IETF Logo Mail Archive

Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

"Paul Hoffman" <paul.hoffman@vpnc.org> Mon, 05 October 2015 19:35 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 715611B4F33 for <dnsop@ietfa.amsl.com>; Mon, 5 Oct 2015 12:35:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XXqRein87Z9W for <dnsop@ietfa.amsl.com>; Mon, 5 Oct 2015 12:35:54 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 501A91B4F35 for <dnsop@ietf.org>; Mon, 5 Oct 2015 12:35:54 -0700 (PDT)
Received: from [10.47.60.19] ([207.164.135.98]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t95JZovu056750 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 5 Oct 2015 12:35:51 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host [207.164.135.98] claimed to be [10.47.60.19]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Joe Abley <jabley@hopcount.ca>
Date: Mon, 05 Oct 2015 15:35:50 -0400
Message-ID: <D2C7120E-D13A-4372-8A8D-FE16DDDB5AEA@vpnc.org>
In-Reply-To: <9F52E6FC-E503-4E3A-9998-363BF514CC1A@hopcount.ca>
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <0E4AA958-7740-4602-A3CF-D2E481DBC15E@hopcount.ca> <20150928155325.GA63874@gaon.net> <20150929095301.32c3e6a3@casual> <13F1D87F-1C07-40EB-86B0-564C4109C9B0@virtualized.org> <1973252D-924F-4EF1-A38F-5EC01AD331F6@gmail.com> <FDD04DCC-59C5-41F5-8CAF-1EF31CD65A34@virtualized.org> <63E1E01E-C172-4A0F-B434-F796546BB657@gmail.com> <C4FA9FA6-76E3-4FF3-862B-C5C0DF75C761@kirei.se> <D1C15986-603E-4932-B551-0497638D9849@vpnc.org> <02869F43-87A4-4797-8FD3-276C02DF665D@kirei.se> <EEA946B1-8BF3-4AB7-99D2-4C8CDCCF0EC0@vpnc.org> <F412CE02-C0BA-425E-BBF9-3A40B2B5FEA7@vpnc.org> <9F52E6FC-E503-4E3A-9998-363BF514CC1A@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/bK9pCyQcLdmvC23kvmwbjq2QaVw>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 19:35:55 -0000

A document called "DNSSEC Trust Anchor Publication for the Root Zone" 
that says nothing about the most common KSK publication practice, that 
is, by resolver software developers, is woefully incomplete.

If instead the document is supposed to be about current ICANN 
publication only, then the document should be retitled, given a better 
abstract, and give the actual URLs for the current KSK and describe the 
formats used for the current data. It should not make speculation about 
other URLs nor about other format options. It should not talk about the 
publication of possible future KSKs because that is not what ICANN is 
doing now.


On 5 Oct 2015, at 10:14, Joe Abley wrote:

> Hi Paul,
>
> On 5 Oct 2015, at 9:52, Paul Hoffman wrote:
>
>> Given that the title and abstract of this document disagree with what 
>> many people here have said they want the document to discuss, if the 
>> WG adopts this work item, please adopt an exact description of what 
>> is wanted with the expectation that this draft could be changed to 
>> fit the description.
>>
>> I still believe the description of the document people want is best 
>> done by ICANN because it is ICANN who can describe what the 
>> publication process is today.
>
> I think we're conflating a couple of things that could perhaps be 
> better considered separately.

Yes, definitely.

> 1. This document could be published by ICANN through the IETF if they 
> want to make it part of the historical record (what we did in 
> 2009/2010) and also provide a reference to current practice that is 
> easier to find (and doesn't have DRAFT written all over it) than the 
> current reference that I think is only buried within root-dnssec.org. 
> There's precedent for this, see e.g. RFC 7108 which was published as 
> an individual submission. If we followed the same path, we'd be 
> looking at dnsop to review for clarity and accuracy, but we wouldn't 
> be asking for adoption.

If the main issue is "it's too hard to find the current publication 
procedure", then ICANN should (and can) fix this easily. We can also 
take the stupid "DRAFT" designation off.

Publishing an RFC about how ICANN published something in 2010 seems like 
a waste of time, even for historical purposes. It will cause more 
confusion than benefit.

> 2. The current draft was originally written by me as ICANN staff and 
> Jakob as an ICANN contractor. If there's a need to add current ICANN 
> staff to the author list to make it look more official, surely we 
> could do that (as we did with 7108, actually, which was published 
> after I left ICANN).

No one has even vaguely suggested this, and if they do, I'd be happy to 
try to talk them out of it.

> 3. If ICANN prefers not to see this draft published in the RFC series, 
> then that's a good reason not to do it. The value in this document 
> (wherever it is published) lies in it being real, which means we need 
> ICANN's support, e.g. through references in the KSK maintainer's DPS. 
> If that's the preference, let's hear so, clearly. Right now it's 
> difficult to distinguish between individual contributors' opinions and 
> the desires of the IANA Functions Operator.

You are fully and painfully aware of how difficult it is to get "ICANN" 
to state a preference. I'm bringing this up as an individual who has 
read the document carefully and believes that the document only 
partially matches current publication practice for the trust anchor, 
even if the document is retitled and has a more accurate abstract.

> 4. If there are elements in the current text that don't match current 
> practice, then let's hear what they are.

Current practice for what? Publication? Publication by ICANN? It is 
somewhat unfair to ask this question when WG participants have different 
expectations for the document.

> So far comments to that effect are causing some alarm, but without 
> details it's hard to know what to do with them.

Bosh. I gave you details off-line last week, and you acknowledged them. 
It is clear that people commenting on this thread are not reading the 
document listed in the subject line carefully, because most /all who 
have said that they want the document published follow up with a 
description of something that does not match the the current document.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email