Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-13.txt

Warren Kumari <warren@kumari.net> Thu, 19 July 2018 20:11 UTC

References: <153174539326.23149.7392295208412679544@ietfa.amsl.com> <CAN6NTqy=ETR5nDWSdz1hL+MKSCtVoZLcZ3_hYqa4U6So_=LMQQ@mail.gmail.com> <CAHw9_iJ4CR1kT7Weps0E8=XQ05rfY6ZLSs9uw=TxxTmS8Q3LHw@mail.gmail.com>
In-Reply-To: <CAHw9_iJ4CR1kT7Weps0E8=XQ05rfY6ZLSs9uw=TxxTmS8Q3LHw@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 19 Jul 2018 16:10:30 -0400
Message-ID: <CAHw9_iJpmmYXosTjMn=euEd7qsc6k-9D950hjtHztz1axZSukA@mail.gmail.com>
To: olafur=40cloudflare.com@dmarc.ietf.org
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qLuIAnYaAr7MFMhckrhKC0LrkDE>

On Wed, Jul 18, 2018 at 9:36 AM Warren Kumari <warren@kumari.net> wrote:
>
> The authors are more than happy to change the name to that...

.... but we would really really appreciate more comments / review.
W


>
> W
> On Wed, Jul 18, 2018 at 9:13 AM Ólafur Guðmundsson
> <olafur=40cloudflare.com@dmarc.ietf.org> wrote:
> >
> >
> > Hi
> > I read this document over with fresh eyes and tried to ignore any history.
> >
> > Summary: Publication considered harmful
> >
> > Reasons: This document calls itself "Security Considerations", but in reality all it is covering is "Publication considerations by Authority";
> > the document does not cover at all the consumption of RFC5011 events by resolvers, which IMHO are the more important part of the protocol.
> >
> >      Olafur
> >
> >
> > On Mon, Jul 16, 2018 at 8:49 AM, <internet-drafts@ietf.org> wrote:
> >>
> >>
> >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >> This draft is a work item of the Domain Name System Operations WG of the IETF.
> >>
> >>         Title           : Security Considerations for RFC5011 Publishers
> >>         Authors         : Wes Hardaker
> >>                           Warren Kumari
> >>         Filename        : draft-ietf-dnsop-rfc5011-security-considerations-13.txt
> >>         Pages           : 20
> >>         Date            : 2018-07-16
> >>
> >> Abstract:
> >>    This document extends the RFC5011 rollover strategy with timing
> >>    advice that must be followed by the publisher in order to maintain
> >>    security.  Specifically, this document describes the math behind the
> >>    minimum time-length that a DNS zone publisher must wait before
> >>    signing exclusively with recently added DNSKEYs.  This document also
> >>    describes the minimum time-length that a DNS zone publisher must wait
> >>    after publishing a revoked DNSKEY before assuming that all active
> >>    RFC5011 resolvers should have seen the revocation-marked key and
> >>    removed it from their list of trust anchors.
> >>
> >>    This document contains much math and complicated equations, but the
> >>    summary is that the key rollover / revocation time is much longer
> >>    than intuition would suggest.  This document updates RFC7583 by
> >>    adding additional delays (sigExpirationTime and
> >>    timingSafetyMargin).
> >>
> >>    If you are not both publishing a DNSSEC DNSKEY, and using RFC5011 to
> >>    advertise this DNSKEY as a new Secure Entry Point key for use as a
> >>    trust anchor, you probably don't need to read this document.
> >>
> >>
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5011-security-considerations/
> >>
> >> There are also htmlized versions available at:
> >> https://tools.ietf.org/html/draft-ietf-dnsop-rfc5011-security-considerations-13
> >> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5011-security-considerations-13
> >>
> >> A diff from the previous version is available at:
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc5011-security-considerations-13
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> Internet-Drafts are also available by anonymous FTP at:
> >> ftp://ftp.ietf.org/internet-drafts/
> >>
> >> _______________________________________________
> >> DNSOP mailing list
> >> DNSOP@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dnsop
> >
> >
> >
> >
> > --
> > Ólafur Gudmundsson | Engineering Director
> > www.cloudflare.com blog.cloudflare.com
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf