Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
"Joe Abley" <jabley@hopcount.ca> Mon, 28 September 2015 17:03 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCDC91ACEC2 for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 10:03:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dNHLvzMRodC4 for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 10:03:09 -0700 (PDT)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D8F71ACEBF for <dnsop@ietf.org>; Mon, 28 Sep 2015 10:03:09 -0700 (PDT)
Received: by igbkq10 with SMTP id kq10so60496352igb.0 for <dnsop@ietf.org>; Mon, 28 Sep 2015 10:03:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-type; bh=Gl+G1BeLtDOzYHXAqeQ13bqkyEp9kAITbzxrTl7ZX/Y=; b=nyLUayPE6hbtgTT3tyPoJbPrazsZtdE8bVJHMHQitk5NsSJn2STFeO/pTViDMUgsQb TT8uH+MR5wWB3KH7pnciefzrHEOO+mivXwaLBg3QNp9bDpCcz4DAbG67nfA+2kLT90qV R+wg76ebBBjmF7Vlt8KtsYPH4ZwREHoNGJtjM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-type; bh=Gl+G1BeLtDOzYHXAqeQ13bqkyEp9kAITbzxrTl7ZX/Y=; b=K8yiq7e5zyyBradLt5dPL52ljj6bCi//Urh91UhOdPl5ogs/R3i+HrvWHF54ePUO6K /IXMT9w8a2J1DbD/BorL37W58EFXdCUoJr4oeprMHCF+D7RiVVEyQwchJ9/HBUnpA+ZU 18VRpzQ6tyrbUHNVas1ibVwo3SJcLImOQe2zDhn2bB+6Lwbpg05cDfPm+lCQUje5f33F h4d2Phk8WHgpt4uWv1rNzG4XkVT6J4EmOXV05RfLUVSoML+cPEKGwb+G+/8q182BoRCH W94DV31/xQ8bDMofS2d5cuNZZOnMI8gJUlMiQtXNGojAs3YyRoECcksYcKdE2WW1hb10 McDg==
X-Gm-Message-State: ALoCoQl894zv2oHHKmfub49J5XnrE8H7Dp8HZoobi5Gzo++zpAOqpmyOK//p08hbroONLmJd17wa
X-Received: by 10.50.136.195 with SMTP id qc3mr17986294igb.78.1443459788625; Mon, 28 Sep 2015 10:03:08 -0700 (PDT)
Received: from [172.19.130.134] (135-23-68-43.cpe.pppoe.ca. [135.23.68.43]) by smtp.gmail.com with ESMTPSA id g198sm8917907ioe.6.2015.09.28.10.02.59 (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 28 Sep 2015 10:02:59 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Date: Mon, 28 Sep 2015 13:02:48 -0400
Message-ID: <5CA0FE6C-62E4-4EE7-B972-7E7798B3BA8A@hopcount.ca>
In-Reply-To: <4F880C04-95D4-47E5-8132-DCCA6F2F1C14@vpnc.org>
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <0E4AA958-7740-4602-A3CF-D2E481DBC15E@hopcount.ca> <4F880C04-95D4-47E5-8132-DCCA6F2F1C14@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.1r5103)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/q5zY4_34a5XNVEkaTEHFLaJJINk>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2015 17:03:11 -0000
On 28 Sep 2015, at 12:35, Paul Hoffman wrote: > We could do that, but the RFC should probably not be published for at > least another six months due to terminology / politics / IANAPLAN, so > we don't need to rush the WG LC either. For example, the draft uses > the phrase "an IANA function performed by ICANN", to which many folks > at layer 9 will object until the transition has already happened. I think we have consensus that a good reference for how to retrieve trust anchors is a really, really good thing to have long before anybody starts coming up with dates for the KSK rollover. To put that more forcefully, I think it'd be a really bad idea if people didn't have solid guidance from the IETF about how things are supposed to work well in advance of the KSK actually rolling. Assuming I'm not alone in that thinking, perhaps we could look at the current text and consider whether there's a way to de-politicise it to the extent that it does its job and describes current practice. This doesn't need to be a dnsop document. It could be an AD-sponsored, individual submission. But even in that case the IESG would surely (and reasonably) expect it to be reviewed here to confirm that it does actually document the current state of things. > If the WG wants to adopt this draft before the IANA transition is > done, I would strongly prefer that the document be first adopted > before there is a WG Last Call. Getting the wording in the document > about "this is a current implementation" should be done in more than > one step. As a concrete example, the abstract boldly states "This > document describes how such trust anchors are published" which should > instead be "This document describes one way how such trust anchors are > published". Even the phrase in the abstract "has been > cryptographically signed" can be misread by the ICANN skeptics as "was > signed in the past, but isn't currently". There are other examples in > the document that should be stated more carefully. Fully agree that edits to the benefit of clarity, accuracy and the avoidance of politics seem entirely worthwhile and sensible. > Also: how much is this document really needed? Are there operators of > validating resolvers who are unfamiliar with how to get the trust > anchor? It is likely that the most common method for getting the > DNSSEC trust anchor for the DNS is "it came in my distro". If so, then > a "how it is currently done" document needs to emphasize the positive > and (maybe very) negative aspects of this practice. Those who use implementations that follow the guidance in the document (e.g. unbound) don't need to care. Those who don't, in my experience, tend towards trust on first use. Maybe that's good advice. There's a companion draft draft-jabley-validator-bootstrap that aims to provide this kind of guidance. The goal of draft-jabley-dnssec-trust-anchor was to document how the trust anchors are published, not how to consume them. I think this is a useful separation. Joe
- [DNSOP] Fwd: Expiration impending: <draft-jabley-… Joe Abley
- Re: [DNSOP] Fwd: Expiration impending: <draft-jab… Shane Kerr
- Re: [DNSOP] Fwd: Expiration impending: <draft-jab… Andras Salamon
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Fwd: Expiration impending: <draft-jab… Shane Kerr
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Jakob Schlyter
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Jakob Schlyter
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Tim Wicinski
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… George Michaelson
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… George Michaelson
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Richard Lamb
- Re: [DNSOP] Expiration impending: <draft-jabley-d… George Michaelson
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Edward Lewis
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Mark Andrews
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Ralf Weber
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… W.C.A. Wijngaards
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Andrew Sullivan
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Andrew Sullivan
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… John Levine
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Andrew Sullivan
- [DNSOP] Pity (was Re: Expiration impending: <draf… Andrew Sullivan
- Re: [DNSOP] Pity (was Re: Expiration impending: <… Paul Vixie
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Pity (was Re: Expiration impending: <… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Richard Lamb
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Mehmet Akcin