Re: [DNSOP] Changes since draft-ietf-dnsop-rfc4641bis-13
Matthijs Mekking <matthijs@nlnetlabs.nl> Wed, 24 October 2012 14:36 UTC
Return-Path: <matthijs@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A984E21F8A07 for <dnsop@ietfa.amsl.com>; Wed, 24 Oct 2012 07:36:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.505
X-Spam-Level:
X-Spam-Status: No, score=-102.505 tagged_above=-999 required=5 tests=[AWL=0.094, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MgDTVa5xRKiq for <dnsop@ietfa.amsl.com>; Wed, 24 Oct 2012 07:36:50 -0700 (PDT)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6455E21F89F6 for <dnsop@ietf.org>; Wed, 24 Oct 2012 07:36:50 -0700 (PDT)
Received: from [213.154.224.18] (zoidberg.nlnetlabs.nl [213.154.224.18]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.5/8.14.4) with ESMTP id q9OEadWH078868 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <dnsop@ietf.org>; Wed, 24 Oct 2012 16:36:40 +0200 (CEST) (envelope-from matthijs@nlnetlabs.nl)
X-DKIM: OpenDKIM Filter v2.6.7 open.nlnetlabs.nl q9OEadWH078868
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1351089404; bh=kWNBodfL/1KFE4hsrGM7Rof/rwiMjmv1ZY3hiTQV+6I=; h=Date:From:To:Subject:References:In-Reply-To; b=bPQy17N1eeM3sHPML91mSaMdUk3HbuZtXal5AImebzowEsFsjzPg9aSUx2EwrKB6+ 76oorTtdThs0zttv6eam3XgyVITJWvV97dDMuYckzTozNVPK8CWeL+fu709LcT8Bkx RjBpeeXWVL1Z3xOQoZZphxj6ZD1KDL2TniziGFsk=
Message-ID: <5087FCF8.4020704@nlnetlabs.nl>
Date: Wed, 24 Oct 2012 16:36:40 +0200
From: Matthijs Mekking <matthijs@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: dnsop@ietf.org
References: <507D691F.9000404@nlnetlabs.nl> <50868055.6030809@sidn.nl>
In-Reply-To: <50868055.6030809@sidn.nl>
X-Enigmail-Version: 1.4.5
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="------------enigDC45CC227C24F048316F18AF"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (open.nlnetlabs.nl [213.154.224.1]); Wed, 24 Oct 2012 16:36:40 +0200 (CEST)
Subject: Re: [DNSOP] Changes since draft-ietf-dnsop-rfc4641bis-13
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2012 14:36:51 -0000
Hi, I am against changing the suggestion in Section 4.3.2, even though you provide practices that in one legitimate case DNSKEY is preferred over DS. Such a change would in my opinion have to go through the working group and reach consensus there and I am afraid it is way too late for that. I would not be surprised that after publication, we come up with even more considerations that are also legit and could have been in the incorporated into the document. But at this moment I would not like to discuss changes that delay publication, unless there is detected something fundamentally wrong with the document. Also note that this is to be an informational RFC, not a BCP. The document is not claiming that one approach is better than the other. It merely provides considerations and provides arguments that can help operators to make a well-thought decision. Best regards, Matthijs On 10/23/2012 01:32 PM, Antoin Verschuren wrote: > On 16-10-12 16:03, Matthijs Mekking wrote: >> Hi all, > >> The document draft-ietf-dnsop-rfc464bis-13 has seen some issues >> while being in AUTH and RCF-EDITOR state. This e-mail will list all >> the suggested changes to address those issues. > > While reading the proposed changes and the whole document again, I > noticed another paragraph that is no longer desired. > My question is that now that we do make some changes, it is advised > that this paragraph is also adjusted to fit current day practices. > > The paragraph is 4.3.2. > The advice in this paragraph, which hasn't changed since 2009 when it > was first written down, has been overtaken by new insight and practices. > It advises registries to store only DS in stead of DNSKEY material in > their database. This has proven to be impractical when deploying > DNSSEC on a large scale: > > 1. Current practice proves that the majority of DNSSEC domains in the > world today is provisioned by sending a DNSKEY record to te registry, > and not DS. Running code for the majority of DNSSEC domains uses DNSKEY. > > 2. The old advice is based on the assumption that less errors are > being made when cutting and pasting a DS in a webinterface or reading > it since it is smaller than a DNSKEY. Current practice today however > is that this is all automated, and while provisioning 1.3 M DNSSEC > domains, we have not seen such errors. > > 3. With more algorithms used for DNSSEC today, and some no longer > advised, registries want to hash the DNSKEY to DS themselves so they > don't need to go through a "contacting every child" nightmare when an > algorithm is no longer supported. The DS is owned by the parent, not > the child. Our practice shows that hashing is a minor operation by the > parent. It takes no real effort whatsoever in computation or time. > > 4. The most important motivation for us to use DNSKEY is consistancy > with new processes that did not exist in 2009. DNSSEC secure transfers > (http://tools.ietf.org/id/draft-koch-dnsop-dnssec-operator-change-04.txt) > is the most important one. In a DNS-operator change, the operator > initiating the change needs to send his new KSK (DNSKEY/DS) to the > registry AND needs to relay his ZSK (DNSKEY). It is confusing that in > bootstrapping a delegation a DS needs to be sent, but when transfering > a DS AND ZSK DNSKEY needs to be sent. It is better to use DNSKEY in > both processes so a child operator is never burdened with calculating > a DS or having to think about 2 different fields in EPP that do not > have the same meaning. So our advise is to use DNSKEY syntax for both > KSK and ZSK when transfering to your parent. > > So my advise is to either delete paragraph 4.3.2 since it is bad > advice (there is no convincing motivation given in this paragraph > anyway), or use the motivation given above to advise for using DNSKEY > over DS. > > If needed, I'm willing to write text. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Changes since draft-ietf-dnsop-rfc4641bis… Matthijs Mekking
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Tony Finch
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Antoin Verschuren
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Miek Gieben
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Niall O'Reilly
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Olafur Gudmundsson
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Edward Lewis
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Antoin Verschuren
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Matthijs Mekking