Re: [DNSOP] Changes since draft-ietf-dnsop-rfc4641bis-13
Antoin Verschuren <antoin.verschuren@sidn.nl> Tue, 23 October 2012 11:32 UTC
Return-Path: <Antoin.Verschuren@sidn.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6AF021F86AD for <dnsop@ietfa.amsl.com>; Tue, 23 Oct 2012 04:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.504
X-Spam-Level:
X-Spam-Status: No, score=-4.504 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SFfKXZdohwW4 for <dnsop@ietfa.amsl.com>; Tue, 23 Oct 2012 04:32:49 -0700 (PDT)
Received: from ede1-kamx.sidn.nl (kamx.sidn.nl [94.198.152.69]) by ietfa.amsl.com (Postfix) with ESMTP id 4951521F868B for <dnsop@ietf.org>; Tue, 23 Oct 2012 04:32:48 -0700 (PDT)
Received: from kahubcasn01.SIDN.local ([192.168.2.73]) by ede1-kamx.sidn.nl with ESMTP id q9NBWftO027105-q9NBWftW027105 (version=TLSv1 cipher=AES128-SHA bits=128 verify=CAFAIL) for <dnsop@ietf.org>; Tue, 23 Oct 2012 13:32:47 +0200
Received: from KAHUBCAS1.SIDN.local (192.168.2.41) by kahubcasn01.SIDN.local (192.168.2.73) with Microsoft SMTP Server (TLS) id 14.2.247.3; Tue, 23 Oct 2012 13:32:38 +0200
Received: from [94.198.156.18] (94.198.156.18) by KAHUBCAS1.SIDN.local (192.168.2.41) with Microsoft SMTP Server (TLS) id 14.2.247.3; Tue, 23 Oct 2012 13:32:38 +0200
Message-ID: <50868055.6030809@sidn.nl>
Date: Tue, 23 Oct 2012 13:32:37 +0200
From: Antoin Verschuren <antoin.verschuren@sidn.nl>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: dnsop@ietf.org
References: <507D691F.9000404@nlnetlabs.nl>
In-Reply-To: <507D691F.9000404@nlnetlabs.nl>
X-Enigmail-Version: 1.4.5
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [94.198.156.18]
Subject: Re: [DNSOP] Changes since draft-ietf-dnsop-rfc4641bis-13
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2012 11:32:51 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 16-10-12 16:03, Matthijs Mekking wrote: > Hi all, > > The document draft-ietf-dnsop-rfc464bis-13 has seen some issues > while being in AUTH and RCF-EDITOR state. This e-mail will list all > the suggested changes to address those issues. While reading the proposed changes and the whole document again, I noticed another paragraph that is no longer desired. My question is that now that we do make some changes, it is advised that this paragraph is also adjusted to fit current day practices. The paragraph is 4.3.2. The advice in this paragraph, which hasn't changed since 2009 when it was first written down, has been overtaken by new insight and practices. It advises registries to store only DS in stead of DNSKEY material in their database. This has proven to be impractical when deploying DNSSEC on a large scale: 1. Current practice proves that the majority of DNSSEC domains in the world today is provisioned by sending a DNSKEY record to te registry, and not DS. Running code for the majority of DNSSEC domains uses DNSKEY. 2. The old advice is based on the assumption that less errors are being made when cutting and pasting a DS in a webinterface or reading it since it is smaller than a DNSKEY. Current practice today however is that this is all automated, and while provisioning 1.3 M DNSSEC domains, we have not seen such errors. 3. With more algorithms used for DNSSEC today, and some no longer advised, registries want to hash the DNSKEY to DS themselves so they don't need to go through a "contacting every child" nightmare when an algorithm is no longer supported. The DS is owned by the parent, not the child. Our practice shows that hashing is a minor operation by the parent. It takes no real effort whatsoever in computation or time. 4. The most important motivation for us to use DNSKEY is consistancy with new processes that did not exist in 2009. DNSSEC secure transfers (http://tools.ietf.org/id/draft-koch-dnsop-dnssec-operator-change-04.txt) is the most important one. In a DNS-operator change, the operator initiating the change needs to send his new KSK (DNSKEY/DS) to the registry AND needs to relay his ZSK (DNSKEY). It is confusing that in bootstrapping a delegation a DS needs to be sent, but when transfering a DS AND ZSK DNSKEY needs to be sent. It is better to use DNSKEY in both processes so a child operator is never burdened with calculating a DS or having to think about 2 different fields in EPP that do not have the same meaning. So our advise is to use DNSKEY syntax for both KSK and ZSK when transfering to your parent. So my advise is to either delete paragraph 4.3.2 since it is bad advice (there is no convincing motivation given in this paragraph anyway), or use the motivation given above to advise for using DNSKEY over DS. If needed, I'm willing to write text. - -- Antoin Verschuren Technical Policy Advisor SIDN Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970 mailto:antoin.verschuren@sidn.nl xmpp:antoin@jabber.sidn.nl http://www.sidn.nl/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBAgAGBQJQhoBVAAoJEDqHrM883AgngBMH/1e5LxpQrZNLJ/lV5kp2OJFx WWsKM2joRSSpW+fc/CMp6gQ5kMs32TqjAk3SLGcUEnKKU1L4zBOPIPzHNfyryqEp +Mckt+LGtC9/OngjTtfKGvfejLmUormu0zmwSTW5hJqUi16lz4chHosJtvI3JNpZ s73gDUW11zAxomyJw3bkBOQQgPklpV+7IOAGMeRkxXPUWvhMaPYsGwppZFI4nX49 Bw5zYytnL9YbfdK+LzY7DY5j3ZoEVV6056w7Gn2U4or8IBTQxquR9rpA0XHmrYPv C07lSeDdwu7jGrv4Qt2ORcZwjvSVYmDD5q3q84w8ZAe7/LU7JAiRaTPIrOBHmoc= =HVX8 -----END PGP SIGNATURE-----
- [DNSOP] Changes since draft-ietf-dnsop-rfc4641bis… Matthijs Mekking
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Tony Finch
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Antoin Verschuren
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Miek Gieben
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Niall O'Reilly
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Olafur Gudmundsson
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Edward Lewis
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Antoin Verschuren
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Matthijs Mekking