Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

John Levine <johnl@taugh.com> Thu, 30 April 2020 02:21 UTC

Date: 29 Apr 2020 22:21:44 -0400
Message-Id: <20200430022144.95982188B8E7@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: mglt.ietf@gmail.com
In-Reply-To: <CADZyTk=y5RC3_mEROYF0mro0=NDxS3qbgsh7nuj6KGLWOGjMYA@mail.gmail.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kEIz_4Wy2nYz2VMU_EZHeaLwW9E>
Subject: Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

In article <CADZyTk=y5RC3_mEROYF0mro0=NDxS3qbgsh7nuj6KGLWOGjMYA@mail.gmail.com> you write:
>
>My understanding of the draft is that it attempts to prevent a key from signing
>an RRset it is not necessarily authoritative for.

If that's what it means, that's what it should say.  As I read it, the flag it defines
says that the zone will only sign NS and DS and perhaps the occasional _flag.

The 95,000 signed A and AAAA records I found in TLD files are all
authoritative, since there is no zone cut between them and the TLD.
But that's over 200 TLDs which this proposal would not apply to.

Perhaps we should ask some TLD operators if they'd be interested.
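The survey described above, where signed A and AAAA records in a TLD zone are authoritative because no zone cut sits between them and the apex, can be reproduced mechanically. The following is an added example written for this page, not code from the draft, from its authors, or from John Levine; it parses a constructed, simplified zone excerpt (one fully-qualified record per line, TTL and class always present, no $ORIGIN or multi-line records, placeholder key and signature data) and sorts every address record into glue below a delegation, signed authoritative data, or unsigned authoritative data. The zone name, record contents and the `classify_addresses` helper are all assumptions made for the example; the treatment of apex records as authoritative is also an assumption, and the draft's own rules should decide whether apex data is exempt.

```python
"""Find address records a delegation-only zone would still be signing.

Added example, not from draft-pwouters-powerbind or the list message it
follows.  Any A/AAAA record with no NS record (zone cut) between it and the
apex is authoritative in this zone; if it also carries an RRSIG, the zone is
signing non-delegation data, which is the situation the message describes.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed zone excerpt in presentation format.  Only owner names and
# record types matter here; DNSKEY, DS and RRSIG rdata are placeholders.
ZONE_TEXT = """\
; apex records (the zone's own data)
example.            3600 IN SOA    ns1.example. hostmaster.example. 2020043001 7200 900 1209600 3600
example.            3600 IN NS     ns1.example.
example.            3600 IN NS     ns2.example.
example.            3600 IN DNSKEY 257 3 13 PLACEHOLDER-KEY
example.            3600 IN RRSIG  SOA 13 1 3600 20200601000000 20200501000000 12345 example. PLACEHOLDER-SIG
example.            3600 IN RRSIG  NS 13 1 3600 20200601000000 20200501000000 12345 example. PLACEHOLDER-SIG
; address records for the zone's own name servers: no zone cut above them
ns1.example.        3600 IN A      192.0.2.1
ns1.example.        3600 IN RRSIG  A 13 2 3600 20200601000000 20200501000000 12345 example. PLACEHOLDER-SIG
ns2.example.        3600 IN AAAA   2001:db8::2
ns2.example.        3600 IN RRSIG  AAAA 13 2 3600 20200601000000 20200501000000 12345 example. PLACEHOLDER-SIG
; a secure delegation, with glue below the cut
alpha.example.      3600 IN NS     ns.alpha.example.
alpha.example.      3600 IN DS     54321 13 2 PLACEHOLDER-DIGEST
alpha.example.      3600 IN RRSIG  DS 13 2 3600 20200601000000 20200501000000 12345 example. PLACEHOLDER-SIG
ns.alpha.example.   3600 IN A      192.0.2.10
; signed in-zone host data with no delegation above it
www.beta.example.   3600 IN A      192.0.2.20
www.beta.example.   3600 IN RRSIG  A 13 3 3600 20200601000000 20200501000000 12345 example. PLACEHOLDER-SIG
; in-zone host data that is not signed at all
legacy.example.     3600 IN A      192.0.2.30
"""

Record = Tuple[str, str, List[str]]  # (owner, type, rdata fields)


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner TTL class type rdata...' lines; strip comments and blanks."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        records.append((owner, rtype, rdata))
    return records


def zone_cuts(records: List[Record], apex: str) -> Set[str]:
    """Every non-apex owner name holding an NS RRset is a delegation point."""
    return {owner for owner, rtype, _ in records if rtype == "NS" and owner != apex}


def below_cut(name: str, cuts: Set[str], apex: str) -> bool:
    """True if some delegation point lies at or above `name` but below the apex."""
    labels = name.rstrip(".").split(".")
    apex_depth = len(apex.rstrip(".").split("."))
    for i in range(len(labels) - apex_depth):
        if ".".join(labels[i:]) + "." in cuts:
            return True
    return False


def classify_addresses(text: str, apex: str,
                       address_types: Tuple[str, ...] = ("A", "AAAA")
                       ) -> Dict[str, List[Tuple[str, str]]]:
    """Split address records into glue, signed authoritative, unsigned authoritative.

    Apex address records count as authoritative here (assumption: whether the
    delegation-only flag exempts apex data is for the draft text to settle).
    """
    records = parse_zone(text)
    cuts = zone_cuts(records, apex)
    # owner name -> set of record types that an RRSIG at that name covers
    signed_types: Dict[str, Set[str]] = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            signed_types[owner].add(rdata[0].upper())
    result: Dict[str, List[Tuple[str, str]]] = {
        "signed_authoritative": [], "unsigned_authoritative": [], "glue": []}
    for owner, rtype, _ in records:
        if rtype not in address_types:
            continue
        if below_cut(owner, cuts, apex):
            result["glue"].append((owner, rtype))        # non-authoritative glue
        elif rtype in signed_types[owner]:
            result["signed_authoritative"].append((owner, rtype))
        else:
            result["unsigned_authoritative"].append((owner, rtype))
    return result


if __name__ == "__main__":
    summary = classify_addresses(ZONE_TEXT, "example.")
    for bucket, names in summary.items():
        print(f"{bucket}: {len(names)} {names}")
```

On the constructed zone the checker reports three signed authoritative address records (both apex name servers and `www.beta.example.`), one unsigned authoritative record and one glue record; a zone operator considering the flag would want the first bucket to be empty before setting it, and a validator implementing the flag would be rejecting exactly those records. Run against a real TLD zone file the same pass gives the kind of count the message quotes.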