Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

Warren Kumari <warren@kumari.net> Mon, 26 March 2018 20:46 UTC

In-Reply-To: <f487d60c-6240-e464-90cf-482c74cc8a9d@nic.cz>
References: <83786E94-ABCA-43F9-A038-F8F61C93E797@isc.org> <CA011081-234B-4D9D-A400-EE637141CDEC@isc.org> <CAHw9_i+EYXLtK+iexYMdOzggPiiwiz=QTpeZbWOCfpCJR+g6JA@mail.gmail.com> <58FAD0D6-38F1-4EFD-8E44-278DFA86DA78@isc.org> <20180326100421.GA11169@larwa.localdomain> <d603111e-aaf3-3387-4a6d-1c778d6cd3e4@nlnetlabs.nl> <f487d60c-6240-e464-90cf-482c74cc8a9d@nic.cz>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 26 Mar 2018 21:46:00 +0100
Message-ID: <CAHw9_iJgqXOt=i_JPKpX5oDoXb2FWiK3f1hjR5=U+vsdDx0ujA@mail.gmail.com>
To: Petr Špaček <petr.spacek@nic.cz>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_MActItrFqXIN4-dTj4x2qVnozE>
Subject: Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

On Mon, Mar 26, 2018 at 12:13 PM, Petr Špaček <petr.spacek@nic.cz> wrote:
> On 26.3.2018 12:35, Ralph Dolmans wrote:
>> On 26-03-18 12:04, Michał Kępień wrote:
>>>> What is the expected behaviour given
>>>> example.net CNAME kskroll-sentinel-is-ta-<key-tag>.example.com
>>>> when you query for example.net when the key-tag does not match
>>>> a root TA? etc.
>>>
>>> This question is still outstanding as of version -08 of the draft.
>>
>> It is indeed, and it is a question that needs to be answered before it
>> is possible to properly implement the sentinel.
>>
>> For the sake of simplicity I prefer that the *original* QNAME should
>> match the special label.
>
> Meaning of QNAME is (re)defined here:
> https://tools.ietf.org/html/draft-ietf-dnsop-terminology-bis-09#page-10
> Let's be explicit and use "QNAME (original)".


Thank you, I've made this, and incorporated a few other edits (thanks
to Paul Hoffman for the PR) and posted a new version (-09).

W



>
> --
> Petr Špaček  @  CZ.NIC



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
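
Added example, not part of the message above and not code from the draft or from any resolver: a sketch of the rule settled in the thread, where sentinel handling is keyed on the QNAME (original) and a sentinel label reached only through a CNAME is ignored. The function names, the decimal key-tag format and the trust-anchor tags used in the sample are assumptions constructed for illustration.

```python
import re

# Label form quoted in the thread. Assumption: <key-tag> is written as decimal digits.
SENTINEL_RE = re.compile(r"^kskroll-sentinel-is-ta-(\d{1,5})$", re.IGNORECASE)


def sentinel_key_tag(name):
    """Return the key tag if the leftmost label of `name` is a sentinel label, else None."""
    leftmost = name.rstrip(".").split(".", 1)[0]
    match = SENTINEL_RE.match(leftmost)
    if match is None:
        return None
    tag = int(match.group(1))
    # DNSKEY key tags are 16-bit values; anything larger cannot name a key.
    return tag if tag <= 0xFFFF else None


def classify(original_qname, cname_chain, trust_anchor_tags):
    """Decide sentinel handling from the QNAME (original) only.

    `cname_chain` holds the names the resolver followed while answering.
    They are inspected here only to report sentinel-looking targets that
    were deliberately ignored, which is the case raised in the thread.
    """
    tag = sentinel_key_tag(original_qname)
    if tag is None:
        ignored = [n for n in cname_chain if sentinel_key_tag(n) is not None]
        return {"sentinel": False, "key_tag": None, "is_ta": None,
                "ignored_targets": ignored}
    return {"sentinel": True, "key_tag": tag,
            "is_ta": tag in trust_anchor_tags, "ignored_targets": []}


if __name__ == "__main__":
    anchors = {11111}  # constructed trust-anchor key tags, not real root keys
    # The case from the thread: example.net is a CNAME to a sentinel label.
    print(classify("example.net.",
                   ["kskroll-sentinel-is-ta-22222.example.com."], anchors))
    # The same label asked for directly: sentinel handling applies.
    print(classify("kskroll-sentinel-is-ta-22222.example.com.", [], anchors))
```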