Re: [DNSOP] Call for Adoption: draft-huque-dnsop-multi-provider-dnssec

Petr Špaček <petr.spacek@nic.cz> Tue, 17 July 2018 11:18 UTC

To: dnsop@ietf.org
References: <CADyWQ+E6S1K2Rt6gWMNkM6pYEJE1J7EGajuc_+ZjES5+KWxaoA@mail.gmail.com> <alpine.LRH.2.21.1807101104250.5219@bofh.nohats.ca> <BC2188E8-205E-4CFD-89AD-2D8B0ECF6F8A@hopcount.ca> <CAHPuVdUJ7PnZw1pqQ9nQaXVAEj81EchaA=0G16YVfMRexigD2Q@mail.gmail.com>
From: Petr Špaček <petr.spacek@nic.cz>
Organization: CZ.NIC
Message-ID: <51bce21c-4b70-1f09-9e7d-eff29b71e3ff@nic.cz>
Date: Tue, 17 Jul 2018 13:18:30 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nSlvST9bVrOE5f-4x3Q3_mnTH0o>
Subject: Re: [DNSOP] Call for Adoption: draft-huque-dnsop-multi-provider-dnssec

On 14.7.2018 06:12, Shumon Huque wrote:
> On Tue, Jul 10, 2018 at 12:06 PM Joe Abley <jabley@hopcount.ca> wrote:
>>
>> I actually think the document is actually almost entirely operational;
>> at least, it describes a set of operational and design considerations
>> for deploying DNS services constrained by particular sets of
>> requirements. I don't see it as describing business models, but rather
>> how commonly-available commercial DNS services can be lego'd
>> together. Having said that, see (further) below.
> 
> Yes, it is indeed almost entirely operational. If dnsop is now only about 
> protocol enhancements, maybe we need to change its name to dnsext! :-)
> 
>> I don't particularly know who the audience for this document is, but
>> I'm pretty sure it's not me. So I'm not the right person to judge
>> whether it solves a real problem or is pitched at the right level. I
>> haven't reviewed the document in detail; I've just skimmed through
>> it. I'm pretty confident that the authors know what they are talking
>> about :-)
> 
> The audience in my opinion is the general DNS community, since I think
> they should be aware of the issues. The portion of the community that
> would benefit from actually using the new deployment models described
> in the document is likely much smaller: a set of enterprises that
> need to deploy DNSSEC in a multiple signing provider configuration,
> and a set of managed DNS providers that are willing and capable of
> supporting this. I expect this population will grow over time if/when
> DNSSEC adoption grows. And yes, this does solve a real problem for
> those enterprises.
> 
>> I don't know that the document would necessarily benefit from adoption
>> by the working group. I also don't know that the working group ought
>> to have the kind of concern about the topics that this document
>> addresses that would cause it to seek editorial control. It seems
>> entirely plausible that the document contains useful advice, however,
>> and that the RFC series is a suitable place for its publication.
>>
>> I think this document is an ideal candidate for the independent
>> stream. I don't see an obvious reason why it belongs in dnsop.
> 
> From discussing this draft at the last IETF, it appeared to us that
> there was interest from the working group in taking on this work. Doing
> this as a working group document carries more weight than an independent
> submission (of course, most people outside the IETF would not know the
> difference).
> 
> On ceding editorial control to the working group, and whether or
> not the group should even care about the issues raised in the
> draft - that is a good question, and I had contemplated that prior
> to the last IETF. If we sensed that this would lead to a protracted
> fight between DNS protocol purists and the DNS traffic management/
> tricks crowd about how to solve this problem in entirely different
> ways, then I think we would probably have elected to go the
> independent submission route. I did not get that impression.
> 
> In principle, I am open to tackling the larger question of should we
> standardize the various traffic management tricks. But I suspect there
> will be strong resistance from both camps, and even if it could be done
> and implemented, it would not be possible to do so in a time frame
> required by the folks interested in this draft.
> 
>> Like Paul, my lack of enthusiasm for adoption shouldn't be interpreted
>> as an objection.
> 
> Ok. I waited a few days to see if other people will speak up in support
> of this draft, but I guess we're in the pre-IETF lull period. Lest people
> get the impression there is no enthusiasm for this draft, I want to remind
> folks that I presented this draft at IETF101 in London, and there appeared
> to be quite a bit of interest. I went back and took a look at some of the
> previous discussion:
> 
> The original email thread for this draft from March starts here:
> 
>     https://www.ietf.org/mail-archive/web/dnsop/current/msg22196.html
> 
> Here's video of my presentation at IETF101:
> 
>     https://www.youtube.com/watch?v=MixId63DGP4&t=33m16s
> 
> And you can jump to the Q&A section here:
> 
>     https://www.youtube.com/watch?v=MixId63DGP4&t=40m54s
> 
> As you can see, most people who expressed an opinion were supportive
> of doing this work (as a working group document). The jabber session
> shows more supportive comments. And I had largely positive discussions
> with many other folks in the hallway track.
> 
> Jim Reid, notably, was quite vocally opposed. As far as I could tell,
> on the basis that (1) this is another straw on the camel's back, and
> (2) who is actually even asking for DNSSEC, is there any demand, and
> will this move the needle.
> 
> Regarding (1), if this is straw, it seems to be rather light straw.
> I don't think the DNS camel should be used as a bludgeon to beat back
> all proposals to enhance the DNS. The incentives here appear to be in
> the right place. There is increased complexity. But the folks that bear
> the costs of this complexity are the enterprises and their DNS provider
> partners that want to deploy this. It does not impose new operational
> or complexity burdens on other folks.
> 
> Regarding (2), this actually has the potential to move the needle. If
> there is no solution to this problem, organizations that use these traffic
> management features with multiple providers will effectively be blocked
> from deploying DNSSEC. If we are encouraging DNSSEC adoption, I
> think this problem needs to be solved.
> 
> Lastly, I attended a meeting of several DNS companies on Thursday, and
> the discussion on this topic that occurred clearly indicated to me that
> there is interest.

Nice summary. In short I support work on this and having it as WG
documents makes sense to me.

-- 
Petr Špaček  @  CZ.NIC