Re: [DNSOP] General comments on draft-kumari-ogud-dnsop-cds-01
Marc Lampo <marc.lampo.ietf@gmail.com> Thu, 28 February 2013 07:23 UTC
Return-Path: <marc.lampo.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA02221F8AF2 for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2013 23:23:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GrIm8nyikN8s for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2013 23:23:06 -0800 (PST)
Received: from mail-ve0-f182.google.com (mail-ve0-f182.google.com [209.85.128.182]) by ietfa.amsl.com (Postfix) with ESMTP id C913721F8ACE for <dnsop@ietf.org>; Wed, 27 Feb 2013 23:23:05 -0800 (PST)
Received: by mail-ve0-f182.google.com with SMTP id ox1so1473706veb.41 for <dnsop@ietf.org>; Wed, 27 Feb 2013 23:23:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=pS6QPL3nYr5kv6pRFw0XmG/zqdNbxrtr2+XnrBR6YzU=; b=YqNuzs5B+ibhmx7YOxtVwuDWJI5QJ8UjiR41J5B+s4uqtPWa325HfwyFU5bsIvZw6d 8uPr160jZoc/34j8PqWA72eL7sSmS/Y9ETY5x4HXdxL7KowrKDmaj7HhbhHHv88MpjMT ldfY9APcDHZPnZxdtaL/9hc0q0MzWkIV+NlyiGGDOiTxPanxPpGezK6ZIjWqVaaKQOap 2NzSuBXmUB6FLDFMOuGV92c2gAXVuEQcrCxfCtVbrbY+VUDWhFQaWC3wqeFple5fXoYA A+a2x/TH6B9TC5z2fwJCQ+bLfUxhBUQwXfb4iaL3JgPbnYMLZZvj4lwb9+yl5/ColN5n 3pxA==
MIME-Version: 1.0
X-Received: by 10.220.40.9 with SMTP id i9mr2122780vce.23.1362036185314; Wed, 27 Feb 2013 23:23:05 -0800 (PST)
Received: by 10.58.163.100 with HTTP; Wed, 27 Feb 2013 23:23:05 -0800 (PST)
In-Reply-To: <4AAE2A31-DBD9-4D4D-B233-FFF5A44D4041@neustar.biz>
References: <20130218210600.19691.97544.idtracker@ietfa.amsl.com> <31B601E4-AE9E-48B2-8D6F-5E8FE6044FE2@kumari.net> <alpine.LFD.2.03.1302191020390.7608@nohats.ca> <512BDC8B.3070602@ogud.com> <alpine.LFD.2.03.1302251722090.4548@nohats.ca> <512CCEB4.3040403@ogud.com> <4AAE2A31-DBD9-4D4D-B233-FFF5A44D4041@neustar.biz>
Date: Thu, 28 Feb 2013 08:23:05 +0100
Message-ID: <CAB0C4xO48fhbU46rFg_cj2xFMkoyurdhxpbDX+nHDUMbfuWPHw@mail.gmail.com>
From: Marc Lampo <marc.lampo.ietf@gmail.com>
To: Edward Lewis <ed.lewis@neustar.biz>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] General comments on draft-kumari-ogud-dnsop-cds-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 07:23:07 -0000
Hello, somewhat more words but in line with what I was suggesting, a couple of days ago, about adding "operation code" to CDS RDATA. This still feel like a good idea, worth elaborating, I'd see. I support this. Kind regards, Marc Lampo On Thu, Feb 28, 2013 at 7:56 AM, Edward Lewis <ed.lewis@neustar.biz> wrote: > Having quickly read the -01 for Automating DNSSEC delegation trust > maintenance: > > I'd like to propose a twist. Comparing to X.509, a CDS record is kinda > sorta like a key signing request. For that reason I want to see an explicit > "request" in the RDATA and not have anything implied. > > I would suggest that the RDATA of it *not* be the same as the DS record. > There should be an explicit RDATA element instructing the parent what to do > with the request. Probably some other ancillary data will be needed too. > > I would not specify how the parent "discovers" the CDS. Just as for AXFR, > knowing how AXFR works is different from why it is called. I say this > because in some scenarios I can see the parent scanning the children and in > others there will be an event driven reason to look for the CDS set at a > child. In some cases "scraping" is optimal, in some cases "explicit" is > optimal. > > The CDS has to do this: > > 1. Let the parent know whether it is a request for new DS records or whether > this is a request to delete DS records. (Plural referring to the fact that > a SEP might have more than one DS record.) > > 2. Let the parent know when this request was first posted (so that the > parent can tell if it did this one before). I.e., a 32 bit timestamp viewed > as a yyymm-etc. like the RRSIGs do. Or it could be the serial number of the > zone when the request was added (although that might be hard for a tool to > determine). But - goal is - something to let the parent know when this > request appeared so that the parent can guess whether it has already > responded to it. > > 3. Let the parent know the RDATA of the DS records that are desired. > > What #3 hints at is the case where DS records are requested for a DNSKEY > that is not (yet) published in the child zone. There is a DS record in the > root zone for a ccTLD that points to no existing record - an example that > this is done. > > I'd like to see one CDS per DNSKEY state change. It is up to the child to > groom the CDS set, that is, once the parent has granted the request (which > can be seen by asking the parent) the child has the onus to remove the CDS - > but as protocol designers we have to account for the case where a child does > not remove a CDS (ever), and might in fact have a CDS to add a key and > another to delete the key. > > Other considerations. I left off "urgent" or "due time" because those > features generally are overkill. For urgent matters, that