Re: [DNSOP] [Ext] Working Group Last Call - draft-ietf-dnsop-rfc5011-security-considerations

Edward Lewis <> Fri, 20 October 2017 16:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 93937134211 for <>; Fri, 20 Oct 2017 09:39:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uWX13nJwsycQ for <>; Fri, 20 Oct 2017 09:39:55 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BF899132D67 for <>; Fri, 20 Oct 2017 09:39:55 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Fri, 20 Oct 2017 09:39:53 -0700
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1178.000; Fri, 20 Oct 2017 09:39:53 -0700
From: Edward Lewis <>
To: tjw ietf <>
CC: dnsop <>
Thread-Topic: [Ext] [DNSOP] Working Group Last Call - draft-ietf-dnsop-rfc5011-security-considerations
Thread-Index: AQHTSAKiAPrVc0Gd3keOQWiaZ8psOKLtaW4A
Date: Fri, 20 Oct 2017 16:39:52 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="B_3591337192_1784542923"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Working Group Last Call - draft-ietf-dnsop-rfc5011-security-considerations
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Oct 2017 16:39:57 -0000

On 10/18/17, 04:17, "DNSOP on behalf of tjw ietf" < on behalf of> wrote:

>This starts a Working Group Last Call for: draft-ietf-dnsop-rfc5011-security-considerations

I outright oppose publishing this document.

One, the audience of this document (namely the targetted operators) has not participated in the review of the document.  I should perhaps add "sufficiently" as I have made comments and my personal observation is that the document isn't all that helpful. No other operator, so far as I know (big caveat), has commented.

Two, the document perpetuates the mis-use the term "trust anchor".  To point to a specific place in the document:

## 3.  Terminology
##    Trust Anchor Publisher  The entity responsible for publishing a
##       DNSKEY that can be used as a trust anchor.

That is not a term I'd define.  Trust is gained, not read.  One cannot
"push" trust via publishing something.  What is published are secure
entry point keys:

>From "DNSSEC Resource Records", section "The Flags Field":

"Bit 15 of the Flags field is the Secure Entry Point flag, described
in [RFC3757]"

Note that it is not the "Trust Anchor flag."  I don't think that the working group should progress documents that lead to terminology confusion.

Three, the document beings to co-mingle validation with trust anchor management, which are two different concepts:

##    RFC5011 Validating Resolver  A DNSSEC Validating Resolver that is
##       using the RFC5011 processes to track and update trust anchors.
##       Sometimes referred to as a "RFC5011 Resolver"

Automated Updates is not part of the validation process, it is a part
of the trust anchor management function.  Whether the set of trust anchors
are managed in accordance to Automated Updates or not, the validation process
is the same.

Four...well, as I said, it's hard to justify spending time on a document that has a low ROI.  The equation for timing, which is the highlight of the document, is too complicated and includes an unsupported "safety margin."  The latter element throws out the window any reason to be so precise up to that point.

I appreciate the document's desire.  But it would be better written if it came from operator experience in implementing a key management scheme that is compatible with what is described in the Automated Updates of DNSSEC Trust Anchors document.  And it would be less harmful if the terminology stuck to the language used in developing the protocol, as opposed to the colloquial use that has emerged.  (Such as the notion that trust anchors "are published".)

The reason I'm opposing going forward without providing new text is that I don't feel that I can give new text until completing a process designed to be compatible with "Automated Updates".  I could envision a "Recommended Management of Secure Entry Points for Compatibility with Automated Updates" coming in the future, but not yet.