since the end user may not be aware of or care about proxies.  The meaning is clear though so I can live with the current wording.

Section 1.2.
2nd paragraph:
	s/digiest/digest

Section 3
Title: 
	s/Compilance/Compliance

2nd paragraph
	s/assumtption/assumption

3rd paragraph:
	not a huge fan of the salty language since the goal should be to fix broken middleboxes and not just call them crap and move on.  Also, might want to mention that middleboxes can also cause strange behavior with some authoritative servers but that this should not necessarily change the rank/use of a recursive resolver.  In other words, just because some queries start returning bad or strange results, that should not be used to change the rank/preference of the recursive resolver unless it happens with multiple queries.

Section 3.1.5
While the test for the AD bit gives the host information about the validating status of the upstream resolver, it really doesn't give full information about what trust anchors are in use.  This might become an issue with split DNS, which isn't mentioned.  I know the authors don't want to get stuck in that quagmire, but it exists and will need to be acknowledged (since it can't be solved).


Scott


On Jul 1, 2015, at 10:12 AM, Olafur Gudmundsson <ogud@ogud.com> wrote:

>> 
>> On Jul 1, 2015, at 9:31 AM, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>> 
>> 
>> Thanks Olafur.  The Working Group should discuss this as it was originally planned to go into a Working Group Last Call.  It can still be taken in this direction.
>> 
>> tim
>> 
>> 
> Tim
> We request a WGLC on the document
> 
> 	Olafur
> 
>> On 7/1/15 8:52 AM, Olafur Gudmundsson wrote:
>>> This version is a final version from the editors.
>>> We explicitly punt on explaining how to overcome the situation when a 'proxy/forwarder' "randomly" sends queries to
>>> Resolvers with different capabilities.
>>> 
>>> Olafur
>>> 
>>>> On Jul 1, 2015, at 8:49 AM, internet-drafts@ietf.org wrote:
>>>> 
>>>> 
>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>> This draft is a work item of the Domain Name System Operations Working Group of the IETF.
>>>> 
>>>>       Title           : DNSSEC Roadblock Avoidance
>>>>       Authors         : Wes Hardaker
>>>>                         Olafur Gudmundsson
>>>>                         Suresh Krishnaswamy
>>>> 	Filename        : draft-ietf-dnsop-dnssec-roadblock-avoidance-02.txt
>>>> 	Pages           : 16
>>>> 	Date            : 2015-07-01
>>>> 
>>>> Abstract:
>>>>  This document describes problems that a DNSSEC aware resolver/
>>>>  application might run into within a non-compliant infrastructure.  It
>>>>  outline potential detection and mitigation techniques.  The scope of
>>>>  the document is to create a shared approache to detect and overcome
>>>>  network issues that a DNSSEC software/system may face.
>>>> 
>>>> 
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-roadblock-avoidance/
>>>> 
>>>> There's also a htmlized version available at:
>>>> https://tools.ietf.org/html/draft-ietf-dnsop-dnssec-roadblock-avoidance-02
>>>> 
>>>> A diff from the previous version is available at:
>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dnssec-roadblock-avoidance-02
>>>> 
>>>> 
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>> 
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>> 
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>> 

===================================
Scott Rose
NIST
scott.rose@nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
https://www.had-pilot.com/
===================================
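The AD-bit test discussed under Section 3.1.5, together with the point made under Section 3 that one odd answer should not change a resolver's rank, as an added example that is not part of the draft or of any message in this thread. It is stdlib-only Python working on raw DNS wire format: a query with RD=1 and an EDNS0 OPT RR carrying DO=1, a header parser, a per-reply classifier, and a resolver assessment that only demotes after several distinct names misbehave. The `.test` names, the `make_response` helper that fabricates replies in-line, and the `min_failures` threshold are assumptions for illustration, so nothing here touches the network.

```python
"""DNSSEC roadblock-style checks on raw DNS messages (added example).

Builds a query with RD=1 and an EDNS0 OPT RR carrying the DO bit, parses the
12-byte header of the reply, and applies two checks from the thread: does the
resolver set AD (it validates), and demote a resolver only when several distinct
test names misbehave.  Replies are constructed in-line (make_response), so
nothing touches the network; the .test names are placeholders, not real zones.
"""
import struct

QTYPE_A, QTYPE_OPT = 1, 41
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
# Header flag bits: RFC 1035 s4.1.1; AD and CD added by RFC 4035.
F_QR, F_TC, F_RD, F_RA, F_AD, F_CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, txid, qtype=QTYPE_A, do=True, cd=False):
    """Recursive query plus an OPT RR (RFC 6891) whose DO bit asks for DNSSEC RRs."""
    flags = F_RD | (F_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, "class" = UDP payload size, ext-rcode, version,
    # 16-bit flags with DO as the top bit, empty RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", QTYPE_OPT, 4096, 0, 0,
                                0x8000 if do else 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the fixed 12-byte header; the other sections are not needed here."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & F_QR), "tc": bool(flags & F_TC),
            "rd": bool(flags & F_RD), "ra": bool(flags & F_RA),
            "ad": bool(flags & F_AD), "cd": bool(flags & F_CD),
            "rcode": flags & 0x000F, "counts": (qd, an, ns, ar)}


def classify(resp, txid):
    """One reply -> 'validated' (AD=1), 'unvalidated', 'servfail' or 'mismatch'.
    AD=1 only says the resolver validated against *its* trust anchors; it does
    not tell the host which anchors those are (the split-DNS caveat)."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "mismatch"          # not our answer; never count it as a failure
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if h["rcode"] != RCODE_NOERROR:
        return "rcode-%d" % h["rcode"]
    return "validated" if h["ad"] else "unvalidated"


def assess_resolver(results, min_failures=2):
    """results: [(kind, classification)] over distinct names; kind is 'signed'
    (a validator answers AD=1) or 'bogus' (a validator answers SERVFAIL).
    Returns (profile, demote); demote is True only when at least min_failures
    names deviate, so one middlebox-mangled answer does not change the rank."""
    signed = [obs for kind, obs in results if kind == "signed"]
    bogus = [obs for kind, obs in results if kind == "bogus"]
    if not signed:
        raise ValueError("need at least one signed test name")
    if signed.count("validated") * 2 >= len(signed):
        want_signed, want_bogus, profile = "validated", "servfail", "validating"
    else:  # a non-validator never sets AD and passes bogus data through
        want_signed, want_bogus, profile = "unvalidated", "unvalidated", "non-validating"
    deviants = sum(o != want_signed for o in signed) + sum(o != want_bogus for o in bogus)
    return profile, deviants >= min_failures


def make_response(query, rcode, ad, ra=True):
    """Constructed reply (assumption for the demo): echoes id and question, sets
    QR/RD/RA and optionally AD, carries no RRs (enough for header-only checks)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = F_QR | F_RD | (F_RA if ra else 0) | (F_AD if ad else 0) | (rcode & 0xF)
    qend = query.index(b"\x00", 12) + 1 + 4   # past name terminator, qtype, qclass
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:qend]


def demo():
    """One probe round against a validator behind a middlebox that mangles a
    single answer: three signed placeholder names, one deliberately bogus one."""
    probes = [("signed", "signed-a.test.", RCODE_NOERROR, True),
              ("signed", "signed-b.test.", RCODE_NOERROR, True),
              ("signed", "signed-c.test.", RCODE_NOERROR, False),  # AD stripped
              ("bogus", "bogus.test.", RCODE_SERVFAIL, False)]
    results = []
    for i, (kind, name, rcode, ad) in enumerate(probes):
        q = build_query(name, txid=0x1000 + i)
        results.append((kind, classify(make_response(q, rcode, ad), 0x1000 + i)))
    return assess_resolver(results)
```

`demo()` returns `("validating", False)`: the resolver profile is validating and the single stripped-AD answer is recorded but does not demote it; a second deviant name would. To use the same functions against a live resolver, send `build_query(...)` over UDP and feed the bytes you get back to `classify`, keeping in mind that a mismatched transaction id or a response with QR=0 is discarded rather than counted as a failure.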