IETF Logo Mail Archive

Re: [DNSOP] [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)

Daniel Salzman <daniel.salzman@nic.cz> Sun, 21 April 2024 19:08 UTC

Return-Path: <daniel.salzman@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 786C4C14F5F4 for <dnsop@ietfa.amsl.com>; Sun, 21 Apr 2024 12:08:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lrvm9GQeQKpy for <dnsop@ietfa.amsl.com>; Sun, 21 Apr 2024 12:08:17 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A5F4C14F5F3 for <dnsop@ietf.org>; Sun, 21 Apr 2024 12:08:16 -0700 (PDT)
Received: from [IPV6:2001:1488:fffe:6:262f:6afe:db58:b621] (unknown [IPv6:2001:1488:fffe:6:262f:6afe:db58:b621]) by mail.nic.cz (Postfix) with ESMTPSA id EBE851C0352; Sun, 21 Apr 2024 21:08:11 +0200 (CEST)
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=daniel.salzman@nic.cz smtp.mailfrom=daniel.salzman@nic.cz
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1713726492; bh=p82B//Zf6diH+IsthwZYC5Zqf0s4TnzX9znMwEq5XFc=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Reply-To: Subject:To:Cc; b=nQwbToi8/A4CmDVZJRtAoNTz/kAUvoNc4Iuuy0jRjDcb2+MvzLuIzxIyLTazoq7IQ mB56YFhFI7ge/a1mFDD97ThnieXy4VTXb4R+X884WdLphWgNdcndMu48eqycEDjh6l Jaju/wQNeRHenklth9ygjTC2y3afl0DZ5Gt8DPGA=
Message-ID: <ad710042-d2db-4ed9-8515-63390388bd3e@nic.cz>
Date: Sun, 21 Apr 2024 21:08:10 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Paul Wouters <paul@nohats.ca>, Peter Thomassen <peter@desec.io>
Cc: drafts-expert-review-comment@iana.org, nils@desec.io, dnsop@ietf.org, Oli Schacher <oli.schacher@switch.ch>, Q Misell <q@as207960.net>, Christian Elmerot <christian@elmerot.se>
References: <rt-5.0.3-225992-1713566832-1739.1362913-9-0@icann.org> <647558F8-2FEF-4418-AE1C-3BDC3B22A89B@nohats.ca> <1cb4663f-9502-47db-a099-ce5147bb733e@desec.io> <94ea3a71-6c1c-10af-a71f-7cee34e8d0d4@nohats.ca>
Content-Language: en-GB
From: Daniel Salzman <daniel.salzman@nic.cz>
Autocrypt: addr=daniel.salzman@nic.cz; keydata= xsFNBFljlBcBEACuCSBlN1vTS9eEDqowZcLAAF8NytcTlRjXTLWMQtjU+fXkz9Vz10n9TIFj 9Kcec0p0+8F+SowybecwhmYoUzhKI7S9M1ziUmaIhFs2KvZ1GzigE/W5L448P/7pugh875e1 tIrkrbbcIp6+SxaLbgvXlFl630ILZl/gbYOa/Wk21sLu4RjQY39oHb0WTiwPnKhdMdwlnxm6 HeWkHzlvI9N8tlDc6oVnUfqVI8gUyExLnEYjDpZforTVgHRq6RNyfTRZkh8zRsXSTnJlk/bV EDW5i/VgIQugzkgpuTGWlCstryi/MRheNxU1YEUenT69okb96QStfr1J00n8L4VAs8V5IuFU cSc8UqSpB+LgERRTMRFo9IrEXAW/gEKlEVR+501BvJ0/Qggxbgz4PEnKNaxXmAnykJzot2VD