Re: [DNSOP] DNSSEC validator requirements

Daniel Migault <daniel.migault@ericsson.com> Thu, 13 April 2017 20:19 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C8D4124B0A for <dnsop@ietfa.amsl.com>; Thu, 13 Apr 2017 13:19:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level:
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PPAJxVe5fQST for <dnsop@ietfa.amsl.com>; Thu, 13 Apr 2017 13:19:02 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8A9D129A9B for <dnsop@ietf.org>; Thu, 13 Apr 2017 13:18:54 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id h125so34788220lfe.0 for <dnsop@ietf.org>; Thu, 13 Apr 2017 13:18:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=bK70zdmv5v8VH5/UySXBltkK33Qrz1yZsMyaWOhsii0=; b=p3LYmbvKQlGxA5/brTiIXAh+MY+ovEeGaPpSqUB3DF+9Nf5xlaScEH/EMaGEDxt0Lg oaXElxQ8F0iUMCDpGfwpfstucm0D7g4rHVeTltNwR1o9vEefNj4wTLmwHn9eKE1FQC1e AkUX7LBNmM4uxc2ZbHGJ87s+6Jw3ckaEkexTNaWsRX+6QXDJuXI9bjfBi4o526NeonSx xK1DEguU1uv2RfXImY3VBSFZyM7A3P32UJH2m9u/2hDJEq+pdzYdjv1LtLLIoFh1Oun2 zdP/fjE+1tiBk0mu6NMelbpVDyts8ansrdlBFGDg9wXQq1YBgy5JhYVwybE5fCNqZD06 /uwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=bK70zdmv5v8VH5/UySXBltkK33Qrz1yZsMyaWOhsii0=; b=CO+WqJGEG3Ks18lfkc6QsMBPdxyTw+x7/mLCs5j2G2rBOKMosuIUE0jlouvaeVwcFM jGtvTCH1jJ+VU23Y57QPB554RrkoZitL7tZ80rvMyQJrvxPL3GbJXRo0Gp5CmAt+ohis ku7RK3jHHMp9WFx89utli+X/AS7kARIn/79744MZ0yx7BM9wH8sjBCL4ZAH3sdThkfXQ pC/nDnX4DXIrSmMDQ/iqs48kBdM7yO/JnItwQPoPKoqt3HKOy6CoWpJO2NmExuCaiqEo Rjga80lEqbnlVCjSyBKQTxi2tU6lF24kZbGkMXoCiBVOM4P5Rligu7k69c+k4qxfu2hR KkmQ==
X-Gm-Message-State: AN3rC/7PV9ZvzKwmIPZu8OiGiiguXbh/S6W/nWeTQDVoLQMbKrfX7dzY yTIRCUsRpi2cGJvPC95VST1IWb5P/Q==
X-Received: by 10.25.155.145 with SMTP id d139mr1649298lfe.174.1492114732718; Thu, 13 Apr 2017 13:18:52 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.46.69.85 with HTTP; Thu, 13 Apr 2017 13:18:51 -0700 (PDT)
In-Reply-To: <cb2dca19-654c-2411-5ef6-613ce3276808@nic.cz>
References: <20170331034800.GD99337@isc.org> <cb2dca19-654c-2411-5ef6-613ce3276808@nic.cz>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 13 Apr 2017 16:18:51 -0400
X-Google-Sender-Auth: 7z0pS9rQJQ083V4obTR1T68NIII
Message-ID: <CADZyTkntyR9iF0Hs9wSiCNT30OHSUtFQ4TbOxTMZp=6QDrVX0A@mail.gmail.com>
To: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary=001a114022989ba18d054d12087b
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lJP0zwFlimS706M-h-HOL6XdRZk>
Subject: Re: [DNSOP] DNSSEC validator requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2017 20:19:04 -0000

Thank you Evan and Petr fro your comments. I thought I would be able to
provide you some text this week... but I am running late. I will send you
some text next week.

I agree with your comments, and will make my best to address them. I also
came with other requirements.

Yours,
Daniel

On Fri, Apr 7, 2017 at 7:25 AM, Petr Špaček <petr.spacek@nic.cz>; wrote:

> On 31.3.2017 05:48, Evan Hunt wrote:
> > I have reviewed draft-mglt-dnsop-dnssec-validator-requirements-04.txt
> and
> > some comments on the substance of it are below. (I'll also send some
> > grammatical nitpicks via private mail.)
> >
> >> However, without valid trust anchor(s) and an acceptable value for the
> >> current time, DNSSEC validation cannot be performed.  This document
> lists
> >> the requirements to be addressed so resolvers can have DNSSEC validation
> >> can be always-on.
> >
> > This abstract, and the introduction below, both seem to suggest that the
> > intention of this draft is to list requirements for automatic
> bootstrapping
> > and recovery of DNSSEC without human intervention.  However, several of
> the
> > requirements actually included in the text describe mechanisms of human
> > intervention: for example, insertion of negative trust anchors or the
> > ability to flush the cache.
> >
> > To my mind, any need for human intervention contradicts the idea of
> DNSSEC
> > being "always-on"; humans can't react instantly.  So I suggest revising
> > the abstract and the problem statement to say that these are requirements
> > for a DNSSEC validator to be recovered when it fails, rather than for
> > it always to be on.
>
> A document listing what can possibly go wrong with DNSSEC deployment in
> real world and what "features/tools" software vendors have to provide to
> ease recovery is a good idea.
>
> Having said that, I support Evan's view that here we are not talking
> about "always-on" but more about "human intervention"/recovery. I think
> that all other Evan's comments are good ideas as well and improve the
> document.
>
> I'm looking forward to reviewing a new version of the document.
>
> --
> Petr Špaček  @  CZ.NIC
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>