[DNSOP] Paul Wouters' Discuss on draft-ietf-dnsop-rfc5933-bis-12: (with DISCUSS and COMMENT)

Paul Wouters via Datatracker <noreply@ietf.org> Tue, 29 November 2022 20:14 UTC

From: Paul Wouters via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-rfc5933-bis@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com, tjw.ietf@gmail.com
Reply-To: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 29 Nov 2022 12:14:17 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sMh1Ku3k13PSUvREy9s4uCmkUbU>
Subject: [DNSOP] Paul Wouters' Discuss on draft-ietf-dnsop-rfc5933-bis-12: (with DISCUSS and COMMENT)

Paul Wouters has entered the following ballot position for
draft-ietf-dnsop-rfc5933-bis-12: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5933-bis/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I agree with Roman's DISCUSS on the stream of the document, and his proposed
solution.

Additionally, I have some items:

   According to RFC6840 [RFC6840], Section 5.2 systems that
   do not support these algorithms may ignore the RRSIG, DNSKEY and DS
   records created with them.

I do not read that as "may" (lowercase), but more as a MUST. That is, returning
a ServFail when you see these is not allowed. The "may" here means that
this would be a valid response.

   Zone Signing field should be changed to "N".

I believe I already mentioned this before. This change should NOT be made. The
deprecated value is one that was only valid for Zone Signing. Deprecating the
algorithm should not change its existing function.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

   RFC 4033 [RFC4033], RFC 4034 [RFC4034], and RFC 4035 [RFC4035] describe
   these DNS Security Extensions, called DNSSEC.

This document could be the first user of [BCPxx]
(draft-ietf-dnsop-dnssec-bcp, currently at RFC Editor) instead of referencing
an incomplete set of what DNSSEC is.

   Note: Algorithm numbers 23 and 5 are used in this document as an
   example, since the actual numbers have not yet been assigned.

This note should be more clearly marked using [brackets] so that the RFC Editor
knows it is meant for them to remove/update and/or the authors to update upon
their allocation and updated examples
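The RFC 6840 Section 5.2 behaviour the DISCUSS refers to, as an added illustration that is not part of the ballot or the draft: a validator that supports none of the algorithms in a delegation's DS set treats the child zone as insecure (unsigned) rather than bogus, so it never answers SERVFAIL merely because it meets a deprecated algorithm such as GOST R 34.10-2001 (algorithm 12). The DS values, the validator's capability set and the `classify_delegation` helper are constructed for this example.

```python
from dataclasses import dataclass

# Constructed example constants. 12 is GOST R 34.10-2001 (RFC 5933, the
# algorithm this draft deprecates); 13 is ECDSA P-256/SHA-256 (RFC 6605).
# The draft's placeholder number 23 would be handled the same way as 12
# by a validator that does not implement it.
GOST_2001 = 12
ECDSAP256 = 13


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


# Assumption: this validator implements ECDSA P-256 and SHA-256 digests only.
SUPPORTED_ALGORITHMS = {ECDSAP256}
SUPPORTED_DIGESTS = {2}  # DS digest type 2 = SHA-256


def classify_delegation(ds_rrset, rrsig_verified):
    """Classify a delegation per RFC 6840 Section 5.2.

    ds_rrset: DS records already validated in the parent zone.
    rrsig_verified: algorithm -> True if at least one RRSIG of that
        algorithm over the child's DNSKEY RRset verified (hypothetical
        result of the cryptographic check, supplied by the caller).
    Returns "insecure", "secure" or "bogus".
    """
    usable = [ds for ds in ds_rrset
              if ds.algorithm in SUPPORTED_ALGORITHMS
              and ds.digest_type in SUPPORTED_DIGESTS]
    if not usable:
        # No DS this validator can act on: the zone is treated as unsigned.
        # Returning SERVFAIL here is what the ballot says is not allowed.
        return "insecure"
    # Only one supported algorithm needs to verify (RFC 6840 Section 5.11).
    if any(rrsig_verified.get(ds.algorithm, False) for ds in usable):
        return "secure"
    # A supported algorithm was advertised in DS but nothing verified.
    return "bogus"
```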