Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-05.txt
Warren Kumari <warren@kumari.net> Sat, 09 May 2015 07:43 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 736721AC39F for <dnsop@ietfa.amsl.com>; Sat, 9 May 2015 00:43:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jYBefV0TDoBD for <dnsop@ietfa.amsl.com>; Sat, 9 May 2015 00:43:57 -0700 (PDT)
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 152521AC39E for <dnsop@ietf.org>; Sat, 9 May 2015 00:43:56 -0700 (PDT)
Received: by wief7 with SMTP id f7so50753589wie.0 for <dnsop@ietf.org>; Sat, 09 May 2015 00:43:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=JviuCdpXOOBVqSFm1+3MY8elj9obLuJOh8A/BJOb+jQ=; b=DrM94OeZhx1hQO3jtUU6iGO/iNFF8J4MXxPWtkUd0ZcM0BhZJ+5SEhVV2XBDDFo76K YVVMlopP2etf8XnYr+19oOv5LZ3azqqxw2XJ+ZG33/77nlyaBaGKbsW6P+TtRmpDs6fD hLzxNobwmFuAm2gamhsFi3plYAQWOLQ2grM1NQZztJnMFNyTon52HywKcosaCyHw9jDC dvtLJQwTG8hTilOI5Wfeu777Uvys2kbkH6gkOz5shkWEkL1AiT40OiYbvmqp7h4lBS3T qKQCJeH3JNCH+GQaOXUcEDIHyq/lr2lmeApDpn11BUc8A7yK06qUG8k8f871p6jPPYCC otSQ==
X-Gm-Message-State: ALoCoQnatg1KjuXH0TPhVQNu/82fUtbpTOTAM1ASFrQNzDRbVz74DIN7UV7t6FOd/34UjJBogGq+
MIME-Version: 1.0
X-Received: by 10.180.83.130 with SMTP id q2mr3062988wiy.89.1431157435685; Sat, 09 May 2015 00:43:55 -0700 (PDT)
Received: by 10.194.47.36 with HTTP; Sat, 9 May 2015 00:43:55 -0700 (PDT)
In-Reply-To: <CAHw9_iKtzET+pCsHuOi-9EHusF1X1h6vGapv0pb7hER7dRB0QA@mail.gmail.com>
References: <20150505210309.14142.2834.idtracker@ietfa.amsl.com> <alpine.LSU.2.00.1505061231430.23307@hermes-1.csi.cam.ac.uk> <CAHw9_iKtzET+pCsHuOi-9EHusF1X1h6vGapv0pb7hER7dRB0QA@mail.gmail.com>
Date: Sat, 09 May 2015 09:43:55 +0200
Message-ID: <CAHw9_i+mO2FYHhS3TEs2Dc3RfT7kb6bHmOYqC7QGRG=S4LhgUg@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Tony Finch <dot@dotat.at>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/qKZDwMlhTaMrvj2ECcGyt2I5a4M>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2015 07:43:59 -0000
On Fri, May 8, 2015 at 2:41 AM, Warren Kumari <warren@kumari.net> wrote: > [ Top post ] > > Thanks for all the comments. I've integrated most of them (need > additional text for one), and am posting a new version with the > changes. > > Comments inline. > > On Wed, May 6, 2015 at 8:37 AM, Tony Finch <dot@dotat.at> wrote: >> I have read through the draft. Looks good. >> >> Some wording suggestions: >> >> Section 1.1: >> >> By way >> of analogy, negative trust anchors stop validation of the >> authentication chain. Instead, the resolver sends the response as if >> the zone is unsigned and does not set the AD bit. >> >> I suggest: >> >> Instead, the validator treats any upstream responses as if >> the zone is unsigned and does not set the AD bit in responses it sends >> to clients. > > DONE. > Thanks. > >> >> >> Section 1.2: >> >> As domains transition to DNSSEC, the most >> likely reason for a validation failure will be misconfiguration. >> >> I suggest: >> >> As domains transition to DNSSEC, the most >> common reason for a validation failure has been misconfiguration. >> > > DONE. > Thanks. > >> I am also worried about DNSSEC failures resulting from botched changes of >> domain hosting or ownership. Not sure what to say about that. >> > > Me neither -- but that's a type of misconfiguration? :-) If anyone has > suggested test I'm happy to consider it. > > >> Section 2: >> >> The requirement MUST NOT affect parental domains is fine, but why only >> SHOULD NOT for other branches of the tree? I would expect that to be MUST >> NOT as well. Is this to allow for someone putting an NTA on a DLV domain >> perhaps? > > I seem to remember it being something subtle to do with delegations, > but will check with co-authors / go back through earlier mail. > Example.com uses ns1.example.net. example.net borks their keyroll, and > we "rescue" them by putting in an NTA. This has affected something in > another branch of the tree. > > >> >> I don't understand the diagram :-( > > Fair enough - it *is* confusing. I'll ask one of the other authors to > fix it (you *so* don't want me to fix it :-)) So, I've chatted with some of the other authors (Paul and Jason) and we agree that: A: the diagram is confusing and B: it doesn't actually *add* anything to the document. So, we are proposing simply removing it. If anyone screams we'll put it back... Seem good? W > >> >> Section 3: >> >> Most current implementations of DNS validating resolvers currently >> follow [RFC4033] on defining the implementation of Trust Anchor as >> either using Delegation Signer (DS), Key Signing Key (KSK), or Zone >> Signing Key (ZSK). >> >> I suggest: >> >> Most current implementations of DNS validating resolvers currently >> follow [RFC4033] on configuring a Trust Anchor using either a public >> key as in a DNSKEY RR or a hash of a public key as in a DS RR. >> >> ... because this is closer to what RFC 4033 says, and from the point of >> view of the validator there's no difference between a KSK and ZSK, and >> usual practice says you should only use SEP keys (i.e. KSKs) for trust >> anchors so mentioning ZSKs here is very unwise. > > DONE. > Fair 'nuff. > >> >> This sentence is unclear: >> >> A Negative Trust Anchor should use domain name >> formatting that signifies where in a delegation a validation process >> should be stopped. > > Yes, that is unclear.... > >> >> Does it mean: >> >> A Negative Trust Anchor should be configured using a >> fully-qualified domain name in RFC 1035 master file syntax, to >> indicate that validation should not occur at or below that domain name. > > DONE. > Nope. I don't think that we need to define the format here -- it is > (IMO) an implementation detail. > I don't really know what the point of the sentence is, but it does't > (AFAICT) add anything, and so I'm removing it... > Thanks! > > >> >> And for: >> >> Different DNS recursive resolvers may have different configuration >> names for a Negative Trust Anchor. For example, Unbound calls their >> configuration "domain-insecure."[Unbound-Configuration] >> >> I suggest: >> >> Different DNS validators may have different configuration >> names for a Negative Trust Anchor. For examples see Appendix A. > > DONE. > Thanks, much better. That was left over from earlier versions... > >> >> Section A.1: >> >> Worth mentioning unbound-control insecure_add and insecure_remove? > > NOT DONE. > Yes, yes it is. I believe one of the Unbound developers was going to > contribute text, I'll follow up with them. > > > > Thanks again, > W > >> >> >> Tony. >> -- >> f.anthony.n.finch <dot@dotat.at> http://dotat.at/ >> Hebrides, Bailey: Northerly backing northwesterly 6 to gale 8, increasing >> severe gale 9 at times, decreasing 5 later in west Bailey. Rough or very >> rough, occasionally high in Hebrides. Occasional rain. Good, occasionally >> poor. >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop > > > > -- > I don't think the execution is relevant when it was obviously a bad > idea in the first place. > This is like putting rabid weasels in your pants, and later expressing > regret at having chosen those particular rabid weasels and that pair > of pants. > ---maf -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Tony Finch
- [DNSOP] I-D Action: draft-ietf-dnsop-negative-tru… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Warren Kumari
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Warren Kumari