[DNSOP] Re: [Ext] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
Peter Thomassen <peter@desec.io> Mon, 08 July 2024 18:21 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oR24xu-aGf3FlsWpM33aCPCZi6k>
Hi Paul,

On 7/8/24 20:08, Paul Hoffman wrote:
>> OLD
>> The Zone element in the TrustAnchor element states to which DNS zone
>> this container applies. The root zone is indicated by a single
>> period (.) character without any quotation marks.
>>
>> This is underspecified w.r.t. format, for labels containing dots.
>>
>> But, the whole document is about the root (it's even in the title), and I wonder why the Zone element is there in the first place.
>>
>> Instead of fixing the Zone element format, why not just drop the whole Zone element?
>
> The zone element is there in case someone other than the root operator wants to use the format. Dropping it might cause some current users of the format to fail, so we are leaving it in.

So it remains underspecified for labels containing dots. (I'm OK with that, just spelling it out.)

>> OLD
>> The id attribute in the KeyDigest element is an opaque string that
>> identifies the hash.
>>
>> Is the id attribute expected to be unique within the XML file? [...]
>
> The spec says it is "an opaque string". Your proposal is to extend that and make it unique. This could cause a serious problem in the future if IANA does not change the id string for some reason. We are leaving it as just opaque.

That's fine. However, the attribute name "id" suggests uniqueness, because that's how IDs usually work. I suggest something like "opaque (but not necessarily unique)", or renaming it to something else, to prevent this misinterpretation.

>> OLD
>> If a system
>> retrieving the trust anchors trusts the CA that IANA uses for the
>> "data.iana.org" web server, HTTPS SHOULD be used instead of HTTP in
>> order to have assurance of data origin.
>>
>> Does this really mean that if I don't trust the CA, then I should be using HTTP?
>
> Yes.
>
>> How does that make things any better?
>
> It does not, but the text doesn't indicate that it makes anything better.

I wonder then why we need the "if" clause in that sentence.
I'd remove it, but I don't feel strongly.

Peter

-- 
https://desec.io/
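As an added example (not part of this thread, the draft, or IANA's tooling), here is a small consumer of the RFC 7958 XML layout that treats the KeyDigest id as opaque and possibly non-unique, keys anchors on their DS content instead, compares the Zone element exactly against ".", honours the validFrom/validUntil window, and checks that the container's source URL is HTTPS. The sample document, its ids and its digest values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the RFC 7958 layout. Two KeyDigest entries deliberately
# share id="K1" to show why keying on the id attribute is unsafe; the digest
# values are placeholders, not real root-zone DS digests.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="example-container" source="https://example.invalid/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="K1" validFrom="2020-01-01T00:00:00+00:00" validUntil="2021-01-01T00:00:00+00:00">
    <KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>{a}</Digest>
  </KeyDigest>
  <KeyDigest id="K1" validFrom="2020-06-01T00:00:00+00:00">
    <KeyTag>22222</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>{b}</Digest>
  </KeyDigest>
</TrustAnchor>
""".format(a="11" * 32, b="22" * 32)


def parse_trust_anchors(xml_text, zone=".", now=None):
    """Return {(keytag, alg, digest_type, digest): id} for KeyDigest entries
    of `zone` that are valid at `now` (UTC). The key is the DS content, so
    entries that share an id are both kept; the id is carried as opaque data."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    # Zone is compared as an exact string; "." selects the root, as in the draft.
    if root.tag != "TrustAnchor" or root.findtext("Zone") != zone:
        return {}
    anchors = {}
    for kd in root.iter("KeyDigest"):
        valid_from = datetime.fromisoformat(kd.get("validFrom"))
        until = kd.get("validUntil")
        if now < valid_from or (until and now >= datetime.fromisoformat(until)):
            continue  # outside the validity window: not usable yet / any more
        ds = (int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
              int(kd.findtext("DigestType")), kd.findtext("Digest").upper())
        anchors[ds] = kd.get("id")
    return anchors


def source_is_https(xml_text):
    """True only if the container's source attribute names an https:// URL,
    i.e. the retrieval path that gives assurance of data origin."""
    return ET.fromstring(xml_text).get("source", "").startswith("https://")
```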