Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 01 November 2017 14:49 UTC

From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Wed, 01 Nov 2017 07:49:32 -0700
Message-ID: <07D1AE36-25CD-46E5-8550-FF99C0BDEC9F@vpnc.org>
In-Reply-To: <B2622241-C3C6-496B-96C6-6A9FB2DC9926@icann.org>
References: <121CDBC2-D68C-48EE-A56E-46C61FC21538@sidn.nl> <CAN6NTqxy4SWxsUNZyBA=1TZxdhWtVxaTDYLoA1qO2nKf202g9w@mail.gmail.com> <20171101121730.esajuad5cefebtgg@vic20.blipp.com> <B2622241-C3C6-496B-96C6-6A9FB2DC9926@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/njdL0vmTyIPjOOfwkgLtFobGJrE>
Subject: Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors

On 1 Nov 2017, at 6:48, Edward Lewis wrote:

> The reason why I'm digging into this is that "things change."

As a recap: this thread started with Moritz quoting from RFC 4035 and 
asking:

> Did we miss something, or is there indeed clarification needed?

I believe that RFC 4035 indicates success in any chain means that the 
validator should mark it as Secure.

Mike StJohns pointed out that RFC 6840 gave different guidance. That 
guidance suggests a default scheme and says that it should be up to 
validator configuration.

RFC 6840, which is the latest standards-track text on the topic, was 
published in 2013. If things have changed since 2013, an update to RFC 
6840 should be started.

--Paul Hoffman
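As an added illustration, not part of this message or the thread, here is a toy Python model of the two readings discussed above: a validator that builds a chain from each configured trust anchor and then either accepts when any chain succeeds (the RFC 4035 reading) or, under a stricter local policy, requires every covering anchor to succeed. The zone names, key tags and DS/DNSKEY data are all constructed, and chain building is reduced to key-tag matching.

```python
# Toy model, constructed for this example: how a validator combines the
# outcome of building a chain of trust from each configured trust anchor.
# Chain building is reduced to DS -> DNSKEY key-tag matching; signatures,
# algorithms and NSEC proofs are ignored. All zones and key tags are made up.

SECURE, BOGUS, INDETERMINATE = "Secure", "Bogus", "Indeterminate"

# Constructed zone data: DNSKEY key tags each zone publishes, and the DS
# key tags it publishes for each child zone.
ZONES = {
    ".":           {"dnskey": {1001, 1002}, "ds": {"example": {2001}}},
    "example":     {"dnskey": {2001},       "ds": {"sub.example": {3001}}},
    "sub.example": {"dnskey": {3001},       "ds": {}},
}

def ancestors(zone):
    """Yield zone, then each parent up to the root: sub.example, example, ."""
    labels = [] if zone == "." else zone.split(".")
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:]) or "."

def chain_from_anchor(anchor_zone, anchor_tag, target_zone):
    """Walk DS -> DNSKEY links from anchor_zone down to target_zone.
    Returns None when the anchor does not cover target_zone at all."""
    path = list(ancestors(target_zone))
    if anchor_zone not in path:
        return None
    path = path[: path.index(anchor_zone) + 1][::-1]   # anchor ... target
    if anchor_tag not in ZONES[anchor_zone]["dnskey"]:
        return BOGUS            # anchor key no longer in the zone's DNSKEY set
    for parent, child in zip(path, path[1:]):
        if not ZONES[parent]["ds"].get(child, set()) & ZONES[child]["dnskey"]:
            return BOGUS        # no DS in the parent matches a DNSKEY in the child
    return SECURE

def validate(target_zone, anchors, policy="any"):
    """Combine per-anchor outcomes. policy="any": one Secure chain suffices
    (the RFC 4035 reading in the message); policy="all": every covering
    anchor must yield a Secure chain (a stricter local configuration)."""
    outcomes = {}
    for zone, tag in anchors:
        result = chain_from_anchor(zone, tag, target_zone)
        if result is not None:
            outcomes[(zone, tag)] = result
    if not outcomes:
        return INDETERMINATE, outcomes
    good = [r == SECURE for r in outcomes.values()]
    verdict = SECURE if (any(good) if policy == "any" else all(good)) else BOGUS
    return verdict, outcomes
```

With a stale root anchor (tag 1000) configured beside a current one (tag 1002), `validate("sub.example", [(".", 1000), (".", 1002)], policy)` returns Secure under "any" and Bogus under "all", which is exactly the divergence between the two readings.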