[DNSOP]Re: [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)

John R Levine <johnl@taugh.com> Fri, 10 May 2024 16:51 UTC

Date: Fri, 10 May 2024 12:51:33 -0400
Message-ID: <78310813-426c-089c-0517-4c8aae864552@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Paul Wouters <paul@nohats.ca>, jabley@strandkip.nl
In-Reply-To: <23626DA5-CF02-46A8-9C11-EC8A5CF5A8A8@nohats.ca>
References: <0194B743-3C16-4E49-B025-E37747A9D75B@strandkip.nl> <23626DA5-CF02-46A8-9C11-EC8A5CF5A8A8@nohats.ca>
CC: dnsop@ietf.org
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ogs8nvQYMwlpZY46a9hcXxCzmfE>

On Fri, 10 May 2024, Paul Wouters wrote:
> On May 10, 2024, at 05:36, jabley@strandkip.nl wrote:
>>
>> I'm interested in where this guidance comes from.
>>
>> RFC 2782 to me is the grandfather of underscore labels, and it pretty much goes out of its way to encourage a hierarchy of underscore labels to anchor SRV records under, e.g. under _tcp.name and _udp.name.
>
> But if you look at more recent RFCs such as TLSA records, it is narrowed to one specific protocol and port, eg _25._tcp.mx.nohats.ca

But this isn't the same thing.  The two tags on SRV and TLSA records are 
consecutive labels on single records.

As you are both surely aware because you have read the draft, in this 
case, the _signal record sits atop an entire subtree, e.g.

  _dsboot.example.co.uk._signal.ns1.example.net
  _dsboot.example.co.uk._signal.ns2.example.org

means that the name servers ns1.example.net and ns2.example.org have 
bootstrap info for example.co.uk.  Since parent scanning for every 
possible combination of NS and domain would be rather slow, the draft has 
suggestions such as putting the _signal name in a separate zone that 
parents can walk with NSEC.  There might be other tags than _dsboot for 
things like synchronizing multi-provider DNS updates, but it's all DNSSEC.

Needless to say, this is quite DNSSEC specific and even if someone invents 
some other thing that uses two domain names in a similar way, it's 
unlikely that you'd want to put it all in the same zone.  So I hope we 
agree to call it _dnssec or something like that.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly