IETF Logo Mail Archive

[DNSOP] Re: draft-ietf-dnsop-ds-automation-05 ietf last call Dnsdir review

Peter Thomassen <peter@desec.io> Sun, 10 May 2026 11:30 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C55E8EC0D108; Sun, 10 May 2026 04:30:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1778412645; bh=QW3hiqHeN4cCtEYs3hizz3B5iQtUHD9oXvihZzW4B3E=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=SAH3kDOdRY994Euz3gw7Oxj8YRWzH4dWkOQ0/3I7mW8OH9KjQ5QhMIQn3AkUYRM1c 3xVm91GSiuRXn4OBM3RybXdH+UEWVm8x5HWdXZ2Ws47tz+TLYfPG8qTHbJWYnN/1Jh lu7P4Qm5312J2br0H7WWTHOtSEfr3XsPcKiZqTb4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c_dDGlyx4F-W; Sun, 10 May 2026 04:30:41 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E6E21EC0D0B4; Sun, 10 May 2026 04:30:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=esc1hSNCtDv51hYRLCQTqp14U0dEsci5cbiuLPydMfY=; b=TTWgFHZHMrgBis8RzZftxm3Qa+ 1JQFEgLnde46YVNunswXT9Muc1flaKTsCjycvZb6dpczMIsMq7lgxF+CtYoAWYJ9Jz2WWvCnTGgVH yLQhWx1xtUTQCTtJaZD8ivVO/PunTsjbjXNqEcufk+dREh3NQmlWKjcyq+afHhlSKcC6xyfp2PsVx 43l6IG6fDC+YM3X6XadkMnf5QsF4wklcp1IOfA7+OpyeQGF45yJFNghbJSbuQXhivOc2McMo6ujUc aUZK3Wg43BJmudnKUIxbTif8EsTcxvspJMCHEE4vzQQRPeSCZzpZ8CutcTIYyvrtdBFbPQvodiHhi 4X7o/nHw==;
Received: from [2001:9e8:16dc:d300:5f2:7fc5:684:f030] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.97) (envelope-from <peter@desec.io>) id 1wM2Mf-00000001N2R-00Uy; Sun, 10 May 2026 13:30:29 +0200
Message-ID: <60cf7de5-bf5e-498f-a230-65e8630b05e1@desec.io>
Date: Sun, 10 May 2026 13:30:27 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Peter van Dijk <peter.van.dijk@powerdns.com>, dnsdir@ietf.org
References: <177809300034.1107395.2856001612682696117@dt-datatracker-787b78d5f6-p2rl2>
Content-Language: en-US, de-DE
From: Peter Thomassen <peter@desec.io>
Autocrypt: addr=peter@desec.io; keydata= xsFNBFRjVn0BEADXqtra70yxQrT4MQ9DEhN0mxG6XRAOHE6nP18mqxwSlcET7D6w+z3h4ole v0tyvUU02c2wg04X8WVfjoHnAvIa1dfUcNpB1+QmfFsw0xIJlbT1ogHkMiPQqR4ChDvE3ND/ 6YCS5+HT6hY+tfU+hpLsKw4l+u1Pg2NPVLYosET1jU84b7xhFnoicnCV3kUNltLtxLKSBAfk AXtp1AWWKJbfCr3y0qKElMriicoe5DUZfLrZK2iPcWBxh+n7KMO2g7aqx3aQqwW1+S7Sq7Is l6iSurYfIcHb4AfUy4o5nPB8kKACR6BuJmkEQ5WLuTGruWA2fcxaNpICmolMinTzW1CrIjgN PoskMYCNIZ2uWxS6LN8hBiGCRL4h9aL4wuT09SvR13oAPI1HD5ph+mH6wD37/ONBXrdjcFNb 1l/uVkHU/SwwcKDJOsX18T60Ao00fciTbFHgmKtFube0xGK/vjh461TyU+xKD8Orvyeovvxy MzCwM3UVq/dkdG2Ys/7Qy/4bUC1nJEwKlLv7ZTdtSckdoU2M6JpPX6i4KDB2YCMbwtqJ842z 8A/UuE2bL9aDimh/sF8WgPIhlxqF1STNqW1JTIbDPv8HeZnM4nyJOUWStj4uRiETQhBClPLz YWtnR+EUsfbSLy81vfupbMqRasDlt6aASobgn+K7Rb1Xs/mDnwARAQABzSBQZXRlciBUaG9t YXNzZW4gPHBldGVyQGRlc2VjLmlvPsLBeAQTAQIAIgUCVGNWfQIbIwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQ79YUOj7yLS88Dg//SbHnFGrtaImEiM69wyj4GzWnuGk9/upCym/R