Re: [DNSOP] The DNSOP WG has placed draft-wessels-edns-key-tag in state "Candidate for WG Adoption"

Bob Harold <> Thu, 05 November 2015 17:02 UTC

On Wed, Nov 4, 2015 at 9:19 PM, IETF Secretariat <> wrote:

> The DNSOP WG has placed draft-wessels-edns-key-tag in state
> Candidate for WG Adoption (entered by Tim Wicinski)
> The document is available at

I freely admit to not being an expert on DNSSEC.  Some questions, if they
make sense:

5.2.1 - If the Stub Resolver is validating, then perhaps the recursive
resolver should just pass the stub resolver's list of keys, so the Auth
server knows whether the stub can validate with the new keys?  The
Recursive will likely send other queries with its own key set, so the Auth
server can get both sets of information - but will it understand the
difference, or should we send forwarded keys separately?

In general, this lets us know that some servers have the new key, but is
there any way in the process where we can mark a key as 'old' but still
usable and wait until resolvers quit sending it, before we remove it?  Or
is that too complicated?

Bob Harold