Re: [DNSOP] dnssec-kskroll-sentinel-06 clarifications

Geoff Huston <gih@apnic.net> Wed, 28 March 2018 02:55 UTC

From: Geoff Huston <gih@apnic.net>
Date: Wed, 28 Mar 2018 13:54:51 +1100
References: <dfb0182f-fada-c1ea-93fc-4f8c29046725@nic.cz> <F3995DA1-2BDB-4576-B1F7-0EC40EB5D77F@apnic.net>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <F3995DA1-2BDB-4576-B1F7-0EC40EB5D77F@apnic.net>
Message-Id: <DD8FB430-5C55-450F-8EBA-3E64563E8995@apnic.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hawKGa6eJxr8pU6AQsd3FtcX0wY>
Subject: Re: [DNSOP] dnssec-kskroll-sentinel-06 clarifications
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

> 
> I was VERY surprised to see the opposite text sneak its way into 
> a pull request, and equally surprised that a co-author of the draft
> approved the request and pushed the -09 version without raising this
> on the mailing list, particularly as it directly contradicts your 
> message here.
> 
> The current text in -09 reads: 
> 
>   The DNS response is DNSSEC validated, regardless of whether
>   DNSSEC validation was requested, and result of validation is
>   "Secure"
> 
> I believe this text in the current draft is incorrect and leads to
> the wrong behaviour. The idea is for the resolver to act in a manner 
> that is consistent with the way it would behave in a hypothetical key
> roll scenario - and if the query has the CD bit set the resolver would 
> return the response without this special process.
> 

My sincere apologies for the intemperate tone of this post, and to Paul and Warren
here. I managed to choose a form of expression that conveyed a far more strident
and aggressive tone than I intended, and I sincerely did not intend to cause
offence here. In any case I do apologise for this, and I'll attempt to be far
more prudent in future with my postings to this list.


    Geoff