[DNSOP] is the root special? (musings of an old timer) - was Re: [Ext] Re: Making draft-ietf-dnsop-kskroll-sentinel apply to all zones

Edward Lewis <edward.lewis@icann.org> Mon, 18 December 2017 19:19 UTC

From: Edward Lewis <edward.lewis@icann.org>
To: Joe Abley <jabley@hopcount.ca>, Larson Matt <matt@kahlerlarson.org>
CC: dnsop WG <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Thread-Topic: is the root special? (musings of an old timer) - was Re: [Ext] Re: [DNSOP] Making draft-ietf-dnsop-kskroll-sentinel apply to all zones
Thread-Index: AQHTeDUbQ5CyLN7SgEuXfgIgGgxRCg==
Date: Mon, 18 Dec 2017 19:19:21 +0000
Message-ID: <247B55A3-9708-4174-9FD6-6A59544DBD05@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cLc-0gWMWKLx5tSHFIE8-Itt6Xo>
Subject: [DNSOP] is the root special? (musings of an old timer) - was Re: [Ext] Re: Making draft-ietf-dnsop-kskroll-sentinel apply to all zones

On 12/15/17, 11:34, "DNSOP on behalf of Joe Abley" <dnsop-bounces@ietf.org on behalf of jabley@hopcount.ca> wrote:

>That seems fair. I was definitely speaking from a set of personal assumptions without any data; it's certainly possible that non-root trust anchors are widely deployed, however much I haven't seen it.

I have one confirmed TLD use of STD 69 (I asked them) and I suspect another does as well (I haven't asked but they do regularly revoke SEPs), this coming from years of steady observation of TLD zones.  Of the SLD data I have, which is far less comprehensive and thus inconclusive, I don't see many revoked keys.  (With revoked keys being an ingredient of STD 69's process.)  But I'll offer that paucity, by its nature, is hard to measure.

Nonetheless, no matter what is done for the DNS protocol, it's best if the protocol works the same for all nodes in the tree.  Whether the secure entry point is the root or "example.com." or "something.deep.example.com.", we should define the protocol to function in the same manner.

(To clear this up, because "my history" vs. "my current" caused confusion before - I'm seeing this as a protocol engineer dating back to the time when DNSSEC was assembled [including the earliest opt-out "wars" where the temptation was to "special case" the TLD "com."], not as much as someone working for ICANN today.)

And as much as there is one unique root on the global public Internet, there are multiple inter-networks in existence.  Such networks also use DNS and also make use of general purpose DNS software.  So, I'd really resist setting special rules for the root zone that are tied to how "we" operate.  (We can be IANA as the operator of the root zone or we as those whose job is to collectively maintain the global public Internet.)

So, I'd make no assumptions about familiarity between the secure entry point and the trust anchor databases.  There's not even a way, in-band (to DNS), for a trust anchor operator to know if the secure entry point is honoring STD 69.  In fact, I'd surmise that one of the ingredients in the DNS's wild success and growth is that there's no feedback loop, with the protocol featuring anonymous, context-free sessions.  Each time we try to fight that bit of nature, we find "it's hard."  Doesn't mean it can't be done, but you're fighting "parental-guardian" nature.
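An added example, not part of the message above: a small Python check that classifies DNSKEY records by their ZONE, REVOKE and SEP flag bits, which is the kind of "revoked SEP" observation the message describes as evidence that a zone operator runs STD 69 (RFC 5011) rollovers. The sample zone lines are constructed, not real records.

```python
# Classify DNSKEY records from zone presentation format by flag bits.
# Added example; sample data below is constructed.
ZONE = 0x0100    # bit 7: Zone Key (RFC 4034)
REVOKE = 0x0080  # bit 8: REVOKE (RFC 5011 / STD 69)
SEP = 0x0001     # bit 15: Secure Entry Point (RFC 4034)


def parse_dnskey(line: str):
    """Parse one DNSKEY RR in presentation format; None for any other RR.
    TTL and class are optional, so the record is located by the DNSKEY token."""
    parts = line.split()
    try:
        i = [p.upper() for p in parts].index("DNSKEY")
    except ValueError:
        return None
    if i == 0 or len(parts) < i + 4:
        return None
    flags, proto, alg = (int(p) for p in parts[i + 1:i + 4])
    if proto != 3:  # RFC 4034: protocol must be 3, otherwise not a valid DNSKEY
        return None
    return {"owner": parts[0], "flags": flags, "algorithm": alg,
            "zone": bool(flags & ZONE), "revoked": bool(flags & REVOKE),
            "sep": bool(flags & SEP), "key": "".join(parts[i + 4:])}


def classify(rec) -> str:
    """Label a parsed key: KSK/ZSK, with a 'revoked' prefix when bit 8 is set."""
    if not rec["zone"]:
        return "non-zone"
    kind = "KSK" if rec["sep"] else "ZSK"
    return f"revoked {kind}" if rec["revoked"] else kind


def summarize(zone_text: str) -> dict:
    """Count keys per label across all DNSKEY lines in a zone dump."""
    counts: dict = {}
    for line in zone_text.splitlines():
        rec = parse_dnskey(line)
        if rec is not None:
            label = classify(rec)
            counts[label] = counts.get(label, 0) + 1
    return counts


def shows_rfc5011_revocation(zone_text: str) -> bool:
    """True if any zone key carries the REVOKE bit, the STD 69 signal."""
    return any(label.startswith("revoked") for label in summarize(zone_text))


SAMPLE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example. 3600 IN DNSKEY 257 3 8 AwEAAbNEWKSK
example. 3600 IN DNSKEY 385 3 8 AwEAAcOLDKSK
example. 3600 IN DNSKEY 256 3 8 AwEAAdZSK
example. 3600 IN DNSKEY 384 3 8 AwEAAeOLDZSK
"""
```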