falls under the > "why" category and not the "how" category. And "how" is what we need to > define. > > For example, a zone has KSKs with footprints/ids of 11111 and 22222 and is > flipping to the latter: > > zone.tld. 1800 IN CDS DELETE 20130201000000 11111 7 1 > DFB91171CF0FB1DC48B2CEB8DD9A173CC1A28E55 2 > 4052E3B1BF483C993C018AA3513065A61E7FE842C60C03F44B0ACCFFE011E0A7 > zone.tld. 1800 IN CDS ADD 20130201000000 22222 7 1 > DFB91171CF0FB1DC48B2CEB8DD9A173CC1A28E55 2 > 4052E3B1BF483C993C018AA3513065A61E7FE842C60C03F44B0ACCFFE011E0A7 > > The hash in the DELETE is over kill. Perhaps for that just the footprint is > needed (unless you want to delete one or the other hash only). > > Here's a meltdown case that I want to smooth over (with hashes elided): > > zone.tld. 1800 IN CDS ADD 20130201000000 22222 7 ... > zone.tld. 1800 IN CDS DELETE 20130301000000 22222 ... > > In this case, the child forgot to remove the add request when it decided to > do the delete. (No intention of allowing the timestamp to be a schedule - > even though I show a future date in the example, I did that just for > convenience.) The parent should know then to delete what it has for 22222, > whether or not it ever added the DS. (E.g., if the two records popped up > together with the same timestamp.) > > PS - looking at the email addresses for the authors: so it is true, Warren > and George are the same person! > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Fwd: New Version Notification for draft-k… Warren Kumari
- Re: [DNSOP] Fwd: New Version Notification fordraf… Stephan Lagerholm
- Re: [DNSOP] Fwd: New Version Notification fordraf… Olafur Gudmundsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-ku… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-ku… Jacques Latour
- Re: [DNSOP] Fwd: New Version Notification for dra… Marc Lampo
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-ku… Scott Rose
- Re: [DNSOP] New Version Notification for draft-ku… Antoin Verschuren
- Re: [DNSOP] Fwd: New Version Notification for dra… Olafur Gudmundsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Olafur Gudmundsson
- [DNSOP] General comments on draft-kumari-ogud-dns… Edward Lewis
- Re: [DNSOP] General comments on draft-kumari-ogud… Marc Lampo
- Re: [DNSOP] General comments on draft-kumari-ogud… Edward Lewis
- Re: [DNSOP] General comments on draft-kumari-ogud… Tony Finch
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Tony Finch
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Olafur Gudmundsson
- Re: [DNSOP] General comments on draft-kumari-ogud… Edward Lewis
- Re: [DNSOP] General comments on draft-kumari-ogud… Edward Lewis
- Re: [DNSOP] General comments on draft-kumari-ogud… Tony Finch
- Re: [DNSOP] General comments on draft-kumari-ogud… Stephan Lagerholm
- Re: [DNSOP] General comments on draft-kumari-ogud… Tony Finch
- Re: [DNSOP] General comments on draft-kumari-ogud… Edward Lewis
- Re: [DNSOP] General comments on draft-kumari-ogud… Olafur Gudmundsson
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Stephan Lagerholm
- Re: [DNSOP] General comments on draft-kumari-ogud… Antoin Verschuren
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Antoin Verschuren
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Antoin Verschuren
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Antoin Verschuren
- Re: [DNSOP] General comments on draft-kumari-ogud… Olafur Gudmundsson
- Re: [DNSOP] General comments on draft-kumari-ogud… Antoin Verschuren
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Hoffman
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Ralf Weber
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Hoffman
- Re: [DNSOP] General comments on draft-kumari-ogud… Miek Gieben
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Hoffman
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- [DNSOP] F2F meeting in Orlando Re: General commen… Olafur Gudmundsson
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] F2F meeting in Orlando Re: General co… Paul Hoffman
- Re: [DNSOP] General comments on draft-kumari-ogud… Chris Thompson
- Re: [DNSOP] F2F meeting in Orlando Re: General co… Olafur Gudmundsson
- Re: [DNSOP] F2F meeting in Orlando Re: General co… Paul Hoffman
- Re: [DNSOP] F2F meeting in Orlando Re: General co… Olafur Gudmundsson
- Re: [DNSOP] General comments on draft-kumari-ogud… Tony Finch
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Tony Finch
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Mark Andrews
- Re: [DNSOP] General comments on draft-kumari-ogud… Johan Ihrén
- Re: [DNSOP] General comments on draft-kumari-ogud… Mark Andrews
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Alan Clegg
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Paul Wouters
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley
- Re: [DNSOP] General comments on draft-kumari-ogud… Doug Barton
- Re: [DNSOP] General comments on draft-kumari-ogud… Joe Abley