IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-05.txt

Tony Finch <dot@dotat.at> Wed, 06 May 2015 12:37 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40CAB1A6EDA for <dnsop@ietfa.amsl.com>; Wed, 6 May 2015 05:37:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36AjXbRKAj-S for <dnsop@ietfa.amsl.com>; Wed, 6 May 2015 05:37:28 -0700 (PDT)
Received: from ppsw-41.csi.cam.ac.uk (ppsw-41.csi.cam.ac.uk [131.111.8.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4499D1A1B8F for <dnsop@ietf.org>; Wed, 6 May 2015 05:37:27 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:37790) by ppsw-41.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpa (EXTERNAL:fanf2) id 1YpyZp-0005S5-Qu (Exim 4.82_3-c0e5623) for dnsop@ietf.org (return-path <fanf2@hermes.cam.ac.uk>); Wed, 06 May 2015 13:37:25 +0100
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1YpyZp-0001pS-7t (Exim 4.72) for dnsop@ietf.org (return-path <fanf2@hermes.cam.ac.uk>); Wed, 06 May 2015 13:37:25 +0100
Date: Wed, 06 May 2015 13:37:25 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: dnsop@ietf.org
In-Reply-To: <20150505210309.14142.2834.idtracker@ietfa.amsl.com>
Message-ID: <alpine.LSU.2.00.1505061231430.23307@hermes-1.csi.cam.ac.uk>
References: <20150505210309.14142.2834.idtracker@ietfa.amsl.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/r1c80Kz_KDj6P7SSQalE6lSGmUo>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2015 12:37:31 -0000

I have read through the draft. Looks good.

Some wording suggestions:

Section 1.1:

   By way
   of analogy, negative trust anchors stop validation of the
   authentication chain.  Instead, the resolver sends the response as if
   the zone is unsigned and does not set the AD bit.

I suggest:

   Instead, the validator treats any upstream responses as if
   the zone is unsigned and does not set the AD bit in responses it sends
   to clients.


Section 1.2:

   As domains transition to DNSSEC, the most
   likely reason for a validation failure will be misconfiguration.

I suggest:

   As domains transition to DNSSEC, the most
   common reason for a validation failure has been misconfiguration.

I am also worried about DNSSEC failures resulting from botched changes of
domain hosting or ownership. Not sure what to say about that.

Section 2:

The requirement MUST NOT affect parental domains is fine, but why only
SHOULD NOT for other branches of the tree? I would expect that to be MUST
NOT as well. Is this to allow for someone putting an NTA on a DLV domain
perhaps?

I don't understand the diagram :-(

Section 3:

   Most current implementations of DNS validating resolvers currently
   follow [RFC4033] on defining the implementation of Trust Anchor as
   either using Delegation Signer (DS), Key Signing Key (KSK), or Zone
   Signing Key (ZSK).

I suggest:

   Most current implementations of DNS validating resolvers currently
   follow [RFC4033] on configuring a Trust Anchor using either a public
   key as in a DNSKEY RR or a hash of a public key as in a DS RR.

... because this is closer to what RFC 4033 says, and from the point of
view of the validator there's no difference between a KSK and ZSK, and
usual practice says you should only use SEP keys (i.e. KSKs) for trust
anchors so mentioning ZSKs here is very unwise.

This sentence is unclear:

   A Negative Trust Anchor should use domain name
   formatting that signifies where in a delegation a validation process
   should be stopped.

Does it mean:

   A Negative Trust Anchor should be configured using a
   fully-qualified domain name in RFC 1035 master file syntax, to
   indicate that validation should not occur at or below that domain name.

And for:

   Different DNS recursive resolvers may have different configuration
   names for a Negative Trust Anchor.  For example, Unbound calls their
   configuration "domain-insecure."[Unbound-Configuration]

I suggest:

   Different DNS validators may have different configuration
   names for a Negative Trust Anchor.  For examples see Appendix A.

Section A.1:

Worth mentioning unbound-control insecure_add and insecure_remove?


Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Hebrides, Bailey: Northerly backing northwesterly 6 to gale 8, increasing
severe gale 9 at times, decreasing 5 later in west Bailey. Rough or very
rough, occasionally high in Hebrides. Occasional rain. Good, occasionally
poor.

v2.23.0 | Report a Bug | By Email