[DNSOP] AD Review of: draft-ietf-dnsop-dnssec-bootstrapping
Warren Kumari <warren@kumari.net> Fri, 05 April 2024 20:42 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A343DC14CEFA for <dnsop@ietfa.amsl.com>; Fri, 5 Apr 2024 13:42:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x46HDYtaEAiK for <dnsop@ietfa.amsl.com>; Fri, 5 Apr 2024 13:42:42 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 710DDC14F5EB for <dnsop@ietf.org>; Fri, 5 Apr 2024 13:42:42 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-56c404da0ebso3978715a12.0 for <dnsop@ietf.org>; Fri, 05 Apr 2024 13:42:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; t=1712349760; x=1712954560; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=HesHo8hEEYAYTPxBnbvCP+xmLgKKYCwXnxXn5Xfs9wc=; b=OW9Ksn21eWuHoXOVi9ot/rm4bfpCErM1rWmGxYWCeYwzVE1aUeaoSEwyeJePEwQdcR Sb891nMGa2jwIFrrWEU/D2ngN53bVCTF9SAtI0+xyU/dQl2E/Y+1PMk//uvQMvqzbpFv yPML18DTbtfH3UbcX0T8q56taSJK+tkTGGhZJqpD6sijoZ7BbLaWEtHN2MsLTK/ft3vS LMiHBQH7JkfjfMIzQ89ZqXKaiDwWx+Dd63TeHyVvtepSvbY9BY2opptXdsM0wn7C4J0a Zb1q0OzAypkOhJY9O6Zh6r3GQXpLPjqCtZ5g1eDPvvzTBL10ivxvq1JRy1XcuNs2bcBp oaTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712349760; x=1712954560; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=HesHo8hEEYAYTPxBnbvCP+xmLgKKYCwXnxXn5Xfs9wc=; b=XnGj+d/lMqweRzZH78TNN4phcHk18sHtz0t1WOL8scAPVTucERksc27tidlHb0NWM8 xl5u5bv1nFpQEBpCb1B3mV6j4izqqW0poFSx2DBdbAAbuYGrFRubTk9xS5mNzEp3qMqW xGeC0bumd+tsnVLrf3eCMkom1zz/9yhxri9hnK26h2TKUpY+CYKaiHMF8UC4QhzRojlk HN5mqGW7xIlQqbp8NublrvkwGtp4rcACVm9myzaVsTCFBZmqFkH6m5mvwJien9z4hHNn /8EKxiSg1up3ci6NC6ANbzorNKvPF/dXobqjtgnAUeEJalHk+5a2ccw7Xbp/JcxKngVB 5IWA==
X-Forwarded-Encrypted: i=1; AJvYcCUwZX8azfVKQZ4jExDra4M4x2AF99evAgYa2eZPvmMEcrmJHljjwZL4ShOTlunJLlXUPkO05YO/BwGPlxGU2Q==
X-Gm-Message-State: AOJu0Yx2ZmoGHo+RzgAGjNF34t7IBj0serK4VKA7fDFE3/ehgMAgTQOi lcSNLZ9lJZIJ3UTB4zbEmMrkrjdFhcuEkjZYnMgF6YyakCe1bxO7J8MhLjoA7eK5ppzEYtM3rF0 WIJFoNayw4qmoDoypRvLphHVOoqP3H8TDdzK2SgwnOCScmnwj
X-Google-Smtp-Source: AGHT+IEHhapQuNlaygz0KUdaYaH/2DyrQ5FzhEqqSaGoGCZM4A7wTf2fy4seWqf20Ksfy3Q2voUzTumJPme4Qk2iY48=
X-Received: by 2002:a50:9f05:0:b0:56e:2abd:d00f with SMTP id b5-20020a509f05000000b0056e2abdd00fmr2011419edf.18.1712349759777; Fri, 05 Apr 2024 13:42:39 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Fri, 5 Apr 2024 13:42:38 -0700
Mime-Version: 1.0
X-Superhuman-ID: lun4tlb7.15d053f5-4169-4bc3-af04-810d7408f0cc
X-Superhuman-Thread-ID: draft00462674a22212b8
X-Mailer: Superhuman Desktop (2024-04-04T19:06:25Z)
X-Superhuman-Draft-ID: draft00aba138a5425b93
From: Warren Kumari <warren@kumari.net>
Date: Fri, 05 Apr 2024 13:42:38 -0700
Message-ID: <CAHw9_iJ2f_++4v+tjrFfxJv==a0FFJA=soTiPG5_V8PDuC4GaQ@mail.gmail.com>
To: draft-ietf-dnsop-dnssec-bootstrapping@ietf.org, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000029d08a06155f7ff3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kERF3PJh6yPH5JclJVOLLh-d-bo>
Subject: [DNSOP] AD Review of: draft-ietf-dnsop-dnssec-bootstrapping
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2024 20:42:46 -0000
Hi there, authors (and WG), Thank you for this document, I found it clear, useful, and an easy read. I do have a few comments/nits; addressing these now should help the IETF LC and IESG evaluation go more smoothly. Please SHOUT loudly once you've had a chance to address these, and I'll start IETF LC. Comments / questions: 1: Please be consistent in capitalization of Parent, Child, Registry, Registrar. 2: "Signaling Domains SHOULD be delegated as zones of their own, so that the Signaling Zone's apex coincides with the Signaling Domain (such as _signal.ns1.example.net). While it is permissible for the Signaling Domain to be contained in a Signaling Zone of fewer labels (such as example.net), a zone cut ensures that bootstrapping activities do not require modifications of the zone containing the nameserver hostname." Can you please try and reword this? I'm not entirely sure what "Signaling Domains SHOULD be delegated as zones of their own," actually *means*. I think I sort of do, but I don't think I could fully articulate it — perhaps "standalone zones"? 3: "To keep the size of the Signaling Zones minimal and bulk processing efficient (such as via zone transfers), Child DNS Operators SHOULD remove Signaling Records which are found to have been acted upon." This feels fairly hand-wavey (especially because it has a "SHOULD") — how would that child operators know that the signing records have been processed/consumed? (yes, I know, but it seems like some text it needed). Perhaps just rewording the sentence would help - something like: "Once a Child DNS Operator determines that specific Signaling Records have been processed (e.g by seeing the result in the Parent), they are advised to remove the Signaling Record. This will help keep the Signaling Zone smaller, and bulk processing (such as via zone transfers) more efficient."