[DNSOP] draft-wallstrom-dnsop-dns-delegation-requirements-03
Edward Lewis <edward.lewis@icann.org> Sat, 12 November 2016 21:16 UTC
Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4884C129421 for <dnsop@ietfa.amsl.com>; Sat, 12 Nov 2016 13:16:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.698
X-Spam-Level:
X-Spam-Status: No, score=-5.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sr_UPq5EJlE2 for <dnsop@ietfa.amsl.com>; Sat, 12 Nov 2016 13:16:17 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93D1D12711D for <dnsop@ietf.org>; Sat, 12 Nov 2016 13:16:17 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sat, 12 Nov 2016 13:16:15 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1178.000; Sat, 12 Nov 2016 13:16:15 -0800
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: draft-wallstrom-dnsop-dns-delegation-requirements-03
Thread-Index: AQHSPSoArDi3ElWujkOhYEQUfFnQNA==
Date: Sat, 12 Nov 2016 21:16:14 +0000
Message-ID: <ED2B34F2-0C3C-4139-8F04-5246407B675E@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1b.0.161010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.236]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3561862573_2149501689"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fPP4sNFKv978xCecyK_GHbtNcf0>
Subject: [DNSOP] draft-wallstrom-dnsop-dns-delegation-requirements-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Nov 2016 21:16:19 -0000
I read through the document and had a lot of comments, so maybe I need to "back up a bit." I'm conflicted over documents that define good operational practices over top of a standard protocol. There's much evidence we need this, for example, just to pick one, the number of TLD zones with very large DNSKEY sets. On the other hand, confusing operations and protocol can impair efforts to improve the protocol, such as how round-robin made DNSSEC more difficult in needing to define a canonical order of the resource records within an RR set. I'd support this document but it has to state up front that it has a limited scope, which needs to be properly defined. The origin of my comment is section 2.1 which says that a delegations' name must be a hostname (a'la RFC 1123) and further that registered names are generally good for this. I know that there's no need for a delegation's name to be "printable" in general, the only delegation I can't make work (with DNSSEC) is '*'. E.g., there's no reason I can't have "\007.mylab.mydept.myorg.example" in my zone. Of course, that would not be very easy to access via a web browser location bar. Contrary to that, I had few "problems" with section 3 because it states up front "the public Internet DNS hierarchy" as the application domain. Section 2 and earlier didn't scope the work. What I can't find is a definition for, what is called in section 8, a "fully functional" delegation. Again, that is tied to the lack of scope. And, (as this dives deeper than I intended to mention), in section 8.2 there is this: "Any DNSKEY algorithm number used for in a zone MUST be assigned by IANA." Does that include PRIVATEDNS (253)? (To pick nits, it's not DNSKEY algorithm number, it's the registry of DNS Security Algorithm Numbers.) If someone uses that "IANA assigned" number they won't be "fully functional" for some interpretation of "fully functional." And ... I think IANA "assigned" is the wrong verbage, perhaps IANA registered. By now I've gone far into the weeds. I'd like to see the document state or define what kind of delegations it is covering. I think it is fine to define a kind of something more generic and apply rules to that. Much in the same way that IDNA defines rules for IDNA-aware applications while not altering the basic protocol definition. Bottom line - there ought to be a way to provide operational guidance to participants on the global public Internet while allowing for continued permission-less innovation. Guidance is needed but don't give it in a way that can be used to stop anyone from trying other things in their sandboxes.
- [DNSOP] draft-wallstrom-dnsop-dns-delegation-requ… Edward Lewis
- Re: [DNSOP] draft-wallstrom-dnsop-dns-delegation-… joel jaeggli