Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

Mark Andrews <marka@isc.org> Mon, 05 October 2015 22:19 UTC

To: Suzanne Woolf <suzworldwide@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <0E4AA958-7740-4602-A3CF-D2E481DBC15E@hopcount.ca> <20150928155325.GA63874@gaon.net> <20150929095301.32c3e6a3@casual> <13F1D87F-1C07-40EB-86B0-564C4109C9B0@virtualized.org> <1973252D-924F-4EF1-A38F-5EC01AD331F6@gmail.com> <FDD04DCC-59C5-41F5-8CAF-1EF31CD65A34@virtualized.org> <63E1E01E-C172-4A0F-B434-F796546BB657@gmail.com> <C4FA9FA6-76E3-4FF3-862B-C5C0DF75C761@kirei.se> <D1C15986-603E-4932-B551-0497638D9849@vpnc.org> <02869F43-87A4-4797-8FD3-276C02DF665D@kirei.se> <EEA946B1-8BF3-4AB7-99D2-4C8CDCCF0EC0@vpnc.org> <F412CE02-C0BA-425E-BBF9-3A40B2B5FEA7@vpnc.org> <9F52E6FC-E503-4E3A-9998-363BF514CC1A@hopcount.ca> <D2C7120E-D13A-4372-8A8D-FE16DDDB5AEA@vpnc.org> <6CE2A233-0CD3-4490-BDDE-A0E82B305F05@hopcount.ca> <97AFB21E-9233-4753-8F89-A6AC6C6B079B@vpnc.org> <A1B41B27-AFB0-4B42-9F46-AA1D8D5D00F6@hopcount.ca> <D3A29F92-2A24-4CEC-93CF-164BD2497C1E@vpnc.org> <BFB819A9-9C50-4049-A5F0-5054CD86EC94@hopcount.ca> <70FA923D-C067-492E-A1EA-7B88754C2D5B@gmail.com>
In-reply-to: Your message of "Mon, 05 Oct 2015 17:42:26 -0400." <70FA923D-C067-492E-A1EA-7B88754C2D5B@gmail.com>
Date: Tue, 06 Oct 2015 09:19:13 +1100
Message-Id: <20151005221913.418B83938699@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/wkEdGoFaZqJ7Up6t5FpCtQFvCyc>
Cc: dnsop WG <dnsop@ietf.org>, Joe Abley <jabley@hopcount.ca>
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

For BIND it is essentially useless as we use DNSKEYs as our trust
anchors.  You can go from a DNSKEY to a DS record.  You can't go
from a DS record to a DNSKEY, you can only select from a set of
DNSKEYs the one or more (not that I expect that to ever happen)
that matches a DS.

If you are going to publish trust anchors they should be easy to
use.  No one types in DS or DNSKEY records so data length really
shouldn't be a consideration.  They are all entered using cut-and-paste.
There is no reason to only publish DS records.

Mark

In message <70FA923D-C067-492E-A1EA-7B88754C2D5B@gmail.com>, Suzanne Woolf writes:
> All,
> 
> First, thanks to the engaging on this.
> 
> On Oct 5, 2015, at 5:20 PM, "Joe Abley" <jabley@hopcount.ca> wrote:
> > 
> > Perhaps it's time to sit back and wait for others here to express an opinion.
> 
> I'd like to hear opinions from others in the WG with an operational interest in the DNSSEC root trust anchor.
> 
> Does this document meet a need you have? If so, how well does it meet the need, and what would it take (if anything) for the document to meet that need more effectively?
> 
> I'm trying not to put the mechanics (whether/how/by whom published) ahead of the actual purpose of publishing.
> 
> 
> thanks,
> Suzanne
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
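The one-way relationship Mark describes (a DS is a hash over the owner name and the DNSKEY RDATA, so a DS can only be used to pick a matching key out of a set of candidate DNSKEYs, never to reconstruct one) can be shown in code. The following is an added example written for this archive page; it is not code from ISC, BIND, or the draft under discussion. It follows RFC 4034 (key tag, DS digest input) and RFC 4509 (SHA-256 digest type 2), supports only digest type 2, and uses a constructed 8-byte placeholder public key rather than any real trust anchor.

```python
"""Added example (not ISC/BIND/draft code): DNSKEY -> DS derivation per
RFC 4034 / RFC 4509, and DS -> DNSKEY "selection" from a candidate set.
The key material below is constructed for illustration only."""
import base64
import hashlib
from dataclasses import dataclass

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels,
    terminated by the root (zero-length) label.  "." becomes b"\\x00"."""
    name = name.lower().rstrip(".")
    wire = b""
    for label in filter(None, name.split(".")):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def from_text(cls, owner: str, rdata_text: str) -> "DNSKEY":
        """Parse presentation-format RDATA, e.g. '257 3 8 AQID...' (the form
        people cut-and-paste); base64 may be split across several fields."""
        flags, proto, alg, *b64 = rdata_text.split()
        return cls(owner, int(flags), int(proto), int(alg),
                   base64.b64decode("".join(b64)))

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (the generic rule; algorithm 1 differs)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def to_text(self) -> str:
        """Presentation format: 'keytag algorithm digest-type HEXDIGEST'."""
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.hex().upper()}"


def ds_from_dnskey(key: DNSKEY, digest_type: int = SHA256_DIGEST_TYPE) -> DS:
    """DNSKEY -> DS is a one-way hash over owner-name wire form + DNSKEY RDATA,
    so nothing about the public key can be recovered from the DS itself."""
    if digest_type != SHA256_DIGEST_TYPE:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    digest = hashlib.sha256(name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def select_dnskeys(candidates, ds: DS) -> list:
    """The only way 'back' from a DS: keep the candidate DNSKEY(s) whose key tag,
    algorithm and recomputed digest all match.  With no candidates (e.g. a
    resolver that was handed only a DS and has no DNSKEY RRset) the result is
    empty, which is exactly the limitation described in the message above."""
    return [k for k in candidates
            if k.key_tag() == ds.key_tag
            and k.algorithm == ds.algorithm
            and ds_from_dnskey(k, ds.digest_type).digest == ds.digest]


# Constructed sample KSK (NOT a real trust anchor): flags 257 = SEP/KSK,
# protocol 3, algorithm 8 (RSASHA256), placeholder 8-byte "public key".
SAMPLE_KSK = DNSKEY.from_text(
    ".", "257 3 8 " + base64.b64encode(bytes(range(1, 9))).decode())
SAMPLE_DS = ds_from_dnskey(SAMPLE_KSK)

if __name__ == "__main__":
    print("DS from DNSKEY :", SAMPLE_DS.to_text())
    print("DNSKEY via DS  :", select_dnskeys([SAMPLE_KSK], SAMPLE_DS))
    print("DS alone       :", select_dnskeys([], SAMPLE_DS))  # [] - no key to select
```

Running it shows the asymmetry directly: `ds_from_dnskey` always succeeds, while `select_dnskeys` can only return keys that were already supplied as candidates, so a published DS is useful only to software that obtains the DNSKEY RRset from somewhere else and validates it against the DS.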