RzdBALCYHU9FUFFHwusiO9A0pnO8qv/GEtqqTHrcL205a6FTivkdZmOsWuN4oo7r4HBc/taI FLLUDg2wd8q4m4387sYEqrc3olGfyRB6hrMtEWVJLXHJmpcrxAaI1F2QO4Bu7kcdTnyGFz/p ZD8XAof2TWHqJb2ux69DFhiAJeAZlV+h9QrxTedL84l4hq3x1VWsnOEFaCJiThDX920kTnhJ ijrDocgAbmQBCniPACpPHYhBhmCJxfVqgfMuLMNsukOmKxsGcGV6rO1zB5ZUhm3O/Ixk6ow3 6FDKALWihg6Z4P/cJYySMn0iqvHkO8ryT9oJKX//mKaYoF6henXDRLCcRjKwGxFQTEgX+6yc pjgvX3rlypjkPT5ho4yEc5ePkQ2gIIHhvZburm1Zr4nDPx6v8+3XUjpXBRTWQ8/0/h0rtLJe yOPwGJxcfKf/GutTCqiio0mS01mIY9c2i7JWcljlIuSEUit6CHotc5lBOm2GJwguRJG6cXPY SQecwBdcjH3RTzBOv/DN6xWAIV7BmbX/e7DSGAc60mBO1/M0ut+a6CkxRQK8TaE3B3zh1/QO nG0XvtZfIY8ZYdTrdEDSV1Pj5pof/fqhhegHRxN2qi4qIuVcrW0jsUsx10IgAynHR7qQKsvO wU0EVGNWfQEQAPBA8iPCS4ZRX8stW0WuW7579axSq/Luyik4MWDFalt68lzvUbV0f6faN15+ aV7VwMTw3rSa2tP0U8crYAAAZ5NrRHXlYms5BK9vsi1322dAvhyNRawdprP627SO+Ez/84tY xz1X3M9esbN7gpJtHP6mHW76zYpT447v6c2qlbldjobZTDb6kKSGFCIrPJz9M4jVfya+ovxe 2Ab7hn2R0CcyMHATV5g1Ry0XXaj5y3bWypActbG9nflRn3NjhHZynu+WEPDUJCO8kNVNYKOw HObNTeaLvgvU0ONB8pYJv35kDXMhZLwo5MJuJd5i54CXwpo9mECwLJT1RpJi7u98nBrWyyaH s2brG9LPCRKBKOhiHFu57H+cElh+kOvehuS7DFTzjqDwJlkQzP5Hq0G++hZxfdYocKdcdFoh RP3dtDAe+Lfiy9qzJicZ6ACbzoQIN58xj0VWAn1W7SuMErOjv84D/FiXHD2Kxtx09wQl8vH0 Nbh9UgyDBNupToM0ixT+8Ko8eBuYHR53RPxshQhFw4EMIhXiOaxNe1W2Z95QPnYhUGOMoy3I v4fxMQUHa4kZSF2qxsFB1Cxol/aBPGwkwoqUvzp23pLQtJ6youYXtLgvx3pR4L52Q5CUzHMa HvM67XWgW1KqtnvNBXN9PwtDz/a9fQX1YO4CegrXv8C9Ro+LABEBAAHCwV8EGAECAAkFAlRj Vn0CGwwACgkQ79YUOj7yLS8rXA/9EGX2QRfJS94JTdtseu7saTK9a3IKwk6E33GpfXyUVpMt sOqV756XQwULZSWoxInRQtWojA8pQxDUYrbA4MpX0Efr2Dx1xIsJ5F3JajOqViB1SbOD2m0f bxXbcoWKitsKoag2SlvNOd8rD9FcgDvrkacnaQZcZE8DyyGx0JU451tfoD/igu85NZpTDaWG 6fth7QRlxmdGWrGXRdXAP29jq1n0I1wIyF/bXlZ7MXjOSsfyPddzsnHFTvNMZKps0QXNF+hi ESg9chIeo/IFDDVu6pCtm6mftojx84rczTZiNk8r2T3TU4N8uwWtXn/nj9xd61pnxD0xkTPH zxJrCs59WSfYqj3aFNkWO3Lg0/HGnO9wHQKMXcGPsnKITHVzxCNBQtVHomNA7ds6Kt3/WJgS pU2ciICvrpvKgPNWQ0d/SeY3vYIRvDLZ12Svx6M3eXDrsgZOT5be7kGVr3t7dBOYKcRHkZUq kU1kCcgp0vetISVDOc5fkpdUkAtd5/13pIpz4ikVR3OM4Br4XMVShm6RvoP4pyA+ftCi1+bw 0UbRCrnHgnG+wtCf5nMDGVLc04vITnII+ESZqlF02a1IFj0Z2MuQK2Oszl2Nsx/LG60G1e/R pzKEXIIJgHfbwUCWtV1zQu6v9Ng5H8EqVeWcdaPUwSQMGcDg/sPa4s/OxhgrYBg=
In-Reply-To: <177809300034.1107395.2856001612682696117@dt-datatracker-787b78d5f6-p2rl2>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 2SOQI3V4F2PNANBS37RN7KY6EDEWZOC2
X-Message-ID-Hash: 2SOQI3V4F2PNANBS37RN7KY6EDEWZOC2
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: draft-ietf-dnsop-ds-automation-05 ietf last call Dnsdir review
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aJdt4qhM-iPu6hM__iqrj0ZaOAo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Peter,

