IETF Logo Mail Archive

Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

"Joe Abley" <jabley@hopcount.ca> Mon, 05 October 2015 21:00 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A55D1B502C for <dnsop@ietfa.amsl.com>; Mon, 5 Oct 2015 14:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lyv2d7j8Yogp for <dnsop@ietfa.amsl.com>; Mon, 5 Oct 2015 14:00:10 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90DB81B5028 for <dnsop@ietf.org>; Mon, 5 Oct 2015 14:00:10 -0700 (PDT)
Received: by ioiz6 with SMTP id z6so199889076ioi.2 for <dnsop@ietf.org>; Mon, 05 Oct 2015 14:00:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-type; bh=7GDlZkPDhgbSowjuFHpthYPa+deM/QXc6oyOhF4lCz8=; b=moPYSnW1rsFs76rqmougY/KQZnS/afgHY95lMMQqK+tdfHCamaco9ect0WH/t5tGY9 KhAjZtoKAhvZnGsWp8AV41bCcOknYZ9CAd+31l5Fwahclm5FURUrMWTEr4i6e/ylY4Xm 0oOMs2eC6fkmS9gSy9oottpkbt9YCFEwU6Glo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-type; bh=7GDlZkPDhgbSowjuFHpthYPa+deM/QXc6oyOhF4lCz8=; b=dDM6U8DZgkvlejZ4hU0235e/cvMdhvAI3dSNeNCrmyQ1RXjZWQzy40Lh6XItMdkP2v LXxwWA/Bk74r1n1le+USjoTmJfiOt2JrPdmOvx8X98mDgJ4Azx705MGq6LsDjD0xrxcx kDYtfSJTPR8qRmiOKH26kvqjEaVt1SOF1K8MJAARkYtbMhFQi5K15y68G/Bt7vxg7L/z DGxwLgePAUfjjLQDmOJWVtgx0ckMh2vtV4VO49xUqkMhPMhJhVk86CCihw2ENJd3GQZs UxbmEjkTfvYXqJZ4YFjIsLi8UuJCkrUIvSe71vdTBocx9VnsEK1WV54lPlbw1CSZ71tT kbQQ==
X-Gm-Message-State: ALoCoQnby4Pqy5XSyKpuG8nLR4Msyh9Oa4v1UOxBDwhk7Yg1AZaSiQnIEM+fl+h1qClHWtl7eoeU
X-Received: by 10.107.160.143 with SMTP id j137mr31813106ioe.13.1444078809272; Mon, 05 Oct 2015 14:00:09 -0700 (PDT)
Received: from [172.19.131.226] (135-23-68-43.cpe.pppoe.ca. [135.23.68.43]) by smtp.gmail.com with ESMTPSA id c97sm10950452ioj.41.2015.10.05.14.00.08 (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 05 Oct 2015 14:00:08 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Date: Mon, 05 Oct 2015 17:00:07 -0400
Message-ID: <A1B41B27-AFB0-4B42-9F46-AA1D8D5D00F6@hopcount.ca>
In-Reply-To: <97AFB21E-9233-4753-8F89-A6AC6C6B079B@vpnc.org>
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <0E4AA958-7740-4602-A3CF-D2E481DBC15E@hopcount.ca> <20150928155325.GA63874@gaon.net> <20150929095301.32c3e6a3@casual> <13F1D87F-1C07-40EB-86B0-564C4109C9B0@virtualized.org> <1973252D-924F-4EF1-A38F-5EC01AD331F6@gmail.com> <FDD04DCC-59C5-41F5-8CAF-1EF31CD65A34@virtualized.org> <63E1E01E-C172-4A0F-B434-F796546BB657@gmail.com> <C4FA9FA6-76E3-4FF3-862B-C5C0DF75C761@kirei.se> <D1C15986-603E-4932-B551-0497638D9849@vpnc.org> <02869F43-87A4-4797-8FD3-276C02DF665D@kirei.se> <EEA946B1-8BF3-4AB7-99D2-4C8CDCCF0EC0@vpnc.org> <F412CE02-C0BA-425E-BBF9-3A40B2B5FEA7@vpnc.org> <9F52E6FC-E503-4E3A-9998-363BF514CC1A@hopcount.ca> <D2C7120E-D13A-4372-8A8D-FE16DDDB5AEA@vpnc.org> <6CE2A233-0CD3-4490-BDDE-A0E82B305F05@hopcount.ca> <97AFB21E-9233-4753-8F89-A6AC6C6B079B@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/mx6VMskp3Zfwkexu42DSrkLUsT4>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 21:00:12 -0000


