[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

Paul Hoffman <paul.hoffman@icann.org> Mon, 17 June 2024 20:18 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Tim Wicinski <tjw.ietf@gmail.com>
Date: Mon, 17 Jun 2024 20:18:06 +0000
Message-ID: <9DE49AD4-13B4-48DC-B68C-9172CB91F5F6@icann.org>
References: <CADyWQ+Hn260OEfcF8HEJ0jbfGOvL3GZnQN9=Bpod40TVxY8U_g@mail.gmail.com> <D3C5248E-39A9-4D23-A18D-F906E201B99A@strandkip.nl> <CADyWQ+EZuP+54MY21B_Q8yHz1myurhOypBsdVAZYkwhHZN+exQ@mail.gmail.com>
In-Reply-To: <CADyWQ+EZuP+54MY21B_Q8yHz1myurhOypBsdVAZYkwhHZN+exQ@mail.gmail.com>
CC: Joe Abley <jabley@strandkip.nl>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hSR-9qTq_vnZVcQ9-e_R5DDIxqw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On Jun 17, 2024, at 09:52, Tim Wicinski <tjw.ietf@gmail.com> wrote:
> On Mon, Jun 17, 2024 at 12:19 PM Joe Abley <jabley@strandkip.nl> wrote:
>> On 17 Jun 2024, at 17:54, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>>
>>> Oh that's a very good point, and does make that assumption. "will be valuable if root-servers.net is DNSSEC signed" does not make that assumption.
>>
>> It perhaps narrowly avoids one of the assumptions I mentioned but it still warmly embraces the other one.
>>
>> I still think this text speculates about the future and I still don't know why we think that is a good idea.
>
> The more I think about this, I believe you are correct that we can not make any assumptions about the future.
>
> It then feels like that last paragraph is removed. Thoughts?

The paragraph reads:

If the "root-servers.net" zone is later signed, or if the root servers are named in a
different zone and that zone is signed, having DNSSEC validation for the priming queries
might be valuable.
The benefits and costs of resolvers validating the responses will depend heavily on
the naming scheme used.

It is still accurate as it stands, does not lead to an assumption of what name would be signed and, more importantly, strongly indicates that the name that eventually gets signed might be different than root-servers.net. I'm not sure why we would want to remove that.

--Paul Hoffman