IETF Logo Mail Archive

[DNSOP] negative-trust-anchors-02

Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 19 March 2015 03:45 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60E281A873B for <dnsop@ietfa.amsl.com>; Wed, 18 Mar 2015 20:45:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.758
X-Spam-Level: *
X-Spam-Status: No, score=1.758 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eea-V451rF3d for <dnsop@ietfa.amsl.com>; Wed, 18 Mar 2015 20:45:30 -0700 (PDT)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0A991A872C for <dnsop@ietf.org>; Wed, 18 Mar 2015 20:45:30 -0700 (PDT)
Received: from mx1.yitter.info (unknown [67.211.120.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 157A48A035 for <dnsop@ietf.org>; Thu, 19 Mar 2015 03:45:29 +0000 (UTC)
Date: Wed, 18 Mar 2015 23:45:27 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20150319034526.GB6046@mx1.yitter.info>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/fP6LTUi2C3m0PdvqT5BPqct1ctY>
Subject: [DNSOP] negative-trust-anchors-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 03:45:34 -0000

Dear colleagues,

I have read draft-ietf-dnsop-negative-trust-anchors-02.  I have some
comments.

To begin with, I support, very strongly, getting this basic idea
documented and published soon.  Recent commentary (I will not say
"fatuous") on DNSSEC complained at length about DNSSEC failures, as
though returning to those halcyon days where "Certificate Invalid.
Proceed? [YES] [no, why would you ever press this?]" dialogues were
the norm would be nice.  NTAs are needed to aid with making DNSSEC
compatible with human expectations.

In section 1, it'd be nice to break up some of the references to other
documents at the beginning.

In my opinion, the final paragraph of section 1 could be cut without
any damage to the document.  Certainly, everything starting with,
"When I see folks voice opinions…" is editorial and can profitably be
removed.  Regardless of how much I might agree with the sentiments, I
don't think that's necessary for a protocol document to adopt that
argumentative tone.  The Introduction elsewhere gives ample reason
that NTAs are a potentially useful innovation for effective
deployment of DNSSEC.

In section 2, I am jarred slightly by the description of NTAs as the
inverse of TAs.  I wonder whether they're actually the converse or,
more likely, reverse of TAs.  None of these are satisfying to me.
Perhaps I spent too much time in syllogism school.  I don't feel
strongly about this, but I found it distracting, and probably just
saying, "By way of analogy, negative trust anchors stop validation…,"
or something along those lines.

In section 4, I would be stronger in this sentence:

   End users generally do not know what DNSSEC is, nor should they be
   expected to at the current time (especially absent widespread
   integration of DNSSEC indicators in end user software such as web
   browsers).

That sets the bar way too low.  How about this:

    End users generally do not know of, understand, or care about the
    resolution process that causes connections to happen.  This is by
    design: the point of the DNS is to insulate users from having to
    remember IP addresses through a friendlier way of naming systems.
    It follows from this that end users do not, and should not, be
    expected to know about DNSSEC, validation, or anything of the
    sort.

In section 5, I'd remove "and is potentially harmful to DNSSEC
adoption."  DNSSEC is not, as the I-D argues (IMO correctly) an end in
itself.  

I don't understand why section 6 is in the document, and I really
don't understand why it is in the location it is.

Everything up to section 7 seems to be motivational.  It might be nice
to group all of itq into a big section (Introduction and Motivation) or
something like that, and then deal with the normative parts in another
section (leaving the sections 1-6 as subsections instead).  There are
some people who feel very strongly that the motivation stuff needs to
be in a separate document, but publication would probably be eased by
the single introduction and motivation section.

In section 7, there are these bits:

   Technical personnel trained in the operation of DNS servers MUST
   confirm that a failure is due to misconfiguration, as a similar
   breakage could have occurred if an attacker gained access to a
   domain's authoritative servers and modified those records or had the
   domain pointed to their own rogue authoritative servers.
   […]
   Finally, they should make a
   reasonable attempt to contact the domain owner of the misconfigured
   zone, preferably prior to implementing the Negative Trust Anchor.

How are you going to do the first part without the last part?  Is this
to cover the, "I saw them post on a mailing list," case?

After that, there's

   In the case of a validation failure due to misconfiguration of a TLD
   or popular domain name (such as a top 100 website), this could make
   content or services in the affected TLD or domain inaccessible for a
   large number of users.  In such cases, it may be appropriate to use a
   Negative Trust Anchor as soon as the misconfiguration is confirmed.

It seems to me that the top 100 website cases are exactly where one
would most expect malfeasance, and therefore the names where one needs
the strongest diligence, no?

In the final paragraph of section 7, it'd be nice also to point out
the isolation across the tree: example.com's NTA need not (MUST NOT?)
affect .net or example.net or lower.example.net or even example2.com.

Respectfully submitted,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.23.0 | Report a Bug | By Email