[DNSOP] Re: [Ext] Working Group Last Call for draft-ietf-dnsop-rfc7958bis
James Mitchell <james.mitchell@iana.org> Wed, 26 June 2024 20:31 UTC
Return-Path: <james.mitchell@iana.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33C11C14F5FF; Wed, 26 Jun 2024 13:31:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.107
X-Spam-Level:
X-Spam-Status: No, score=-4.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A4h56iI15B8G; Wed, 26 Jun 2024 13:31:53 -0700 (PDT)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F2BEC14F5FA; Wed, 26 Jun 2024 13:31:52 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa4.dc.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 45QKQJJQ021430 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 26 Jun 2024 13:26:20 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Wed, 26 Jun 2024 13:31:49 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1258.034; Wed, 26 Jun 2024 13:31:49 -0700
From: James Mitchell <james.mitchell@iana.org>
To: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] Working Group Last Call for draft-ietf-dnsop-rfc7958bis
Thread-Index: AQHawmZ+G5hvhFwE+EaUkwEVgD1sRrHaivCA
Date: Wed, 26 Jun 2024 20:31:49 +0000
Message-ID: <879F4E56-9939-4C57-A597-9BB113F92C0D@iana.org>
References: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com>
In-Reply-To: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: multipart/alternative; boundary="_000_879F4E5699394C57A5979BB113F92C0Dianaorg_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-26_13,2024-06-25_01,2024-05-17_01
Message-ID-Hash: GOCUWKLV7JOEIBNXWGLT6WYIXFZUZDS7
X-Message-ID-Hash: GOCUWKLV7JOEIBNXWGLT6WYIXFZUZDS7
X-MailFrom: james.mitchell@iana.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop-chairs <dnsop-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Working Group Last Call for draft-ietf-dnsop-rfc7958bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_7iRnVZS4PHPvE0hpr33soOCjLE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
All, Please find my comments below. The draft introduces a new optional field PublicKey without providing a versioning mechanism - both current and new formats are retrieved from the same path. I have reviewed a few publicly available parsers and did not identify any obvious issues that could arise following the addition of the PublicKey element (implementations appear to key of element/tag names, concerns if any, could be memory management with the larger and unused PublicKey CDATA). I do not believe versioning is required on the understanding that IANA may revert to the previous version if necessary - there appear to be a few clients with operational dependencies on the file. Looking ahead to the addition of the PublicKey element, we discussed whether to publish the PublicKey element for historical TAs and whether we would remove the PublicKey for future-historical TAs. While we have not formalized plans, can we assume these are operational decisions to be made by IANA? If so, does the draft require text to clarify that the PublicKey may be present for some KeyDigests and that the element may be removed if previously present? A few editorial comments: The introduction says: This document describes the formats and distribution methods of DNSSEC trust anchors that have been used by IANA for the root zone of the DNS since 2010. This is not quite true given a format with the publicKey element was not possible back in 2010. The following sentence is difficult to read: If the relying party is using a trust anchor that has a KeyDigest element that does not have a validUntil attribute, it can change to a trust anchor with a KeyDigest element that does have a validUntil attribute, as long as that trust anchor's validUntil attribute is in the future and the DNSKEY elements of the KeyDigest are the same as the previous trust anchor. I think it can be removed entirely - text regarding duration of use is covered in a prior sentence - and I'm not sure what it adds. My problems with this are: 1) one does not "change to a trust anchor" following the addition of a (future?) validUntil attribute - it is the same trust anchor; 2) the "it" in "it can change" is difficult to understand, in part because of the prior issue and because it is the validUntil that is changing; 3) DNSKEY elements is not defined - it should not be the (optional) PublicKey which is most definitely a DNSKEY element. Section 2.4 Converting to DNSKEY records - A DNSKEY constructed from the KeyDigest will fail to match a published DNSKEY when the REVOKE bit is set - this doesn't create an issue for this protocol but may cause confusion during a rollover. It might be clearer to say something to the effect of the file does not provide values for DNSKEY protocol or flags - for the purpose of this mechanism, clients can assume valid trust anchors will be for protocol 3 and that the ZONE and SEP flag bits will be set. Thanks, James Mitchell Director IANA Technical Services From: Tim Wicinski <tjw.ietf@gmail.com> Date: Wednesday, June 19, 2024 at 9:34 AM To: dnsop <dnsop@ietf.org> Cc: dnsop-chairs <dnsop-chairs@ietf.org> Subject: [Ext] [DNSOP] Working Group Last Call for draft-ietf-dnsop-rfc7958bis All The authors have updated the document based on some early reviews. Since this is an update from the original RFC7958, I urge folks to take a look at the diff from the original: https://author-tools.ietf.org/iddiff?url1=rfc7958&url2=draft-ietf-dnsop-rfc7958bis-02&difftype=--html [author-tools.ietf.org]<https://urldefense.com/v3/__https:/author-tools.ietf.org/iddiff?url1=rfc7958&url2=draft-ietf-dnsop-rfc7958bis-02&difftype=--html__;!!PtGJab4!-2_NDARJKP32eDL1vVFs5XXCAM9r8FoSOQvGTWqEgZO2-MrAcn2mKA-1O1nu3UJgSeAoYSvJyIIL8HJ0J_VJGUcACAA$> This starts a Working Group Last Call for: draft-ietf-dnsop-rfc7958bis "DNSSEC Trust Anchor Publication for the Root Zone" Current versions of the draft is available here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/ [datatracker.ietf.org]<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/__;!!PtGJab4!-2_NDARJKP32eDL1vVFs5XXCAM9r8FoSOQvGTWqEgZO2-MrAcn2mKA-1O1nu3UJgSeAoYSvJyIIL8HJ0J_VJ2oggHbI$> The Current Intended Status of this document is: Informational Benno will be the document shepherd Please review the draft and offer relevant comments. For WGLC, we need positive support and constructive comments; lack of objection is not enough. So if you think this draft should be published as an RFC, please say so. If you feel the document is *not* ready for publication, please speak out with your reasons. This starts a two week Working Group Last Call process, and ends on: July 3rd, 2024 thanks tim
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- [DNSOP] Re: [Ext] Working Group Last Call for dra… James Mitchell
- [DNSOP] Re: Working Group Last Call for draft-iet… Tim Wicinski
- [DNSOP] Re: [Ext] Working Group Last Call for dra… Paul Hoffman
- [DNSOP] Re: Working Group Last Call for draft-iet… John R Levine
- [DNSOP] Re: Working Group Last Call for draft-iet… Florian Obser
- [DNSOP] Re: Working Group Last Call for draft-iet… Peter Thomassen
- [DNSOP] Re: Working Group Last Call for draft-iet… Ben Schwartz
- [DNSOP] Re: [Ext] Re: Working Group Last Call for… Paul Hoffman
- [DNSOP] Re: [Ext] Working Group Last Call for dra… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Working Group Last Call for… Paul Hoffman
- [DNSOP] Re: Working Group Last Call for draft-iet… Tim Wicinski
- [DNSOP] Re: [Ext] Re: Working Group Last Call for… Peter Thomassen
- [DNSOP] Re: [Ext] Re: Working Group Last Call for… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Working Group Last Call for… Paul Hoffman