KTzrr26a9LnrT0GWom9rg89Ih876PA53vUXBB+FWP9QOFDcOfz3nMjCrLbMzhTsAzrNFXxch zLq+66CLqsQQytDVFpLI+X++sKRTOHkq6vV1bAPjlljrannLnn1y/DvkOOkiHOdYyjmR7Dfk vxgcWh/3Gx4J9gipxZITOr7LamEYgHfElY/UWCtc1Vjt8Xvgt4dofDpvSwY9YzgRWxJKC5ew YdqTCI+zxL1f0fjkeiRYNi959UMMjgdcY7Zpi8oPPQmlyBw15QARAQABzSZEYW5pZWwgU2Fs em1hbiA8ZGFuaWVsLnNhbHptYW5AbmljLmN6PsLBlAQTAQoAPgIbAwULCQgHAwUVCgkICwUW AgMBAAIeAQIXgBYhBHQvpOlYKbbF6sa4VxC7evb+u9arBQJhp0QqBQkRkKUTAAoJEBC7evb+ u9ardC8P/3MOFkzXxU2B40C9YHLH+VU5omunG9yIBGBYRuBhhtgfHAfYkYxmOvRcXPknNeR/ 43tjH3YPlXsbBf3R4aD59MDIw0zhMB+TWyHML1P+p6PhxNRXCK6eaKRXW9d+/uaeMke46h6q tjVq3nPiBaKtfLIwqE2mD95uClxDt/4PGwuA0kWKFT7DV4gUwqcZqWtIGHrY0gglayT6F1Vo +x71cyGOKCiBDezv9LLuEANX62fA+/+zrGPWMFX4FA10lnBiww5cQQUG81NurnuvObYLJPdE p8b2GnlJ0MNAebLHP3qEetliXW/aHqofyiuzwSADvkjLaqwR58lJIRudIGgDKkCh/ZD2UCBT DVLBm5C/+Yui5sJWqLT0e5U5vLIosXHODIVEy9jC8mkMqYuG8CeqLiJeGolBNEzlolzWh2yc JoZQ7hGm97mNP2MQazgITbN4C7m8Y7WdJ5V1yKw8n6jyOLeEVS1b+0g2R9PKDC8taVH4o7xg zx5M5d4jybR23ic9vo17WzWL+Km7iF5LtcPKO88HX+bmSmZYiCcLrBDIPVrtt4OHriwjJte8 nOmZfRenUmI92oLuAflgWrR7OdnklT6PrAEO2X7nkjoP4iBRjYFXisZeNdLGGfz2BEoPyfFV QaFZjWWwbDRS2oYqIfr4aQ/akvaTszPfhbgsAq/AS2+czsFNBFljlBcBEADpGfFgbzb9f4Dj 2yuAdH3IjGUepKroiE2f6IlDmWlWl94Ei04bg0O7gCrlfjWkAnc0rGwI9XraARqV38LuAmtM jmtqD/zsZgUWjpBGvAaxZUY5Eaz0bWkEXtlnCE8nAPcx5qAZk19ZnNHFd58vU/eauk7d61IQ TAQ0e0KoQw/rH8keHdIqicoCUvjF+PcXnhoqPi6khyPEYEAkfy7rps3UaZiOy0HPNsPhNY1P B8qCnXlfGOtOBtOEXLsIGg6BxoCmJhM8TsPmcHX4DKEaOc7dmU2DLVkgdUMWTocRqRqooz1C WQmdmwHb5xOpeVXR62YVCx50KDaxSJ6vSGEisQ460ZBtjU/7S+/5VGho3KbeuK2X7vREbxaC sc0sxEdUZ4tGreA4We353/eHuZ4Aps5Fb9ljfRSnC2G2VliByIXOgMkJbwF7WLVfi2iJRoyQ WHv2N3thO9nzv4/gOWUL0w2yirlxj9scE1li1d/vLpepWpijYhsVRHdVcq3NI3l5iblikU9z POaDVs2CXeLpYFw4XgQ8QkRWNn67Wvn0299UtDxdWH9CYugbvHygVy+FZy0zLXtV2bipmOlI D4HWxChx6F2tr7FP49ZXSRytimyrCRh4VFCckaoi6lYeei2oY4E0DJBYhyMrornLQJ6Kglmk 03k57leWgxexiaBexH6BNQARAQABwsF8BBgBCgAmAhsMFiEEdC+k6VgptsXqxrhXELt69v67 1qsFAmGnRF0FCRGQpUYACgkQELt69v671qtpnxAAjNYg3w6FpPLJ4bjnU4Z67v7nGdia4/uN MaUW4/hDrhW3lYBznh2EgsLLalEiYyX/Qx+OrdY452pJBWJqgmkcWSCPLzP0wVf+FmosLnug OY2cjxf9sb8CkYxAPtSh4Afit5x/uOa2pHItR4N3bA4SxJEgK3JzMf+bjdRy3iRKFc/a6LW+ oA/yn1S190iaDI1ZX3UnflKPFKIW+n5gC42f6OycOJUHNgkCWT+t03WHoT5wN+n8ZhpcONXE vLxuKm4Q3mJxkYwfbS2SJWy89Dkn74A5Kt4jzfQTrYgkEpT2TBBr2JJtbG1yfEmY4RUEY3aA n7ZYB3a4D1kIIlp9NeJV7nshzF3Y/nNGqsOfRsCYjKXTg0qdUCe2FAb5vqES65oqFOSPZO+G ZeQfzgFwC8oLzbI0FzXOvPF8sj9Y9kmuHYhWFdZWFbXdh3p5SapSTynSFDlmF0v0Pp9AlJfG R2Jq4wmi/UKeNH/74060REFKT7uFtNv3bWr9usxleAn3vW7fVvSxGh5/JttuMdJaM1VI/oQ2 fjh5B9LToJSZzug3XxsaEeaWaErhrP2Ll5DgeVQTkr1/jPvJBFMzpd8inMOtY58V9pi9iRwL oJtHzGdv4s6WrAofMpXChYYtKt55KGo99rNASNHdXnZd0WbJUiuW2PslHGK1bb2So7T0ARqV H2U=
