Re: [DNSOP] Making draft-ietf-dnsop-kskroll-sentinel apply to all zones

Joe Abley <jabley@hopcount.ca> Fri, 15 December 2017 15:37 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <A6465B30-EC72-4282-8600-5B850E67D7BA@vpnc.org>
Date: Fri, 15 Dec 2017 10:37:17 -0500
Cc: Geoff Huston <gih@apnic.net>, dnsop WG <dnsop@ietf.org>
Message-Id: <AD804DDC-774C-41AA-AB8E-411A63D54A15@hopcount.ca>
References: <FE393168-BE0E-41E2-BA27-89A3D2DA4790@vpnc.org> <5E1FF941-C80D-442C-ABB5-6C81F3B1A149@apnic.net> <A6465B30-EC72-4282-8600-5B850E67D7BA@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kTCOP-j8LiNunhwGFeilrrJvVQs>

On 15 Dec 2017, at 10:31, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
> 
>> I agree that the mechanics of the change in the text, and even in the code to support this, are pretty minor, but I am slightly worried about the intended generality of the proposed change being a small step too far, so I am curious to understand why you are advocating this change.
> 
> Because the root zone is not special for DNSSEC.

I agree with that philosophically, but not practically.

In practical terms anybody who has a non-root trust anchor installed has a bidirectional operational relationship with the people who publish it. Synchronising that trust anchor, with the glorious benefit of a full list of relying parties and knowledge of how to interact with them, is a far cry from the situation we find ourselves in with the root zone.

While it's conceptually elegant to have this mechanism easily available to the operator of nameservers for any zone, it's not clear to me that this is supported by a tangible use case.

If changes motivated by this desire for elegance weaken support for the one use case we have, they seem like a bad idea. (Not saying they do; I haven't thought about them that hard and in any case I am not an implementor.)


Joe