Re: [DNSOP] I-D Action: draft-ietf-dnsop-kskroll-sentinel-15.txt

Bob Harold <rharolde@umich.edu> Thu, 05 July 2018 17:49 UTC

MIME-Version: 1.0
References: <153056261341.16368.17424614083368225701@ietfa.amsl.com>
In-Reply-To: <153056261341.16368.17424614083368225701@ietfa.amsl.com>
From: Bob Harold <rharolde@umich.edu>
Date: Thu, 5 Jul 2018 13:48:59 -0400
Message-ID: <CA+nkc8BQ5h=SkeNLLZi9kUmAr72U-Dxiz=Bej9XrJeqbo2FMSA@mail.gmail.com>
To: IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001d5c060570442a72"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hbJCpYj-TSetZQbNG3EMlsXgt1I>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-kskroll-sentinel-15.txt

On Mon, Jul 2, 2018 at 4:17 PM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
>         Title           : A Root Key Trust Anchor Sentinel for DNSSEC
>         Authors         : Geoff Huston
>                           Joao Silva Damas
>                           Warren Kumari
>         Filename        : draft-ietf-dnsop-kskroll-sentinel-15.txt
>         Pages           : 21
>         Date            : 2018-07-02
>
> Abstract:
>    The DNS Security Extensions (DNSSEC) were developed to provide origin
>    authentication and integrity protection for DNS data by using digital
>    signatures.  These digital signatures can be verified by building a
>    chain of trust starting from a trust anchor and proceeding down to a
>    particular node in the DNS.  This document specifies a mechanism that
>    will allow an end user and third parties to determine the trusted key
>    state for the root key of the resolvers that handle that user's DNS
>    queries.  Note that this method is only applicable for determining
>    which keys are in the trust store for the root key.
>
>    [ This document is being collaborated on in Github at:
>    https://github.com/APNIC-Labs/draft-kskroll-sentinel.  The most
>    recent version of the document, open issues, etc should all be
>    available here.  The authors (gratefully) accept pull requests.  RFC
>    Editor, please remove text in square brackets before publication. ]
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-kskroll-sentinel-15
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-kskroll-sentinel-15
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-kskroll-sentinel-15
>
>
More nits:

2.2. Special Processing

(last paragraph)
"exactly as if the mechanism described in this document was not
implemented or disabled."

That is a little confusing; the "not" could apply to "disabled".
Better to end with "was disabled or not implemented" or "was not
implemented or was disabled".


4. Sentinel Tests from Hosts with More than One Configured Resolve

"Resolve" -> "Resolver"

-- 
Bob Harold
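The mechanism the quoted abstract refers to, and the "special processing" and "more than one configured resolver" sections Bob's nits touch, can be made concrete with a small simulation. The block below is an added illustration by the editor, not code from the draft, the later RFC, or its authors. The query-name format (a leftmost label of the form root-key-sentinel-is-ta-<key-tag> or root-key-sentinel-not-ta-<key-tag>, key tag as five decimal digits), the answer/SERVFAIL convention, and the four classification outcomes are taken from the sentinel mechanism as the editor understands it, not from text on this page, so treat them as assumptions. The resolver class, the test zone name and the key-tag values are constructed for the example; 20326 and 19036 are the key tags of the 2017 and 2010 root KSKs.

```python
"""Toy model of root-key sentinel processing plus the client-side test.

Added illustration (editor's code, not the draft's).  Assumes the label
format root-key-sentinel-{is,not}-ta-<5-digit key tag> and the rule that a
sentinel-aware validating resolver withholds an otherwise-valid answer
(returns SERVFAIL) when the label's claim about its root trust store is
false.  Non-validating resolvers and validating resolvers without sentinel
support answer such names like any other name.
"""
import re

IS_TA = "root-key-sentinel-is-ta-"
NOT_TA = "root-key-sentinel-not-ta-"
SENTINEL_RE = re.compile(r"^root-key-sentinel-(is|not)-ta-(\d{5})$")


def sentinel_label(qname):
    """Return ('is'|'not', key_tag) if the leftmost label of qname is a
    sentinel label, else None.  Matching is case-insensitive, as DNS
    label comparison is."""
    leftmost = qname.rstrip(".").split(".")[0].lower()
    m = SENTINEL_RE.match(leftmost)
    if not m:
        return None
    return m.group(1), int(m.group(2))


class Resolver:
    """Constructed resolver model.  trust_anchors: key tags of the root
    keys in its store.  sentinel_aware: implements the special processing.
    validating=False models a resolver that does no DNSSEC validation."""

    def __init__(self, trust_anchors, sentinel_aware=True, validating=True):
        self.trust_anchors = set(trust_anchors)
        self.sentinel_aware = sentinel_aware
        self.validating = validating

    def resolve(self, qname, answer_valid=True):
        """Return 'A' (an answer) or 'SERVFAIL'.  answer_valid says whether
        the zone's own DNSSEC chain validates; the tester's deliberately
        broken control name sets it False."""
        if self.validating and not answer_valid:
            return "SERVFAIL"          # ordinary validation failure
        lab = sentinel_label(qname)
        if self.validating and self.sentinel_aware and lab is not None:
            kind, tag = lab
            in_store = tag in self.trust_anchors
            # Special processing: refuse when the label's claim is false.
            if (kind == "is" and not in_store) or (kind == "not" and in_store):
                return "SERVFAIL"
        return "A"


def classify(resolver, key_tag, zone="example.com"):
    """Run the three-query client test against one resolver."""
    r_is = resolver.resolve(f"{IS_TA}{key_tag:05d}.{zone}")
    r_not = resolver.resolve(f"{NOT_TA}{key_tag:05d}.{zone}")
    r_bogus = resolver.resolve(f"bogus.{zone}", answer_valid=False)
    if r_bogus == "A":
        return "non-validating"
    if r_is == "A" and r_not == "SERVFAIL":
        return "validating, sentinel-aware, key IS a trust anchor"
    if r_is == "SERVFAIL" and r_not == "A":
        return "validating, sentinel-aware, key is NOT a trust anchor"
    if r_is == "A" and r_not == "A":
        return "validating, no sentinel support"
    return "inconsistent"


def classify_all(resolvers, key_tag):
    """A host with more than one configured resolver: test each one
    separately, and flag the case where they disagree."""
    results = {name: classify(r, key_tag) for name, r in resolvers.items()}
    results["mixed"] = len(set(results.values())) > 1
    return results


if __name__ == "__main__":
    ksk_2017, ksk_2010 = 20326, 19036   # real root KSK key tags
    hosts = {
        "new":    Resolver({ksk_2017}),
        "old":    Resolver({ksk_2010}),
        "legacy": Resolver({ksk_2017}, sentinel_aware=False),
        "nonval": Resolver({ksk_2017}, validating=False),
    }
    for name, res in classify_all(hosts, ksk_2017).items():
        print(f"{name:7}: {res}")
```

Note the ordering in resolve(): the bogus control name is rejected before any sentinel logic, so a resolver that answers it is classified as non-validating regardless of what it says about the sentinel names, and the "inconsistent" branch is what a per-resolver test would surface on a multi-resolver host that silently fails over between resolvers with different trust stores.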