? Something like that… 4: "It is RECOMMENDED to perform queries within Signaling Domains (Section 4.2) with an (initially) cold resolver cache or to limit the TTL of cached records to the interval between scans, as to retrieve the most current information regardless of TTL." This sentence doesn't really work - it says to "limit the TTL of cached records" so you have the most current information regardless of the TTL. Perhaps just adding "regardless of the original TTL" (or "actual TTL" or something...) 5: "(When a batch job is used to attempt bootstrapping for a large number of delegations, the cache does not need to get cleared in between queries pertaining to different Children.)" Is this always true? I'm not sure, but it feels like there could be cases where there are delegations to domain early on in a run, which you later discover later in a run is also being bootstrapped. E.g you start with example.com and it uses ns1.example.net. Later on you discover than example.net is also bootstrapping, but it is already in the cache…. This might be a really uncommon corner case (and I might be completely wrong about this causing an issue!), but it seems like unless we are 100% sure we should just drop this sentence (and implementers can figure out if the optimization is worth potentially stepping on a rake :-P). I'll happily note that I cannot figure out if my concern is valid, but it *feels* like there is something scary here… Nits: 1: s/involes/involves/ 2: s/For lack of a comprehensive DNS-innate/Due to the lack of a comprehensive DNS-innate/ 3: "The Parent can then use this signal to cryptographically validate the CDS/CDNSKEY records found at an insecure Child zone's apex, and upon success secure the delegation." Suggest: "The Parent can then use this signal to cryptographically validate the CDS/CDNSKEY records found at an insecure Child zone's apex and, upon success, secure the delegation." (I generally avoid noting comma-related nits, but this one triggered my OCD, so…) 4: O: "Other applications might arise in the future, such as publication of API endpoints for third-party interaction with the DNS Operator or of other operational metadata which the DNS Operator likes to publish." P: "Other applications might arise in the future, such as publishing API endpoints for third-party interaction with the DNS Operator or other operational metadata that the DNS Operator likes to publish." C: Flow / readability. 5: "To publish a piece of information about the Child zone" s/a piece of// (I think that this works better, without changing the meaning / intent). 6: "If, however, an error condition occurs, in particular: [many many things] the Parental Agent MUST abort the procedure." This seems somewhat tricky to read / parse — by the time you get down to the "the Parental Agent MUST abort the procedure" bit you've forgotten where the sentence starts. I recommend: "If an error occurs in any of the following steps, the Parental Agent MUST the procedure: Step 1:... " (just a suggestion) 7: This seems a little clumsy: "The Parental Agent does not use in-bailiwick Signaling Names during validation because they cannot have a pre-established chain of trust at bootstrapping time, so are not useful for bootstrapping." Perhaps: "In-bailiwick Signaling Names do not have a pre-established chain of trust at bootstrapping time, and so the Parental Agent cannot use them during validation." ? 8: I had to read this multiple times to figure out what it meant: "For example, when discovering Signaling Names by performing an NSEC walk or zone transfer of a Signaling Zone, the Parental Agent MUST NOT assume that the nameserver(s) under whose Signaling Domain(s) a Signaling Name appears is in fact authoritative for the corresponding Child." Perhaps s/appears is in fact authoritative/appears is, in fact, authoritative/ or, perhaps better yet "appears is actually authoritative…" ? 9: "In this case (and in other cases alike where some list of "bootstrappable domains" is retrieved from elsewhere), the Parental Agent MUST" Perhaps: "In this, and other cases where a list of "bootstrappable domains" is retrieved from elsewhere, the Parental Agent MUST…"? 10: "The protocol is further restricted by the fact that the fully qualified Signaling Names fit within the general limits that apply to DNS names (such as their length and label count)." I found this somewhat confusing — it is "In addition, fully qualified Signaling Names must by valid DNS names (e.g length, label count, etc.)" ? Thank you again; I know that making edits to address nits can be annoying, but we are expecting many people to read and review the document, and so having it polished is important and polite (also, once people start commenting on nits, they seem to continue :-) ) W
- [DNSOP] AD Review of: draft-ietf-dnsop-dnssec-boo… Warren Kumari
- Re: [DNSOP] AD Review of: draft-ietf-dnsop-dnssec… Peter Thomassen