In-Reply-To: <94ea3a71-6c1c-10af-a71f-7cee34e8d0d4@nohats.ca>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------mHRgYIvteY4SWx0RjJxnIhhB"
X-Virus-Scanned: clamav-milter 0.103.10 at mail
X-Virus-Status: Clean
X-Rspamd-Action: no action
X-Rspamd-Pre-Result: action=no action; module=multimap; Matched map: WHITELISTED_IP
X-Spamd-Result: default: False [-0.20 / 20.00]; MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~]; FROM_HAS_DN(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; WHITELISTED_IP(0.00)[2001:1488:fffe:6:262f:6afe:db58:b621]; ARC_NA(0.00)[]; ASN(0.00)[asn:25192, ipnet:2001:1488::/32, country:CZ]; FROM_EQ_ENVFROM(0.00)[]; HAS_ATTACHMENT(0.00)[]
X-Rspamd-Queue-Id: EBE851C0352
X-Spamd-Bar: /
X-Rspamd-Server: mail
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/h0N5TsIY4BCuqnTEg6uPXPApBW4>
Subject: Re: [DNSOP] [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Apr 2024 19:08:22 -0000

Hello all,

We (Knot DNS) don't see any issue with updating our implementation if necessary.
Personally I'm fine with the current format.

Daniel

On 4/21/24 01:38, Paul Wouters wrote:
> On Sat, 20 Apr 2024, Peter Thomassen wrote:
> 
>> The authors certainly don't insist, but we'd need to pick a suitable replacement for the "_signal" label.
>>
>> John proposed "_dnssec-signal" elsewhere in this thread.
>>
>> The authors would like to note that adding "_dnssec-" eats up 8 more bytes, increasing chances that bootstrapping will fail due to the _dsboot.<domain-name>._dnssec-signal.<nsname> length 
>> limitation. Other than this (unnecessary?) use case narrowing, this choice seems fine.
>>
>> That said, does this choice address your concerns?
> 
> It would, but I would also be okay if it is just _dnssec.
> 
>> The main question then is to get implementations updated. I'm thus copying a few implementers so they can comment w.r.t. making this change in their implementation. I suppose that barring their 
>> objections, it's fine to go ahead?
> 
> I feel less sympathy there because I brought this up a long time ago :)
> But also, implementations are all young and new and I think it is still
> pretty easy to change.
> 
> Paul

v2.31.3 | Report a Bug | By Email | System Status