Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-multi-provider-dnssec
Matthijs Mekking <matthijs@pletterpet.nl> Mon, 13 January 2020 08:57 UTC
To: dnsop@ietf.org
References: <CADyWQ+Gip_1qYv8ZQBBfY3OUFxizOMVMpckQZtZRNu4JJtGnLA@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <9ecd0c1e-5f7a-6635-04f7-dfa6a3f5f164@pletterpet.nl>
Date: Mon, 13 Jan 2020 09:57:50 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rkInBvs-4S5zGZ-5CXHjAxQcm2I>
Late to the party, I am sorry.

I am positive about this document, and support publication. I do have one comment on the document, requesting an update.

In section 4 it is said it is RECOMMENDED that providers use a common signing algorithm. I think this is too weak and it must be a MUST.

The reason given for RECOMMENDED is that the "liberal approach" works. The liberal approach says that authoritative zones MUST sign RRsets with every algorithm in the DNSKEY RRset, but validating resolvers don't have to enforce this requirement. However, that does not mean the authoritative server can simply ignore this rule.

Also, if two different providers are using different algorithms, that means two DS records with different algorithms are distributed to the parent. And now the algorithm is signaled in the parent and a validator may execute the multiple algorithms protection check, expecting both chains of trust to work.

In other words, please adapt section 4 to be more strict when it comes to multiple algorithms. If you agree, I am happy to provide the suggested text.

Again my apologies for bringing this up so late.

Best regards,
Matthijs

On 10/31/19 4:47 PM, Tim Wicinski wrote:
>
> This starts a Working Group Last Call for
> draft-ietf-dnsop-multi-provider-dnssec
>
> Current versions of the draft are available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-multi-provider-dnssec/
>
> The Current Intended Status of this document is: Informational
>
> FYI, I will not shepherd this document, as it was written with several
> of my coworkers.
> Benno Overeinder will be Document Shepherd.
>
> Please review the draft and offer relevant comments.
> If this does not seem appropriate please speak out.
> If someone feels the document is *not* ready for publication, please
> speak out with your reasons.
>
> If there are normative issues, agenda time at IETF106 will be set aside
> to address them
>
> This starts a two week Working Group Last Call process, and ends on: 15
> November 2019
>
> thanks
> tim
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
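The difference between the authoritative-side rule (every algorithm in the DS or DNSKEY RRset must sign every RRset) and the "liberal" validator behaviour that the message refers to can be made concrete with a small coverage model. The following is an added example, not code from the draft, from the message above, or from any provider's implementation. It does no cryptography: an RRSIG "verifies" when its key tag and algorithm match a DNSKEY in the set. It assumes a multi-signer layout in which each provider holds its own KSK and ZSK, the published DNSKEY RRset contains both providers' keys, the parent carries one DS per KSK, and each provider signs only its own copy of the zone; the provider names and key tags are made up, while 13 and 8 are the IANA numbers for ECDSAP256SHA256 and RSASHA256. The strict rule is the one in RFC 4035 section 2.2, the liberal behaviour the one described in RFC 6840 section 5.11.

```python
"""Coverage model for the DNSSEC "multiple algorithms" rule in a zone served
by two signing providers.

Constructed example, not code from the draft or from the message above. No
real cryptography: an RRSIG "verifies" when its key tag and algorithm match a
DNSKEY in the set. Provider names and key tags are made up; 13
(ECDSAP256SHA256) and 8 (RSASHA256) are the IANA algorithm numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    provider: str
    keytag: int
    algorithm: int
    ksk: bool          # True for the KSK referenced by a DS, False for a ZSK


@dataclass(frozen=True)
class DS:
    keytag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    covers: str        # RR type the signature covers, e.g. "DNSKEY" or "A"
    keytag: int
    algorithm: int


def signaled_algorithms(ds_set, dnskey_set):
    """RFC 4035 section 2.2: every algorithm present in the DS RRset or in the
    DNSKEY RRset must sign every RRset in the zone."""
    return {d.algorithm for d in ds_set} | {k.algorithm for k in dnskey_set}


def strict_check(ds_set, dnskey_set, rrsigs, rrtype):
    """The authoritative-side rule applied to one RRset: every signaled
    algorithm needs an RRSIG covering it. Returns (ok, missing_algorithms)."""
    present = {s.algorithm for s in rrsigs if s.covers == rrtype}
    missing = sorted(signaled_algorithms(ds_set, dnskey_set) - present)
    return (not missing, missing)


def liberal_check(ds_set, dnskey_set, rrsigs, rrtype):
    """Liberal validator behaviour (RFC 6840 section 5.11): the RRset is
    secure if at least one DS-anchored algorithm gives a complete chain
    DS -> KSK -> RRSIG(DNSKEY) by that KSK -> RRSIG(rrtype) by a key of the
    same algorithm. Returns the set of algorithms with a working chain;
    an empty set means the validator finds no path at all."""
    working = set()
    for d in ds_set:
        if not any(k.keytag == d.keytag and k.algorithm == d.algorithm and k.ksk
                   for k in dnskey_set):
            continue
        dnskey_signed = any(s.covers == "DNSKEY" and s.keytag == d.keytag
                            and s.algorithm == d.algorithm for s in rrsigs)
        rrset_signed = any(s.covers == rrtype and s.algorithm == d.algorithm
                           and any(k.keytag == s.keytag and k.algorithm == s.algorithm
                                   for k in dnskey_set)
                           for s in rrsigs)
        if dnskey_signed and rrset_signed:
            working.add(d.algorithm)
    return working


def two_provider_zone(alg_a, alg_b):
    """Assumed multi-signer layout: each provider has its own KSK and ZSK, the
    DNSKEY RRset published by both contains all four keys, the parent holds a
    DS for each KSK, and each provider signs its own copy of the zone with its
    own keys only. Returns (ds_set, dnskey_set, rrsigs) as a validator sees
    them when it happens to query provider A."""
    a_ksk = DNSKEY("provider-a", 11111, alg_a, True)
    a_zsk = DNSKEY("provider-a", 11112, alg_a, False)
    b_ksk = DNSKEY("provider-b", 22222, alg_b, True)
    b_zsk = DNSKEY("provider-b", 22223, alg_b, False)
    dnskey_set = {a_ksk, a_zsk, b_ksk, b_zsk}
    ds_set = {DS(a_ksk.keytag, alg_a), DS(b_ksk.keytag, alg_b)}
    rrsigs_at_a = {RRSIG("DNSKEY", a_ksk.keytag, alg_a),
                   RRSIG("A", a_zsk.keytag, alg_a)}
    return ds_set, dnskey_set, rrsigs_at_a


def report(alg_a, alg_b, rrtype="A"):
    """Run both checks on provider A's copy of one RRset."""
    ds, keys, sigs = two_provider_zone(alg_a, alg_b)
    ok, missing = strict_check(ds, keys, sigs, rrtype)
    return {"strict_ok": ok, "missing": missing,
            "liberal_algs": liberal_check(ds, keys, sigs, rrtype)}


if __name__ == "__main__":
    # Common algorithm: both checks pass.
    print("13/13:", report(13, 13))
    # Mixed algorithms: a liberal validator still accepts via algorithm 13,
    # but the zone violates the rule, since algorithm 8 signs nothing here.
    print("13/8: ", report(13, 8))
```

With a common algorithm both checks pass. With one provider on 13 and the other on 8, a validator that takes any valid path still accepts provider A's answers, which is the "liberal approach works" argument, but the zone as served by A has no algorithm 8 signatures at all, over the DNSKEY RRset or over the data, even though the parent's DS set signals 8. A validator that enforces the per-algorithm rule would treat that as bogus.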