Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt

Tony Finch <dot@dotat.at> Tue, 16 December 2014 10:47 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 443C51ACD2D for <dnsop@ietfa.amsl.com>; Tue, 16 Dec 2014 02:47:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.51
X-Spam-Level:
X-Spam-Status: No, score=-1.51 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1kLTfFcbulrz for <dnsop@ietfa.amsl.com>; Tue, 16 Dec 2014 02:47:36 -0800 (PST)
Received: from ppsw-52.csi.cam.ac.uk (ppsw-52.csi.cam.ac.uk [131.111.8.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A22831A1A92 for <dnsop@ietf.org>; Tue, 16 Dec 2014 02:47:36 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:33050) by ppsw-52.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.159]:25) with esmtpa (EXTERNAL:fanf2) id 1Y0pfB-0000uo-Dn (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 16 Dec 2014 10:47:33 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1Y0pfB-00013A-69 (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 16 Dec 2014 10:47:33 +0000
Date: Tue, 16 Dec 2014 10:47:33 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Rubens Kuhl <rubensk@nic.br>
In-Reply-To: <A086A53B-5187-4498-8BE3-117CFD203DC6@nic.br>
Message-ID: <alpine.LSU.2.00.1412161043250.26100@hermes-1.csi.cam.ac.uk>
References: <20141216011517.21875.32371.idtracker@ietfa.amsl.com> <A086A53B-5187-4498-8BE3-117CFD203DC6@nic.br>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/zUSOX7V8Ta5lOxcHLDsKeK0NWEc
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Dec 2014 10:47:39 -0000

Rubens Kuhl <rubensk@nic.br> wrote:
>
> My feedback to a possible -01 version is to add something related to not
> consider NTAs for the upper hierarchy of a failed DNSSEC domain. For
> instance, even if I see a good number of .gov domains failed DNSSEC,
> adding a NTA configuration for .gov would not be considered good
> operational practice, unless .gov itself starts failing DNSSEC
> validation.

That is a good point. Happily I think the draft already makes it hard for
operators to do that, since an NTA will be automatically removed if its
zone validates (section 10).

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Fisher, German Bight: West or northwest 6 to gale 8, backing southwest 5 to 7.
Rough or very rough. Squally showers, rain later. Good, occasionally moderate.