Re: [DNSOP] Definitions of basic DNSSEC terms
william manning <chinese.apricot@gmail.com> Tue, 09 August 2016 21:56 UTC
Return-Path: <chinese.apricot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D62AC12D098 for <dnsop@ietfa.amsl.com>; Tue, 9 Aug 2016 14:56:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YUZOPQehFmhJ for <dnsop@ietfa.amsl.com>; Tue, 9 Aug 2016 14:56:21 -0700 (PDT)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E33B712B069 for <dnsop@ietf.org>; Tue, 9 Aug 2016 14:56:20 -0700 (PDT)
Received: by mail-io0-x229.google.com with SMTP id 38so24756767iol.0 for <dnsop@ietf.org>; Tue, 09 Aug 2016 14:56:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OsUsFwFzefGJ6qr/KOvD+da4VDp0+PBZZHzJRQj67RQ=; b=A+wbbOIz6uUU2jFynIpY8qWnfevjIfQMmhXzQQ7/uvK4tOpG81FphuesbT6g2+Sxgx vM2q8fvo30mKLw7+QaXegfDfCooAJMokVgYxnREn0m79VmafOVbi5LprjwSvVZLOwWtR x13jrQcSDjQI69WOx7yiLsAXv+1OiQbq1PWvyFDI4bGADeeBnEUVDBGubSiSAlE9jkHz QdsV15uSFyJqGrWO64e2VQZsyy6eU/1r9I76Wf14qMcTaB3BbEockYkTOZDMDcE4xhrR /5mpd4QAlZLBtatgPdsrpely0o3qB8P274Mz7FINSsvhis7G/Ke/fdFVS+zBqSocE8S4 M4ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OsUsFwFzefGJ6qr/KOvD+da4VDp0+PBZZHzJRQj67RQ=; b=HBpDfu5k5puGce8odxH3M/f8Mo34DvqsJ4VNLhRyi0JO44lYmHTAugj8JzQoMGBQB7 VmdpdXfNHozOvqRd24FeQhwwZdXAPgAAKWwm7Ai2WffEnG8RdJa9VDAIHFwSUrjHlVnz 96Oeo+ZGBnNKr7racxhBRnmKVlIFr0lj/ZGlDWYa0zlV3o/AsKIfk9UIs7Ua+jC7gsU1 MjbQ1isVmM4s/sLy6u0Ybj31DujjcR6l6xaXQI/VfgsZVs8qFFEmsUfgS1nPPBMVKilL x/uIS3hOzKNEiX/HP6V22mdDVBRtJBY2+HrDysm+JdavtJjbIkYV9C/igQCErG+SkG1P m50Q==
X-Gm-Message-State: AEkooutFP//ubIqZJKflmTbCxmx9DFQRsxYTkKGRkPqml7Jh79o9Sj4CTP2TYINOJCHvgYvN0K+3F51JXRTCMw==
X-Received: by 10.107.27.144 with SMTP id b138mr1503198iob.163.1470779780152; Tue, 09 Aug 2016 14:56:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.35.213 with HTTP; Tue, 9 Aug 2016 14:56:19 -0700 (PDT)
In-Reply-To: <C85EB98D-91A1-4857-BAE2-F12905F64800@icann.org>
References: <29ED2792-2055-45DC-9715-1D576D96DC23@vpnc.org> <C85EB98D-91A1-4857-BAE2-F12905F64800@icann.org>
From: william manning <chinese.apricot@gmail.com>
Date: Tue, 09 Aug 2016 14:56:19 -0700
Message-ID: <CACfw2hg_YFadaDh-HzzGgr49k-Qzj=+WPh2KW+HVdyh_uZ7vRA@mail.gmail.com>
To: Edward Lewis <edward.lewis@icann.org>
Content-Type: multipart/alternative; boundary="001a11409f9a56c1ed0539aa9a92"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aoBiOFnYpH4kSQplFV13tkaZ8Vc>
Cc: dnsop WG <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] Definitions of basic DNSSEC terms
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2016 21:56:23 -0000
must be mass hallucination. My memory concurs with Ed on the history. If you MUST define authentication, validation, and verification, I would place them under, "local policy" /W On Tue, Aug 9, 2016 at 3:55 AM, Edward Lewis <edward.lewis@icann.org> wrote: > On 8/4/16, 10:16, "DNSOP on behalf of Paul Hoffman" < > dnsop-bounces@ietf.org on behalf of paul.hoffman@vpnc.org> wrote: > > Greetings again. There are six terms that are commonly used when we > talk > about DNSSEC: > - validation and validate > - authentication and authenticate > - verification and verify > Are they defined in any RFCs that we can use for the terminology-bis > document? As far as I can see (but I could be blinded), they are not > defined in RFC 403[3-5]. > > Suggestions? > > Writing based on possibly undocumented (read: oral) history, those terms > fell under the category of "local policy" in the earlier DNSSEC documents > (such as "Domain Name System Security Extensions" [RFC 2535]). > > When the first proof-of-concept DNSSEC validator was written there was a > definite and deterministic set of tests implemented but there was no > intention to codify that into an IETF document for a number of reasons. At > the time the documents had a goal of