Re: [DNSOP] Fwd: New Version Notification for draft-mglt-homenet-dnssec-validator-dhc-options-02.txt
Daniel Migault <mglt.ietf@gmail.com> Tue, 22 October 2013 12:49 UTC
In-Reply-To: <829622C6-AE6A-45DC-B650-E7E2A5D9DC31@hopcount.ca>
References: <20131021071220.8650.43280.idtracker@ietfa.amsl.com> <CADZyTknNZD_L8Jr1zndAH7_Ckd7Ga-d=y1twF4KT9=NONXzjpA@mail.gmail.com> <alpine.LFD.2.10.1310211341050.24547@bofh.nohats.ca> <829622C6-AE6A-45DC-B650-E7E2A5D9DC31@hopcount.ca>
Date: Tue, 22 Oct 2013 14:49:31 +0200
Message-ID: <CADZyTkmTqvbuzyhZqJUP6Fb7fMCmAEmyXEjLiBx1PS6NM2urMg@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: "homenet@ietf.org" <homenet@ietf.org>, Paul Wouters <paul@cypherpunks.ca>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mglt-homenet-dnssec-validator-dhc-options-02.txt
Hi Joe,

Thank you for your comment. draft-jabley-dnsop-validator-bootstrap-00 is mentioned in the draft. We would like to extend this to other non-root KSKs. Otherwise we do not see contradictions with what is mentioned in draft-jabley-dnsop-validator-bootstrap-00. As mentioned: "[...] and believe the principle described in these documents [draft-jabley-dnsop-validator-bootstrap-00, and I-D.jabley-dnssec-trust-anchor] SHOULD be applied by the validators".

Best Regards,
Daniel

On Mon, Oct 21, 2013 at 8:27 PM, Joe Abley <jabley@hopcount.ca> wrote:
>
> On 2013-10-21, at 14:16, Paul Wouters <paul@cypherpunks.ca> wrote:
>
> > For CPE devices, I think querying for the root key without dnssec to
> > use as time and possible TA is something it could possibly prompt the
> > user for. It would work without DHCP and not require new DHCP options.
> > CPE devices could also insecurely query for the proper ICANN website and
> > grab the trust anchor bundle (i.e. what unbound-anchor does) and use the
> > certificate of ICANN.
>
> See also draft-jabley-dnsop-validator-bootstrap-00.
>
>
> Joe
>

--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
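The bootstrap Paul describes above (fetch the trust anchor bundle the way unbound-anchor does, verify it against ICANN's certificate, then trust the KSK it names) has a step the thread does not spell out: once the bundle is trusted, the validator still has to check that the DNSKEY it later obtains from the zone really is the key the bundle describes, and that the anchor entry is within its validity window. The Python below is an added example, not code from the draft, from unbound-anchor or from anyone in this thread. It assumes an anchor file in the root-anchors.xml layout (the format later specified in RFC 7958), computes the DS digest of a DNSKEY per RFC 4034, and matches it against the currently valid anchors. The key and the anchor entries are constructed for the example, so none of the digests are ICANN's; verifying the bundle's own signature or certificate is outside this snippet. It works for any owner name, which covers the non-root KSK case Daniel mentions.

```python
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class DNSKEY:
    """A DNSKEY RR as received by the validator (RFC 4034 section 2)."""
    owner: str          # owner name: "." for the root, "example.org." for a non-root zone
    flags: int          # 257 = zone key with SEP bit (KSK), 256 = ZSK
    protocol: int       # always 3
    algorithm: int      # e.g. 8 = RSASHA256
    public_key: bytes   # raw key octets (base64-decoded)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag, RFC 4034 Appendix B (generic form; algorithm 1 has its own rule)."""
        acc = 0
        for i, octet in enumerate(self.rdata()):
            acc += octet if i & 1 else octet << 8
        return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(key: DNSKEY, digest_type: int = 2) -> str:
    """DS digest = H(owner name wire | DNSKEY RDATA), RFC 4034 5.1.4; type 2 = SHA-256 (RFC 4509)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashers:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return hashers[digest_type](owner_wire(key.owner) + key.rdata()).hexdigest().upper()

@dataclass(frozen=True)
class Anchor:          # one <KeyDigest> entry of an RFC 7958-style trust anchor file
    id: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str
    valid_from: datetime
    valid_until: Optional[datetime]

def parse_anchors(xml_text: str) -> Tuple[str, List[Anchor]]:
    """Return the <Zone> name and every <KeyDigest> entry of the anchor file."""
    root = ET.fromstring(xml_text)
    anchors = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors.append(Anchor(
            id=kd.get("id", ""),
            key_tag=int(kd.findtext("KeyTag")),
            algorithm=int(kd.findtext("Algorithm")),
            digest_type=int(kd.findtext("DigestType")),
            digest=kd.findtext("Digest").strip().upper(),
            valid_from=datetime.fromisoformat(kd.get("validFrom")),
            valid_until=datetime.fromisoformat(until) if until else None))
    return (root.findtext("Zone") or "").strip(), anchors

def anchors_valid_at(anchors: List[Anchor], now: datetime) -> List[Anchor]:
    """Anchors whose validity window covers `now` (validUntil is exclusive)."""
    return [a for a in anchors
            if a.valid_from <= now and (a.valid_until is None or now < a.valid_until)]

def match_anchor(key: DNSKEY, anchors: List[Anchor], now: datetime) -> Optional[Anchor]:
    """The currently valid anchor this DNSKEY corresponds to, or None.
    Requires the SEP bit, a matching key tag and algorithm, and an equal
    recomputed DS digest (compared in constant time)."""
    if not key.flags & 0x0001:
        return None
    for a in anchors_valid_at(anchors, now):
        if (a.key_tag == key.key_tag() and a.algorithm == key.algorithm
                and hmac.compare_digest(ds_digest(key, a.digest_type), a.digest)):
            return a
    return None

# Constructed sample: a 4-octet "RSA key" is not a real key, it only exercises the logic.
SAMPLE_KSK = DNSKEY(owner=".", flags=257, protocol=3, algorithm=8, public_key=b"\x01\x02\x03\x04")
EXAMPLE_NOW = datetime(2013, 10, 22, tzinfo=timezone.utc)      # inside "current"'s window
BEFORE_CURRENT = datetime(2008, 6, 1, tzinfo=timezone.utc)     # only "old" is valid then

# Constructed anchor file in the root-anchors.xml layout (RFC 7958), not ICANN's published one;
# "old" has expired and its digest matches nothing, "current" is open-ended.
SAMPLE_ANCHORS_XML = """<TrustAnchor id="constructed-example" source="constructed for this example">
  <Zone>.</Zone>
  <KeyDigest id="old" validFrom="2005-01-01T00:00:00+00:00" validUntil="2012-01-01T00:00:00+00:00">
    <KeyTag>12345</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{old}</Digest>
  </KeyDigest>
  <KeyDigest id="current" validFrom="2011-01-01T00:00:00+00:00">
    <KeyTag>{tag}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{cur}</Digest>
  </KeyDigest>
</TrustAnchor>
""".format(old="00" * 32, tag=SAMPLE_KSK.key_tag(), cur=ds_digest(SAMPLE_KSK))
```

A validator that fetched the bundle would call `parse_anchors` on the downloaded file and `match_anchor` on each DNSKEY with the SEP bit in the zone's apex DNSKEY RRset, using the current time; a key whose tag collides with an anchor but whose digest differs is rejected, as is a key that only matches an expired entry.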