On 5 Oct 2015, at 16:43, Paul Hoffman wrote:

> On 5 Oct 2015, at 16:12, Joe Abley wrote:
>
>> Hi Paul,
>>
>> On 5 Oct 2015, at 15:35, Paul Hoffman wrote:
>>
>>> A document called "DNSSEC Trust Anchor Publication for the Root 
>>> Zone" that says nothing about the most common KSK publication 
>>> practice, that is, by resolver software developers, is woefully 
>>> incomplete.
>>
>> I am confused by that. The KSK maintainer publishes trust anchors for 
>> the root zone. Software developers produce code that consumes those 
>> trust anchors. Perhaps we are missing a shared understanding of the 
>> word "publish" here, but I don't see what common KSK publication 
>> practice you're referring to.
>
> Hrm. I'm pretty sure that most people would agree that software is 
> published, and that config comes with that published software. The KSK 
> is often part of that config.

Ah, that helps explain the disconnect.

> Of course "the KSK maintainer publishes trust anchors for the root 
> zone". So do other organizations. It seems like many people who say 
> they want this document published want this document to be how 
> ICANN/IANA publishes the trust anchors.

That understanding of "publish" had never occurred to me, to be honest.

If someone cuts an article out of the Toronto Star and sticks it on a 
message board for other people to see, is it reasonable to say that that 
person published the article? Or did the Toronto Star publish it?

> [...]
>
> Maybe you are thinking that only ICANN can publish the trust anchor? 
> If so, I would certainly disagree. Anyone can publish it, and that's a 
> feature.

That does indeed seem to be a disagreement.

To state the context I had been working from (hence the confusion):

  - the KSK maintainer publishes a set of trust anchors
  - other people might well re-package them for one reason or another
  - in general, anybody who is hard-coding trust anchors in their 
published software is doing it wrong

>> I fully agree that the document should use actual URLs for the 
>> current KSK. As far as I can see, all the URLs mentioned in the 
>> document are URLs that work today, and have been stable since 2010. I 
>> don't see any speculation about other URLs.
>
>>
>> Can you explain more fully what problem you see?
>
> The URL for retrieving the CSR is <http://data.iana.org/root-anchors/
> key-label.csr>, with "key-label" replaced by the key label of the
> corresponding KSK.
>
> The URL for retrieving a signed X.509 certificate is <http://
> data.iana.org/root-anchors/key-label.crt>, with "key-label" again
> replaced as described above.
>
> Those are templates, not URLs. ICANN does not publish anything at 
> http://data.iana.org/root-anchors/key-label.csr (unless you consider 
> giving a 404 to be publishing...).

OK, I agree they are templates.

I disagree that it makes sense to publish URLs that refer to just the 
key label used by the currently active KSK. That would make this 
document inaccurate as soon as a KSK roll occurred, despite the fact 
that it aims to document the way that the current and future successor 
trust anchors are published.

The "key-label" token is intended to be taken from the root-anchors.xml 
file, which is cited with a stable URL.

You might argue that this is messy, and I might agree. But I would 
suggest that it's the only reasonable way to describe the current trust 
anchor publication mechanism used by ICANN.

> If this document is going to be published by anyone, it should state 
> exactly how ICANN publishes things, not how it might it different 
> future circumstances.

Fully agree, with the opposite conclusion.

>>> It should not talk about the publication of possible future KSKs 
>>> because that is not what ICANN is doing now.
>>
>> I don't understand that, either. The scheme developed at ICANN in 
>> 2009/2010 was designed to facilitate publication of multiple trust 
>> anchors, specifically to allow future KSK rolls. You're saying we 
>> shouldn't document that because a KSK roll hasn't happened, yet?
>
> There is a difference between "how ICANN publishes the KSK" and "how 
> ICANN might publish the KSK". Please pick the one you want so that the 
> WG can decide if that's what they want you to publish. Mixing those 
> two ideas up will not help anyone who is reading the published 
> document.

ICANN might well choose different formats, URL schemes, whatever in the 
future.

The current format, URL scheme, whatever is as is written in the 
document.

The trust anchor publication strategy was designed to handle successor 
keys, and this document aims to describe that strategy.


Joe

v2.23.0 | Report a Bug | By Email