Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-10.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 30 September 2019 22:23 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC28712081F for <dnsop@ietfa.amsl.com>; Mon, 30 Sep 2019 15:23:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6NRN9iAOHcpE for <dnsop@ietfa.amsl.com>; Mon, 30 Sep 2019 15:23:34 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34227120178 for <dnsop@ietf.org>; Mon, 30 Sep 2019 15:23:34 -0700 (PDT)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 2CBEE2A4A92 for <dnsop@ietf.org>; Mon, 30 Sep 2019 18:23:33 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <156962713660.24718.71133858140531907@ietfa.amsl.com>
Date: Mon, 30 Sep 2019 18:23:31 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: dnsop@ietf.org
Message-Id: <CEC273B9-3EE4-4DEB-BA38-FCF90819C0AF@dukhovni.org>
References: <156962713660.24718.71133858140531907@ietfa.amsl.com>
To: dnsop@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ckKYIqgIGLcKUzEueiX5ac6Z7vM>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-10.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Sep 2019 22:23:37 -0000

> On Sep 27, 2019, at 7:32 PM, internet-drafts@ietf.org wrote:
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-extended-error-10

Perhaps at my instigation the descriptions for:

	3.8.  Extended DNS Error Code 7 - Signature Expired
and	3.9.  Extended DNS Error Code 8 - Signature Not Yet Valid

were changed in version 10 to read, respectively:

	... but all the signatures in an RRset in the validation chain were expired.
	... but all the signatures received were not yet valid.

But I guess it is also possible in pathological cases, that both
might apply.  Specifically, when none of the RRSIGs are extant, with
at least one expired, and the rest (at least one) not yet valid.

FWIW, the language could be amended to accommodate this possibility:

	... but no signatures are presently valid and some (often all) are expired.
	... but no signatures are presently valid and some are not yet valid.

Which raises another question: Can an OPT RR legitimately carry more than one EDE
option, and thereby communicate multiple errors?  Such as perhaps the above
hypothetical with some RRSIGs expired, and some not yet valid.

-- 
	Viktor.
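The mixed case raised above (no RRSIG covering the current time, at least one expired and at least one not yet valid) and the follow-up question about carrying several EDE options in one OPT RR, as an added example that is not part of the message or of the draft. It classifies a single RRset's RRSIGs against a clock, derives the EDE INFO-CODEs 7 (Signature Expired) and 8 (Signature Not Yet Valid) from the draft's numbering, then packs each code into its own EDE option (OPTION-CODE 15, the value later registered for EDE in RFC 8914; OPTION-LENGTH; 2-byte INFO-CODE; UTF-8 EXTRA-TEXT) and parses the resulting OPT RDATA back. The `Rrsig` dataclass, the helper names and the timestamps are constructed for this illustration; a real validator compares RRSIG times with 32-bit serial-number arithmetic (RFC 4034, section 3.1.5) rather than the plain integer comparison used here.

```python
import struct
from dataclasses import dataclass

EDE_OPTION_CODE = 15                 # EDNS option code assigned to Extended DNS Error
EDE_SIGNATURE_EXPIRED = 7            # draft section 3.8
EDE_SIGNATURE_NOT_YET_VALID = 8      # draft section 3.9


@dataclass(frozen=True)
class Rrsig:
    """Only the fields of an RRSIG that matter for the validity window (constructed type)."""
    signer: str
    inception: int      # RRSIG Signature Inception, seconds since epoch
    expiration: int     # RRSIG Signature Expiration, seconds since epoch


def classify_rrsigs(rrsigs, now):
    """Split one RRset's signatures into (currently valid, expired, not yet valid).
    Plain integer comparison; real code uses RFC 4034 serial-number arithmetic."""
    valid, expired, future = [], [], []
    for sig in rrsigs:
        if now > sig.expiration:
            expired.append(sig)
        elif now < sig.inception:
            future.append(sig)
        else:
            valid.append(sig)
    return valid, expired, future


def ede_codes_for_rrset(rrsigs, now):
    """EDE INFO-CODEs to report for this RRset, in ascending order.
    Empty when at least one signature covers 'now': the RRset is then validatable
    and neither code applies. Both 7 and 8 are returned in the mixed case."""
    valid, expired, future = classify_rrsigs(rrsigs, now)
    if valid:
        return []
    codes = []
    if expired:
        codes.append(EDE_SIGNATURE_EXPIRED)
    if future:
        codes.append(EDE_SIGNATURE_NOT_YET_VALID)
    return codes


def encode_ede_option(info_code, extra_text=""):
    """One EDE option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT (UTF-8, no NUL)."""
    text = extra_text.encode("utf-8")
    return struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), info_code) + text


def build_opt_rdata(ede_entries):
    """Concatenate (info_code, extra_text) pairs into OPT RDATA, one EDE option each."""
    return b"".join(encode_ede_option(code, text) for code, text in ede_entries)


def parse_opt_rdata(rdata):
    """Walk OPT RDATA and return [(option_code, payload)]. EDE payloads are decoded to
    (info_code, extra_text); other options are returned as raw bytes. Rejects
    truncated options rather than silently stopping, so a malformed OPT is visible."""
    options = []
    off = 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError("OPTION-LENGTH runs past end of OPT RDATA")
        data = rdata[off:off + length]
        off += length
        if code == EDE_OPTION_CODE:
            if length < 2:
                raise ValueError("EDE option shorter than its INFO-CODE")
            (info_code,) = struct.unpack_from("!H", data)
            extra = data[2:].rstrip(b"\x00")       # tolerate a stray trailing NUL
            options.append((code, (info_code, extra.decode("utf-8", errors="replace"))))
        else:
            options.append((code, data))
    if off != len(rdata):
        raise ValueError("trailing bytes after last option")
    return options


def ede_info_codes(rdata):
    """Just the INFO-CODEs of every EDE option present, in wire order."""
    return [payload[0] for code, payload in parse_opt_rdata(rdata) if code == EDE_OPTION_CODE]


if __name__ == "__main__":
    NOW = 1_569_888_000  # constructed clock value (2019-10-01T00:00:00Z)
    pathological = [
        Rrsig("example.", NOW - 7 * 86400, NOW - 86400),   # expired yesterday
        Rrsig("example.", NOW + 86400, NOW + 7 * 86400),   # not valid until tomorrow
    ]
    codes = ede_codes_for_rrset(pathological, NOW)
    rdata = build_opt_rdata([(c, "example./RRSIG") for c in codes])
    print(codes, rdata.hex(), ede_info_codes(rdata))
```

Whether a responder is allowed to emit two EDE options this way is exactly the open question in the message; the parser above deliberately keeps every option it finds, so a client that wants "first EDE wins" or "all EDEs" semantics can decide that itself instead of having the decoder pick for it.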