Thank you very much for your review!

On 5/6/26 20:43, Peter van Dijk via Datatracker wrote:
> This is a solid document. My concerns are tiny. Please find them below.
> 
> ```
> Parent (DNS operator):  The DNS operator responsible for a Parent
>        zone and, thus, involved with the maintenance of the delegation's
>        DNSSEC parameters (in particular, the acceptance of these
>        parameters and the publication of corresponding DS records).
> ```
> 
> The Parent (the party responsible for the Parent zone) is the Registry. The
> Registry is not necessarily the DNS operator ("entity responsible for running
> DNS servers", RFC9499), so "DNS operator" seems wrong to me here.
> 
> In other places in the document, DNS Operator is also used to refer to the
> manager of the child zone. This also seems wrong to me.
> 
> I note that the title of 9615 uses "Zone Operator" which seems right to me. I
> also note that the body of 9615 consistently uses "DNS Operator". It seems this
> ship may have sailed.

The "Child DNS Operator" language comes from RFC 7344 which started the CDS/CDNSKEY work. I believe it is best to stick to the established terminology.

This argument does not apply to "Parent (DNS Operator)". I've changed it to just

NEW
    Parent:  The operator responsible for a Parent zone and, thus,
...

> ```
>     2.  Parent-side entities (such as registries) SHOULD reduce a DS
>         record set's TTL to a value between 5–15 minutes when the set of
>         records is changed, and restore the normal TTL value at a later
>         occasion (but not before the previous DS RRset's TTL has
>         expired).
> ```
> 
> Why is the previous TTL relevant to deciding how long to wait?

The thinking is that, when the previous DS TTL has not yet expired, you may not have been able yet to observe failures from the new RRset as it might now have been used for DNSSEC validation. Once the DS TTL has expired and you've seen no issues, there's reasonable assurance all is fine, and the TTL reduction starts being superfluous.

As usual, that's rough guidance and there is no perfect time. However, if the DS TTL is 86400, it would not make much sense to set the TTL to 300 after a change, and then return to 86400 when the reduction was in effect for only an hour or so.

> ```
>     3.  Child DNS operators SHOULD be notified using a report query
>         [RFC9567] to the agent domain as described in Section 4 of
>         [RFC9859].
> ```
> 
> Does 9567 apply only in error cases, or also in success cases?

Notifications to the Child DNS operator are about error conditions only (see the paragraph starting with "For error conditions"). There are no situations described in the draft where the Child DNS Operator would be informed of a success. So, while RFC 9567 appears to only apply in error cases, that's not a restriction to this use case.

To remove the potential confusion, I've changed "notified using a report query" to "notified of errors using a report query" in the recommendation you quoted above.

>     thus being ignored.
> 
> I suggest "causing all of them to be ignored"

Thanks, done. (Without "all of", as that could be misread as affecting other children as well.)

> Section 5.2 lists "situations of particular interest" and "conditions worthy of
> being reported". Then, "justified to attempt communicating" is linked to
> "reportworthy cases". If this indeed is meant to refer to only cases 3 and 4, I
> recommend being more explicit than repeating the term "reportworthy cases". If
> it is supposed to refer to the entire set, repeating the term is confusing.

It's meant to refer to error conditions (cases 3 and 4) only, as those definitely are reportworthy, whereas successful operations (bootstrapping or disabling DNSSEC) are "only" interesting but don't require any follow-up.

Accordingly, I've clarified by replacing the repetition of "For these reportworthy cases" with "In these latter two cases" (and the two cases immediately precede that sentence). Thanks for catching the ambiguity!

> I only mention section 6 to point out how well-considered all the reasoning in
> it is. Very good work.

<3

The commit addressing your feedback is here: https://github.com/desec-io/draft-ietf-dnsop-ds-automation/commit/a1c9f3c0b11f8c96e4a7246fc958a59be182c2f7

Best,
Peter

v2.46.0 | Report a Bug | By Email | System Status