[DNSOP] Fwd: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-03.txt
Peter Thomassen <peter@desec.io> Tue, 30 November 2021 00:24 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3E0B3A0BAC for <dnsop@ietfa.amsl.com>; Mon, 29 Nov 2021 16:24:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id whUEV0wVKTb3 for <dnsop@ietfa.amsl.com>; Mon, 29 Nov 2021 16:24:05 -0800 (PST)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63EE03A0BA4 for <dnsop@ietf.org>; Mon, 29 Nov 2021 16:24:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:Subject:From:To:References:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=/sQEDgW7x1ITNngJZ+vn0CshtTtJoqeiM6O96aqCkOk=; b=K5oScOa5eLwnk1DNxi0UY/0763 Dl4CHLk7Q5/HkY3TfCk5p46RFguxQOLBFqeC4UgG/YmSxXzj0Akh+moYLzSSaYoWdjtlHkggQ8DNs zzIuSBR3JgIRamJ65OiBq4ntohNpYKxZR8+otWi/+zlP0x1KXUaDrQvLFu89hLStccaT/7r75zIZQ iRhSisFU6yNeBTyCNnX4TeJCAnjzaW33QtsfEVeotmBKtqzOeBK43T3rfUhp3JwtlHmyHquxNZPSC naDHNTaiigdNe/ylmuHZJ6xeUI+C4KfVmewvDOaAOO+SJGbwSTcSnaUjuCbvCjRP1B4D1WSAvg60b KRtmjvIw==;
Received: from ip5f5aec68.dynamic.kabel-deutschland.de ([95.90.236.104] helo=[192.168.1.171]) by mail.a4a.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <peter@desec.io>) id 1mrqw9-0006pA-Cb for dnsop@ietf.org; Tue, 30 Nov 2021 01:23:57 +0100
References: <163823024583.13412.3833419565399882982@ietfa.amsl.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
From: Peter Thomassen <peter@desec.io>
X-Forwarded-Message-Id: <163823024583.13412.3833419565399882982@ietfa.amsl.com>
Message-ID: <bc9ec1f2-2ecc-d541-a630-de35ff1faead@desec.io>
Date: Tue, 30 Nov 2021 01:23:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <163823024583.13412.3833419565399882982@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iOya-Z6Hgq-IfDtVHHfJBMBD1VE>
Subject: [DNSOP] Fwd: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 00:24:11 -0000
Dear DNSOP, This draft introduces automatic bootstrapping of DNSSEC delegations. The previous version has been presented at IETF 112, and the new version incorporates the feedback gathered there (and on this list before the meeting). Changes (taken from Appendix, with additional notes): - Clarified importance of record cleanup by moving paragraph up. # this is Section 4.1 - Pointed out limitations. # this is (new) Section 3.4 - Replace [RFC8078] Section 3 with our Section 3.2. # It was proposed to deprecate RFC 8078 Section 3.3 ("Accept after Delay"). Replacing all of Section 3 is one way of doing this. Of course, we can limit the update to Section 3.3. - Changed _boot label to _dsauth. # based on a proposal to switch to _dsbootstrap, but I like _dsauth better :-) - Removed hashing of Child name components in Signaling Names. # as discussed at the meeting - Editorial changes. Looking forward to the next steps! Thanks, Peter -------- Forwarded Message -------- Subject: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-03.txt Date: Mon, 29 Nov 2021 15:57:25 -0800 From: internet-drafts@ietf.org To: Nils Wisiol <nils@desec.io>, Peter Thomassen <peter@desec.io> A new version of I-D, draft-thomassen-dnsop-dnssec-bootstrapping-03.txt has been successfully submitted by Peter Thomassen and posted to the IETF repository. Name: draft-thomassen-dnsop-dnssec-bootstrapping Revision: 03 Title: Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator Document date: 2021-11-29 Group: Individual Submission Pages: 14 URL: https://www.ietf.org/archive/id/draft-thomassen-dnsop-dnssec-bootstrapping-03.txt Status: https://datatracker.ietf.org/doc/draft-thomassen-dnsop-dnssec-bootstrapping/ Html: https://www.ietf.org/archive/id/draft-thomassen-dnsop-dnssec-bootstrapping-03.html Htmlized: https://datatracker.ietf.org/doc/html/draft-thomassen-dnsop-dnssec-bootstrapping Diff: https://www.ietf.org/rfcdiff?url2=draft-thomassen-dnsop-dnssec-bootstrapping-03 Abstract: This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated. Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay" ([RFC8078]). This document updates [RFC8078] and replaces its Section 3 with Section 3.2 of this document. [ Ed note: Text inside square brackets ([]) is additional background information, answers to frequently asked questions, general musings, etc. They will be removed before publication. This document is being collaborated on at https://github.com/desec-io/draft-thomassen- dnsop-dnssec-bootstrapping/ (https://github.com/desec-io/draft- thomassen-dnsop-dnssec-bootstrapping/). The most recent version of the document, open issues, etc. should all be available there. The authors gratefully accept pull requests. ] The IETF Secretariat
- [DNSOP] Fwd: New Version Notification for draft-t… Peter Thomassen