Re: [DNSOP] Fracturing the protocol - was Re: Updated cheese-shop.

Shane Kerr <shane@time-travellers.org> Mon, 29 February 2016 14:12 UTC

Date: Mon, 29 Feb 2016 15:12:20 +0100
From: Shane Kerr <shane@time-travellers.org>
To: Edward Lewis <edward.lewis@icann.org>
Message-ID: <20160229151220.7d7e9643@pallas.home.time-travellers.org>
In-Reply-To: <D2F9A5BA.13FE2%edward.lewis@icann.org>
References: <D2F9A5BA.13FE2%edward.lewis@icann.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/tChuk3alkmMZsIHi8TD6Y6avzzE>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Fracturing the protocol - was Re: Updated cheese-shop.

Ed,

At 2016-02-29 12:51:16 +0000
Edward Lewis <edward.lewis@icann.org> wrote:

> On 2/25/16, 17:58, "DNSOP on behalf of Warren Kumari"
> <dnsop-bounces@ietf.org on behalf of warren@kumari.net> wrote:
> 
> >We have recently updated "Believing NSEC records in the DNS root"
> >(https://tools.ietf.org/html/draft-wkumari-dnsop-cheese-shop-01).  
> 
> My objection to this document is based on the draft's proposal to specify
> a change to the protocol based on the data being carried in one particular
> deployment of the protocol.

Interesting concern, although I don't see how it can be otherwise. We
don't know what the properties of future protocols will be, so I don't
know how we can specify what the behavior of resolvers using such
protocols would be.

> If the DNS is built to assume that the root zone is DNSSEC signed with
> NSEC records and this is then "burned into software" the other
> inter-networks will be given the choice of having to turn on DNSSEC and
> NSEC for their root zone or developing other software.  (Or...other
> inconvenient mitigations.)

Can't a couple of sentences address this concern?

"If the root zone is not DNSSEC signed with NSEC records then the
Cheese Shop is closed and this document does not apply. Resolvers MUST
continue to work in such an environment."

Cheers,

--
Shane
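The two sentences Shane proposes amount to a gate in front of the "believe root NSEC records" behaviour: if the root zone a resolver is talking to is not DNSSEC-signed with NSEC, the resolver must behave exactly as before. The block below is an added illustration (not code from the cheese-shop draft, nor from anyone on this thread) of what that gate and the NSEC "covering" test look like in a resolver. The record set, the RootCache/denial field and the function names are assumptions made for the example; the root NSEC chain is constructed and is not the real root zone.

```python
# Added illustration: gating "believe root NSEC records" on the root zone
# actually being NSEC-signed, plus the NSEC range check that such denial
# relies on. Names, the cache layout and the sample chain are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Nsec:
    owner: str      # owner name, e.g. "com."
    next_name: str  # next owner name in canonical order, e.g. "coop."


@dataclass
class RootCache:
    # What the resolver has validated about the root it is using.
    # denial is "NSEC", "NSEC3" or None (unsigned root); only "NSEC" opens
    # the Cheese Shop. nsec holds validated root NSEC records.
    denial: Optional[str] = None
    nsec: List[Nsec] = field(default_factory=list)


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """DNSSEC canonical ordering (RFC 4034 section 6.1): labels are compared
    from the root downward as lowercased octet strings; a name that is a
    prefix of another sorts first, which tuple comparison gives for free.
    The root itself maps to the empty tuple."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_covers(rr: Nsec, qname: str) -> bool:
    """True if qname lies strictly between rr.owner and rr.next_name in
    canonical order, i.e. this NSEC proves qname does not exist. The last
    NSEC of a zone points back at the apex, so its range wraps around."""
    k_owner = canonical_key(rr.owner)
    k_next = canonical_key(rr.next_name)
    k_q = canonical_key(qname)
    if k_owner < k_next:
        return k_owner < k_q < k_next
    return k_q > k_owner or k_q < k_next  # wrap-around at end of zone


def synthesize_root_answer(qname: str, cache: RootCache) -> Optional[str]:
    """Return "NXDOMAIN" if validated root NSEC records prove the top-level
    label of qname does not exist; return None when the resolver must fall
    back to its ordinary behaviour and send the query upstream.

    The first check is the gate from the thread: with an unsigned or
    NSEC3-signed root the Cheese Shop is closed and nothing is synthesized.
    """
    if cache.denial != "NSEC" or not cache.nsec:
        return None
    labels = [l for l in qname.rstrip(".").split(".") if l]
    if not labels:
        return None  # the root itself exists
    tld = labels[-1] + "."
    k_tld = canonical_key(tld)
    # An NSEC with the TLD as owner means the TLD exists (delegated or not);
    # root NSEC records say nothing about names below that delegation.
    if any(canonical_key(rr.owner) == k_tld for rr in cache.nsec):
        return None
    if any(nsec_covers(rr, tld) for rr in cache.nsec):
        return "NXDOMAIN"
    return None  # no covering record cached: ask upstream as usual


# Constructed sample chain (NOT the real root zone): a tiny root with the
# TLDs aaa, com, coop and zw, NSEC-signed.
CONSTRUCTED_ROOT_NSEC = RootCache(
    denial="NSEC",
    nsec=[
        Nsec(".", "aaa."),
        Nsec("aaa.", "com."),
        Nsec("com.", "coop."),
        Nsec("coop.", "zw."),
        Nsec("zw.", "."),
    ],
)

# The same root, but signed with NSEP3 style denial or not at all: closed shop.
CONSTRUCTED_ROOT_NSEC3 = RootCache(denial="NSEC3")
CONSTRUCTED_ROOT_UNSIGNED = RootCache(denial=None)

if __name__ == "__main__":
    for q in ["example.cheese.", "example.com.", "Example.ZZZ.", "."]:
        print(q, synthesize_root_answer(q, CONSTRUCTED_ROOT_NSEC))
    print("cheese. with NSEC3 root:",
          synthesize_root_answer("cheese.", CONSTRUCTED_ROOT_NSEC3))
```

The point of the split is that `synthesize_root_answer` never changes what a resolver does when the gate fails: it returns None and the query goes upstream exactly as it would have before the draft existed, which is the guarantee the proposed "Resolvers MUST continue to work" sentence asks for.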