defining what was needed for > interoperability, as opposed to be prescriptive. And it wasn't clear that > local matters of what an instantiation would trust would necessarily be > significant to what another instantiation would choose. > > There once was a long thread on whether an authoritative server should > perform cryptographic checking of all loaded signature before adding in the > AD bit. Ultimately it was decided to not require that (because, for one, > load time was too long for large zones). Authenticated Data meant "the > server is happy with the data" and not that any level of computation > (signature checking) had been done. The result of this is in "Redefinition > of DNS Authenticated Data (AD) bit". > > > > > ---------- Forwarded message ---------- > From: Wes Hardaker <wjhns1@hardakers.net> > To: Terry Manderson <terry.manderson@icann.org> > Cc: "tjw.ietf@gmail.com" <tjw.ietf@gmail.com>, "dnsop-chairs@ietf.org" < > dnsop-chairs@ietf.org>, Wes Hardaker <wjhns1@hardakers.net>, " > dnsop@ietf.org" <dnsop@ietf.org>, " > draft-ietf-dnsop-dnssec-roadblock-avoidance@ietf.org" < > draft-ietf-dnsop-dnssec-roadblock-avoidance@ietf.org>, Spencer Dawkins at > IETF <spencerdawkins.ietf@gmail.com>, The IESG <iesg@ietf.org> > Date: Wed, 3 Aug 2016 15:53:08 -0700 > Subject: Re: [DNSOP] Terry Manderson's Discuss on > draft-ietf-dnsop-dnssec-roadblock-avoidance-04: (with DISCUSS and COMMENT) > Terry Manderson <terry.manderson@icann.org> writes: > > > Hi Spencer, > > > > On 14/07/2016, 12:57 PM, "Spencer Dawkins at IETF" > > <spencerdawkins.ietf@gmail.com> wrote: > >> > >>Terry, I like where you're headed, but just to ask the obvious question, > >>are you thinking the draft would, or would not, also contain something > >>like "at the time this document was approved, a domain used for this test > >>was $someactualworkingdomain.com <http://someactualworkingdomain.com>"? > > > > Sorry I didn't make it obvious, yes I would like to see text like this, > > and I think it makes an easy path for the less adventurous in addition to > > supplying more in depth guidance. > > How does this text work to be dropped into the end of the > "Implementation experiences" section (1.3): > > <section title="Test Zone Implementation"> > <t>In this document, the "test.example.com" domain is > used to refer to DNS records which contain test records > that have known DNSSEC properties associated with them. > For example, the "badsign-a.test.example.com" domain is > used below to refer to a DNS A record where the > signatures published for it are invalid (i.e., they are > "bad signatures" that should cause a validation > failure).</t> > > <t>At the time of this publication, the > "test.dnssec-tools.org" domain implements all of these > test records. Thus, it may be possible to replace > "test.example.com" in this document with > "test.dnssec-tools.org" when performing real-world > tests.</t> > </section> > > And then everywhere that test.dnssec-tools.org exists in the document, > I'll replace it with "test.example.com". > -- > Wes Hardaker > Parsons > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > >
- Re: [DNSOP] Definitions of basic DNSSEC terms Edward Lewis
- Re: [DNSOP] Definitions of basic DNSSEC terms Casey Deccio
- Re: [DNSOP] Definitions of basic DNSSEC terms Tony Finch
- Re: [DNSOP] Definitions of basic DNSSEC terms Paul Hoffman
- Re: [DNSOP] Definitions of basic DNSSEC terms Paul Hoffman
- Re: [DNSOP] Definitions of basic DNSSEC terms william manning
- Re: [DNSOP] Definitions of basic DNSSEC terms Edward Lewis
- Re: [DNSOP] Definitions of basic DNSSEC terms Tony Finch
- Re: [DNSOP] Definitions of basic DNSSEC terms Paul Hoffman
- Re: [DNSOP] Definitions of basic DNSSEC terms Wes Hardaker
- [DNSOP] Definitions of basic DNSSEC terms Paul Hoffman