IETF Logo Mail Archive

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Warren Kumari <warren@kumari.net> Sun, 19 January 2020 02:17 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FC71120043 for <dnsop@ietfa.amsl.com>; Sat, 18 Jan 2020 18:17:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kdpbzzZfls-R for <dnsop@ietfa.amsl.com>; Sat, 18 Jan 2020 18:17:35 -0800 (PST)
Received: from mail-qk1-x742.google.com (mail-qk1-x742.google.com [IPv6:2607:f8b0:4864:20::742]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 115DA12003E for <dnsop@ietf.org>; Sat, 18 Jan 2020 18:17:34 -0800 (PST)
Received: by mail-qk1-x742.google.com with SMTP id c16so26797387qko.6 for <dnsop@ietf.org>; Sat, 18 Jan 2020 18:17:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=e7QocVtD8H/T5gEjloHkZynQnx6TeiqI4CJnwJeAb0A=; b=0pm3HnAqbEpuKPAxv4+/PUJFBSbkYfcwkzd5vaH/WQMlJ7DWmT+uxSQ1DuI61RhV1G BIAWybwpDtbQYaaRjDACAUc2fulaTSt7oc3REtLdxptWlXnFiHWFpfQA5wIRupDXtIkp j50s8/J2jHo9HwRZ1GMNWJsvg3FaCNRYHvj+7+y1eKSmUkXtWhN1oWJ96uJnXpOMsAw1 EdfE+td8Pc2v1sUt8b/+GRE2O7ENp16340cMR4EtaN5mNqgnqIokiB9PtYdOuK+iB27T WE1+65UBfGwJbWfoLOELNAGe5qh3bDJ/YJ9mmwd4SBQGL5Zmb5d2btHrflOI0uM08RJZ 12oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=e7QocVtD8H/T5gEjloHkZynQnx6TeiqI4CJnwJeAb0A=; b=YUo9IOc2tWciSUTz7c88H5BYjcnzX7Ga9GoBi879+vH27LLmxpH0njohtVgLizQ0K7 6Zlcks6UUDdVARmcBN12F5oIlw5q3019r2bpj+oCPckvdXGz2mRsLW19VxwHwBBeWk7N nZX2sMIoNKVQXKi5FaQ1Ygwzq/pDVKCPXQrh5Jmrw6yNx/H5+HrF+ZoSghMC0gLK5w5G e86tetNGHZJ/1K5HZcoNXFhB7O1GpC9IM0M0ZZiGJbbJ/jvtYsimWHhCFm8WH95FcksM EtpNTT0adiDs2mw1hitjTQIWSlSH0vxVzAPf8RMAzcUCeTm23QHAaLp4SIKmMsvbNWYG iKMw==
X-Gm-Message-State: APjAAAU2KIRIZodrwmxAQywBkwlV4sTrPKCu9P7pkQCGOMxYWi5KbcHU 3tOPGkDNXr1jYV4W4zaR+MXwpiX59D8MG/WxFSKURw==
X-Google-Smtp-Source: APXvYqzc3uRATODQHuW0c4gS0TvlETNsJUgEnsid7YzEyOpZYktwZUEg4uqQb0eyGEoar9X+6h/VhWuNultE7+boZ1A=
X-Received: by 2002:a05:620a:166a:: with SMTP id d10mr44431644qko.37.1579400253221; Sat, 18 Jan 2020 18:17:33 -0800 (PST)
MIME-Version: 1.0
References: <CAHw9_iLFuSbdA2TFS4Qd2dAzDFJyJgfQGY1+T2c2JQZ3WTat_A@mail.gmail.com> <CAHw9_iJJx3nJx8tZABXkJMnuoS+ALAoSq6q98JT2SOR-1uAPxw@mail.gmail.com> <CAHPuVdV=XDKNPv+hjhncqo_vdGtgnZc=sHHCL_4fipBT6kKZcA@mail.gmail.com>
In-Reply-To: <CAHPuVdV=XDKNPv+hjhncqo_vdGtgnZc=sHHCL_4fipBT6kKZcA@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Sat, 18 Jan 2020 21:16:57 -0500
Message-ID: <CAHw9_i+xne8vfbGbcC9Hipi_dXx-94=+b=+aEY4dU6-i8R=zHw@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: draft-ietf-dnsop-multi-provider-dnssec@ietf.org, dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vYCZhN5eQTVO6GSd_ho28ENihW4>
Subject: Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jan 2020 02:17:38 -0000

On Sat, Jan 18, 2020 at 8:43 PM Shumon Huque <shuque@gmail.com> wrote:
>
> Hi Warren,
>
> Sorry for the delay - I just got back from a vacation, and am catching up with email.
>
> I will respond to your comments in the next day or two. Thanks for your patience!

No worries, I just wanted to make sure y'all had seen this, and that I
hadn't missed something / wasn't causing delay.

W


>
> Shumon.
>
> On Sat, Jan 18, 2020 at 5:58 PM Warren Kumari <warren@kumari.net> wrote:
>>
>> Checking in again...
>> W
>>
>> On Sun, Jan 12, 2020 at 9:23 PM Warren Kumari <warren@kumari.net> wrote:
>> >
>> > Hi there,
>> >
>> > Firstly, thank you for a well written and easy to understand document.
>> >
>> > I have some comments which I think should be addressed before I start
>> > IETF LC, but they are small enough that if you'd much prefer you can
>> > just address them after during / after LC (if changes are needed), or
>> > during IESG review.
>> > Please let me know LOUDLY which you'd prefer.
>> >
>> > 1: Section 3: 3. Validating Resolver Behavior
>> > I think it would be very useful to mention that this document doesn't
>> > require any changes to the behavior of validating resolvers
>> > themselves. It might also be worth mentioning somewhere that this is
>> > also largely true for authoritative servers - this isn't really a
>> > protocol change, rather an operational / process set of changes.
>> >
>> > 2: " Zone owners will want to deploy a DNS service that responds as
>> >    efficiently as possible with validatable answers only, and hence it
>> >    is important that the DNSKEY RRset at each provider is maintained
>> >    with the active ZSKs of all participating providers."
>> > This is somewhat ambiguous - it sounds like the zone owner may want to
>> > deploy a service that is only efficient with verifiable answers (and
>> > might be inefficient with bogus ones :-))
>> >
>> > 3: A question -- "Authenticated Denial Considerations"
>> > Some CDNs and similar do funny things with e.g CNAMEs, or may do
>> > something like generate ACME records or similar. What happens if
>> > provider A creates e.g _acme-challenge.example.com (or www.example.com
>> > IN 600 CNAME some-long-account-number.cdn.net) and doesn't tell
>> > provider B? I understand that the owner names *should* be consistent,
>> > but I think it is worth adding some text here along the lines of "here
>> > be dragons" or similar...
>> >
>> > 4: The document uses one inceanse of RFC2119 language (RECOMMENDED) -
>> > please either drop this, or add the 2119 / 8174 boilerplate.
>> >
>> > Again, I'm willing to start IETF LC, or wait till you've posted a new
>> > version, but please let me know.
>> > W
>> >
>> >
>> > --
>> > I don't think the execution is relevant when it was obviously a bad
>> > idea in the first place.
>> > This is like putting rabid weasels in your pants, and later expressing
>> > regret at having chosen those particular rabid weasels and that pair
>> > of pants.
>> >    ---maf
>>
>>
>>
>> --
>> I don't think the execution is relevant when it was obviously a bad
>> idea in the first place.
>> This is like putting rabid weasels in your pants, and later expressing
>> regret at having chosen those particular rabid weasels and that pair
>> of pants.
>>    ---maf



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email