Re: [DNSOP] Alissa Cooper's No Objection on draft-ietf-dnsop-negative-trust-anchors-10: (with COMMENT)
Olafur Gudmundsson <olafur@cloudflare.com> Thu, 09 July 2015 15:29 UTC
Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C131B2AA0 for <dnsop@ietfa.amsl.com>; Thu, 9 Jul 2015 08:29:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UzL402LQLNh1 for <dnsop@ietfa.amsl.com>; Thu, 9 Jul 2015 08:29:14 -0700 (PDT)
Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 685BD1B2A9B for <dnsop@ietf.org>; Thu, 9 Jul 2015 08:29:13 -0700 (PDT)
Received: by lbbpo10 with SMTP id po10so77239598lbb.3 for <dnsop@ietf.org>; Thu, 09 Jul 2015 08:29:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=gGSzNYb9ydYJcG36RdLBOw41vBiZz6K0Qcv0KmfRjVc=; b=UtGhkwNp9gQiyOeomuXBDxSL+y2k5ObkX1GiV+89UPAlF5zoTwwFJS9TBnz8dOeqtH 7jEjiXpgW91DA7/GGWp1AttByJdre+j2i20gnq5OVq++JtQxTgT0AbJiHkhZmY8d4/MM nCS+9KTAOCNxi9ofNC/a78F9rkFqy95U2Jro0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=gGSzNYb9ydYJcG36RdLBOw41vBiZz6K0Qcv0KmfRjVc=; b=S/IcN1owbe2vVG8b0+0C7KshoHAdI8leYbgATYufTapULmgrcx7DRJ7l6WLrMlEDHk gObsV77qr0T2Yp/vQ29Ht0Xd9dwtNP4ZdKfjLKxfDFzAXpHuTeixYJIazxwyXBea/GG3 5/xUVQj1RRVautuKll/A/QH5WVv2PJmTKjZ/SpIQJqvZlAXXBbBjUh3VJ4FPzhsSo8NR DTcwflLCkOBTTPNQAjSx1yeLflXX5XiT8wA4Z6+kccg8p7UWK7MmMGZs1j4+vnoWER+Z tsyy52gMck6eMWfp4VqfOCCVOfZR1ZitZTkjNSVOdF4DlMthQoaYYOiQ5OrK3qybqbxD M6CQ==
X-Gm-Message-State: ALoCoQmx2El8v7TjMT7N9MfvorvNf1ZArXstoZ4UJ+ksp19LZdBCFYXTQjYqQZzi3uK63LXvifuc
MIME-Version: 1.0
X-Received: by 10.112.137.97 with SMTP id qh1mr7336580lbb.1.1436455751791; Thu, 09 Jul 2015 08:29:11 -0700 (PDT)
Received: by 10.152.111.134 with HTTP; Thu, 9 Jul 2015 08:29:11 -0700 (PDT)
In-Reply-To: <16533673-B804-4F47-9427-3D2701E66344@gmail.com>
References: <20150708225400.20543.78092.idtracker@ietfa.amsl.com> <CAHw9_iJ9LPDhhdDby4QW6K354P7rEuxOjTbAVdSmd2td7AAJnw@mail.gmail.com> <20150709031114.GA78479@isc.org> <16533673-B804-4F47-9427-3D2701E66344@gmail.com>
Date: Thu, 09 Jul 2015 11:29:11 -0400
Message-ID: <CAN6NTqwSqg0Y3_fPuM9Xs3OQ9gi2QuJUaBWXjGuRmbs01_M-Rw@mail.gmail.com>
From: Olafur Gudmundsson <olafur@cloudflare.com>
To: Suzanne Woolf <suzworldwide@gmail.com>
Content-Type: multipart/alternative; boundary="089e01182818d24da1051a72eac0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/tTkB8CljPHtnbuhCwCDqwSXTl0A>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dnsop-negative-trust-anchors.ad@ietf.org, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>, Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>, draft-ietf-dnsop-negative-trust-anchors.shepherd@ietf.org, Evan Hunt <each@isc.org>, draft-ietf-dnsop-negative-trust-anchors@ietf.org
Subject: Re: [DNSOP] Alissa Cooper's No Objection on draft-ietf-dnsop-negative-trust-anchors-10: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 15:29:16 -0000
On Thu, Jul 9, 2015 at 9:23 AM, Suzanne Woolf <suzworldwide@gmail.com> wrote: > (No hats, and no strong feelings-- a minor point.) > > On Jul 8, 2015, at 11:11 PM, Evan Hunt <each@isc.org> wrote: > > > On Wed, Jul 08, 2015 at 09:50:09PM -0400, Warren Kumari wrote: > >> Less flippantly, it is in this email: > >> https://www.ietf.org/mail-archive/web/dnsop/current/msg13004.html I > >> don't think that we have a really good motivation for a week, other > >> than that is feels sort of like a good, human scale timeframe to > >> recheck on things. We really want there to be a limit on the lifetime, > >> a week felt right... > > > > Yep, that's pretty much it, right there. A day isn't enough (we had > > feedback from customers to this effect) but anything longer than a week > > strikes me as much too likely to fall off operators' radar. Though the > > limit is arbitrary, I do believe that we need to assert *some* limit, > > on this approximate time scale. > > OK, so….vendor feedback from customers sounds like a motivation that's > perfectly appropriate to document. "There's limited experience with what > this value should be, but at least one large vendor has documented customer > feedback suggesting that a week is reasonable based on expectations of how > long failures take to fix or to be forgotten. Operational experience may > further refine these expectations." > > Agreed that there MUST be an expiration set (Sec. 2) but MUST (or even > MUST NOT) always seems weird to me on a specific value, especially given > that there's a SHOULD in Sec. 2 about letting the operator set the duration. > > How about: "NTAs MUST expire automatically when their configured lifetime > ends. The lifetime SHOULD NOT exceed a week." > > This allows for enforcement in code if Evan wants, without requiring it. > :-) > > Strictly speaking the minimum time needed for a Negative Trust anchor is something like Domain_Operator_reaction_time + Parent_reaction_time + Parent DS TTL + DNSKEY TTL We do not know how long the reaction times are for either the domain operator nor the Parent, once both have acted we the change is still hostage of the TTL values selected by the two operators. >From a large sample of DNSKEY and DS I have (few months old) majority of parents set DS TTL to a day or more. Com./net./org/info/root are 1D. fr./ovh. are 2D Thus if a domain in fr. requires a negative trust anchor the MINIMAL time needed for that trust anchor is 3 days. On the other hand a domain in com.br is a day. Summary: giving out a general conservative rule is OK, as predicting the the total recovery time is impossible as only the lower bound can be estimated. Olafur
- [DNSOP] Alissa Cooper's No Objection on draft-iet… Alissa Cooper
- Re: [DNSOP] Alissa Cooper's No Objection on draft… Warren Kumari
- Re: [DNSOP] Alissa Cooper's No Objection on draft… Evan Hunt
- Re: [DNSOP] Alissa Cooper's No Objection on draft… Jaap Akkerhuis
- Re: [DNSOP] Alissa Cooper's No Objection on draft… Suzanne Woolf
- Re: [DNSOP] Alissa Cooper's No Objection on draft… Olafur Gudmundsson
- Re: [DNSOP] Alissa Cooper's No Objection on draft… Evan Hunt
- Re: [DNSOP] Alissa Cooper's No Objection on draft… Livingood, Jason