Re: [DNSOP] Multi Provider DNSSEC Models

Paul Wouters <paul@nohats.ca> Thu, 22 March 2018 12:26 UTC

Date: Thu, 22 Mar 2018 08:26:48 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Olafur Gudmundsson <ogud@ogud.com>
cc: Shumon Huque <shuque@gmail.com>, Tony Finch <dot@dotat.at>, "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <9724C1F6-C470-4B4F-AFB3-2085A1B47B26@ogud.com>
Message-ID: <alpine.LRH.2.21.1803220822330.6096@bofh.nohats.ca>
References: <CAHPuVdVi5C3nyVuG2aiLefN7eFPOx+GnOCxU40iio_Gn0oQ8qA@mail.gmail.com> <DFCE50F5-2385-4512-BF9F-1266C0DA4D6E@dotat.at> <CAHPuVdXy+oYgQEUoHoxN7W1BnuCoa+opHbQ9tbLZX2xDj2xoZg@mail.gmail.com> <9724C1F6-C470-4B4F-AFB3-2085A1B47B26@ogud.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iWzqrtdojMEbxrQpbR0bsWZ86XY>

On Thu, 22 Mar 2018, Olafur Gudmundsson wrote:

> The document covers the case that different providers use different signing algorithms BUT does not cover if they use different negative
> answer approaches, 
> no good answer other than say NSEC with “lies”. 

I think the document describes what I think of as a new and clever type
of deployment. But it reads as some kind of BCP you could read or skip,
mostly based on the title. Maybe change the title to something like

    Considerations for DNSSEC multi-signer deployments

Paul