Re: [DNSOP] Fwd: FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt
Daniel Migault <daniel.migault@ericsson.com> Mon, 06 May 2019 22:33 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725581200A4 for <dnsop@ietfa.amsl.com>; Mon, 6 May 2019 15:33:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1KiYBFs6doVs for <dnsop@ietfa.amsl.com>; Mon, 6 May 2019 15:33:02 -0700 (PDT)
Received: from mail-qt1-f178.google.com (mail-qt1-f178.google.com [209.85.160.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1F68120073 for <dnsop@ietf.org>; Mon, 6 May 2019 15:33:02 -0700 (PDT)
Received: by mail-qt1-f178.google.com with SMTP id y42so16827175qtk.6 for <dnsop@ietf.org>; Mon, 06 May 2019 15:33:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yOfCuUzkgdDQnEx/5H8aT1aqHykVqZId5IFHVtXqSyg=; b=QCaVh2J/o/c4w9pyeicA3Gr6cDSzgD9JSD6YU6oj91LE0cQlGcGDbNFBuxWYQtGL+E aLEn5d9pEEuta0KoCLJ6XVVM5zJ2gH5Dj6pnYdjy6mAqi3JtRdB1FmMbGu/65Fr5m3Yt 6O6TJmyuq+EFJ+HXIwDzTVQf3SmH8sUBIvZny6XR9gBcu2kCeKmKh6xCXk7wbpS8ULkR 0UjJFj6eLgx+6eHyDNsfoEb8FQYe1LD7MDAwioGzUr4xm1GfRD9EjtpKH8NuDhJYme2v +CsV90LGL9q9GtZCaVKeZaOwxe1WAETHakN9zX6xuD+Bhqj9dHk3wcHgC5xaax91Z36p AUMA==
X-Gm-Message-State: APjAAAUNv7SI+Cjn1YK/wrhdcl9U7194W2bxHbX1GC/YrCGBGUQPvuQ9 ObdM1GdUnRMIiQkc2sBlpgkCGQEozC+M+/yIcJ27er1o
X-Google-Smtp-Source: APXvYqxkmBw8qKTTeODaexj80PesjNrTr33/kBHtjYKi0Ve6AbggJRBCtXgGlCV/fWLgIjcpRhMmkgAvjyK34hhVX0I=
X-Received: by 2002:a05:6214:10e1:: with SMTP id q1mr22698608qvt.39.1557181981633; Mon, 06 May 2019 15:33:01 -0700 (PDT)
MIME-Version: 1.0
References: <154342814186.13692.7258212111896455439.idtracker@ietfa.amsl.com> <DM3PR15MB10029872937ACF23722DB328E3D10@DM3PR15MB1002.namprd15.prod.outlook.com> <CADZyTk=uhvqXYy_sVXD8_Svs3-e=zdxQpupo1X-7_9-QiLLHEQ@mail.gmail.com> <6.2.5.6.2.20190324070321.0f9445e8@elandnews.com>
In-Reply-To: <6.2.5.6.2.20190324070321.0f9445e8@elandnews.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 06 May 2019 18:32:49 -0400
Message-ID: <CADZyTknhFBqaVeMhrhWyy3gxMm1GOQVnesa2FyrOPiPnNmZLxw@mail.gmail.com>
To: S Moonesamy <sm+ietf@elandsys.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ddb34905883faea5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ecTKBrHMGZry64zzM0QEQuFVDGU>
Subject: Re: [DNSOP] Fwd: FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 May 2019 22:33:05 -0000
Hi, Thanks for the feed backs. We discussed your feed backs at the IETF meeting and ... delayed your response. I apology for it. Please see my comments inline. Yours, Daniel On Sun, Mar 24, 2019 at 10:41 AM S Moonesamy <sm+ietf@elandsys.com> wrote: > Hi Daniel, > At 07:10 AM 23-03-2019, Daniel Migault wrote: > >We would particularly appreciate to share your thoughts and discuss > >the requirements to operate DNSSEC validators. In particular, feed > >backs from operators or implementers would be more than welcome. > >Please feel free to share your thoughts on the mailing list, > > I took a quick look at the draft. The reference for RFC 7598 might > be a typo [1]. > > Section 6.1.1: > > "Because of this, it is recommended that implementations make the root > zone trust anchor obvious to the operator while still enabling > configuration of general trust points." > > The meaning of "obvious" in the above sentence might not be that obvious. > <mglt> I understand your comment as our use of obvious is misleading. What we meant here is that the root zone TA is a by default configuration. <mglt> > > Section 6.2 discusses about a data store and references RFC 5011 as a > requirement [2]. I read a comment [3] about RFC 5011 in which one of > the assumptions of that RFC is mentioned: "The resolver has access to > persistent writeable storage that will work across reboots". I am > not sure whether that is usually the case for unmanaged devices. > > <mglt> Thanks for the pointer. You are correct we should also mention that the storage be updated with new keys. I guess the issue is not only for unmanaged devices. </mglt> > Section 8: > > "In order to anticipate the sunset of one of the signature scheme, > a DNSSEC validator may willing to estimate the impact of deprecating > one signature scheme." > > The sentence is not clear. > <mglt> The purpose was to provide means to enable old cryptography to be removed from the resolvers. In other words, resolvers are not expected to keep all legacy crypto. </mglt> > > As an overall comment, I suggest considering whether the audience is > the average working group participant only. If that is not the case, > the draft could do with an editorial pass. > > <mglt> Thanks! we will do. Rather than discussing about requirements, we will move this to operational practises I believe that will make the document clearer. </mglt> > Regards, > S. Moonesamy > > 1. I assume that it is RFC 7958. > 2. The sentence actually makes a recommendation. > 3. > > https://blog.cloudflare.com/its-hard-to-change-the-keys-to-the-internet-and-it-involves-destroying-hsms/ > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] FW: New Version Notification for draft-mg… Daniel Migault
- [DNSOP] Fwd: FW: New Version Notification for dra… Daniel Migault
- Re: [DNSOP] FW: New Version Notification for draf… Daniel Migault
- Re: [DNSOP] Fwd: FW: New Version Notification for… S Moonesamy
- Re: [DNSOP] Fwd: FW: New Version Notification for… Daniel Migault