[DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.

Michael StJohns <msj@nthpermutation.com> Fri, 30 August 2024 03:08 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FE2BC151992 for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2024 20:08:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 48CC0XFuJHbb for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2024 20:08:33 -0700 (PDT)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BECCFC151549 for <dnsop@ietf.org>; Thu, 29 Aug 2024 20:08:33 -0700 (PDT)
Received: by mail-qv1-xf2d.google.com with SMTP id 6a1803df08f44-6c34c02ff1cso431816d6.2 for <dnsop@ietf.org>; Thu, 29 Aug 2024 20:08:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1724987312; x=1725592112; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=64c/+GFfgUG8WpI8FWwubs9NciVjHCUArGQLKSqxe0Q=; b=RLD5Mib0XEZPRiiWFgqJaKHjwf0CyMQllsG1GIf/LOroCHPeaOThbtWtoJeJthEiSA Ss3JAym0mSBYa+KskjH77msQOoV6nIXWF2tjN5YPM6BzVlZiyo+GvSfaSqHKmjFL5oTV t7KFmNDhlKGqctFz4/D0bRxuNg2+/c5dU2SmrAF9dI3NYh12vG5sWa66jzjVHATg1+c7 1CLTwxHZ62UbwgGYo0LIF6/NXjFKtF1DuLh7x6CFMMEjezCxfLA7nTUzjIr65kyPj+b+ uT5KJXsfw/cd50K1XRav+cTGEJ8XTdALf9iV9qGJzfjPftNS7ZDmuW2TXiqSTMzoykGZ LWgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724987312; x=1725592112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=64c/+GFfgUG8WpI8FWwubs9NciVjHCUArGQLKSqxe0Q=; b=M6UtygkGU6FioxhVVbQwwbKQNUJLPAKrJs7Cho+NJX3sHyr4NoFqcXR/zdZr8V1lKo um5tYfi76JYFBWbv+y7wFRT1e+AD/0Caq8hjkcqCMM94OM3aLWiqSoCmis4DeFcPi+Hi Y8Aj53csyB3ICRBjvHIUfImO+YmJ2Fs8KUiF/0tyjj2v1/UfQ82G5m3ss2TPy69CcUYi udogp2y3eJtRrfrubANvtYhqPwjE3+YSo/IUrLfxhqyZ4Yqh315xynr8UyoL1OCs1G6K cc1TZNaAt8Muqd7H4u4NM36cA7IU5fzvciDWorGohzBZKQrof6VPLEhuMEJC8/HKF2vv 7W6A==
X-Gm-Message-State: AOJu0Ywv96fsJ9O7mBClD9Jdysfs0r2SGxvACZiuY65bu1F/tiN0MLK4 yuSpPDAUhxxCDmNbUVi+8t9DoPLOs6vVkESCd6Ik2tJuCB33VT2oxk6WO014mQhT+u2AkX3uvMm L
X-Google-Smtp-Source: AGHT+IGxYpQA2lRjNB4TvA8k0y1qYBNpp9AkF1GP+J+7P6IEWelADt4pwXVhZimk5L/2Qz4d1bQxKA==
X-Received: by 2002:a05:620a:bd3:b0:79f:fe8:5fce with SMTP id af79cd13be357-7a804182014mr502164585a.3.1724987312253; Thu, 29 Aug 2024 20:08:32 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7a806d37552sm106953485a.77.2024.08.29.20.08.31 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 29 Aug 2024 20:08:31 -0700 (PDT)
Message-ID: <96ad151e-d526-4eac-ba65-1b66340bdd7c@nthpermutation.com>
Date: Thu, 29 Aug 2024 23:08:30 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Warren Kumari <warren@kumari.net>
References: <CAHw9_iL-ZwwA_pckR+=7SndOvqjfcNX9FjZ9Bim24uSYgTxkyw@mail.gmail.com> <98896B9D-259E-4E46-8DC7-E873D8B25F55@icann.org> <d9aed09d-b1c8-4ba1-9d4e-e83d504bfe40@nthpermutation.com> <65A596AD-1A4F-400A-9404-E2D60A54BE66@icann.org> <36118f44-d18d-443b-8aa8-007b8b62db3f@nthpermutation.com> <49523BCB-7747-44A2-97FA-8F46B238B4E0@icann.org> <cb326dc1-cee9-4369-9cb4-7ffc314e0eb3@isc.org> <CAHw9_iJ_xpJ4_WOPqkP6XjahiS01czO3=8fiAZbjUwTop7_zBA@mail.gmail.com> <3A844030-5C0A-4BB7-A56B-B6C8C159D9BC@icann.org> <e220ce5e-7624-4ade-8be4-77685e20f3cf@nthpermutation.com> <CAHw9_iKGt5NpWnAuOh3Sz6RUCc7J=joJHFYL+uNsjRK8wesQ4Q@mail.gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <CAHw9_iKGt5NpWnAuOh3Sz6RUCc7J=joJHFYL+uNsjRK8wesQ4Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: PZRVKIYBY4LTH3XGBH5ZC7PXNPKEXKAE
X-Message-ID-Hash: PZRVKIYBY4LTH3XGBH5ZC7PXNPKEXKAE
X-MailFrom: msj@nthpermutation.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dshD-Qw9Pp8XdP-7ClOXSwFHr64>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On 8/29/2024 9:14 PM, Warren Kumari wrote:
> Yes, I might *personally* decide to use the IANA TA after the 
> validUntil if they haven't published a new one. If I did, that would 
> be entirely my own (bad) decision, and I'm clearly doing something 
> unsupported… just like if I happen to eat a can of beans past their 
> expiration date…

*bleah*  What an awful analogy.   Not even close.

If there are NO OTHER TRUST ANCHORS and you decide to automatically stop 
trusting the ONLY EXISTING TRUST ANCHOR because IANA didn't manage to 
keep to its schedule to add a new trust anchor (which has happened more 
often than not).... you deserve exactly what you're going to get.  The 
ENTIRE DNS tree falling off of your visibility because you can't 
validate anything because you treated the "we plan to stop on this day" 
as "this is invalid whether or not we actually do something".

Trust anchors mostly don't have an expiration date for just this reason. 
DNSSEC could have specified one, but it didn't.  Having IANA ignore the 
DNSSEC spec and tell people to trust  that a TA has an expiration date 
is what's unsupported.

What's also unsupported is automatically deleting the TA based on this 
file, rather than deleting a TA once its been revoked.

Be careful in how you use "unsupported" - I would doubt you'd be able to 
support the assertion from the other DNSSEC documents.

Later, Mike