Re: [DNSOP] [Technical Errata Reported] RFC8078 (5049)

Mark Andrews <marka@isc.org> Wed, 28 June 2017 04:21 UTC

To: Dick Franks <rwfranks@acm.org>
Cc: Jan Včelák <jv@fcelda.cz>, IETF DNSOP WG <dnsop@ietf.org>, tjw ietf <tjw.ietf@gmail.com>, Matthijs Mekking <matthijs@pletterpet.nl>, Ondřej Caletka <Ondrej.Caletka@cesnet.cz>, Ólafur Guðmundsson <olafur@cloudflare.com>, Suzanne Woolf <suzworldwide@gmail.com>, pwouters@redhat.com, bclaise@cisco.com, Olafur Gudmundsson <olafur+ietf@cloudflare.com>, RFC Editor <rfc-editor@rfc-editor.org>
From: Mark Andrews <marka@isc.org>
References: <20170623105434.22478B810AB@rfc-editor.org> <CAN6NTqyBg74NF-F8imGiK0ArwxAbhc0uE_xXbX-No+Le8E9DUg@mail.gmail.com> <CAKW6Ri7npS57gupPrUc2aGhsg21u8csx+69GKrCFkeQ6H5Dnxw@mail.gmail.com> <9284fde5-ea75-a25a-3aa1-2e521753dc3e@cesnet.cz> <519c2cb0-0239-e28f-e4e8-6dcb13459d3d@pletterpet.nl> <CAKW6Ri5hsUEFuWmVp1UNauk=C7HykdiA9stQoMcdDs6gd6+axg@mail.gmail.com> <cfed78ae-0133-e883-f579-3a9ca92ccab0@pletterpet.nl> <CAKW6Ri55OMz2ZO27XVNeEYTqscx6hJk+VqTE7p8DyV53uQ0YmA@mail.gmail.com> <20170627145452.623CB7C84E77@rock.dv.isc.org> <CAM1xaJ8UniCt+8CnO70_6GM9e6TvyN-0BVC69MRmaXcM78kviQ@mail.gmail.com> <CAKW6Ri6jCkm09UoJCoBe6c9jMsMjO4OihnCtzSmewnXQXv4qdw@mail.gmail.com>
In-reply-to: Your message of "Tue, 27 Jun 2017 19:38:55 +0100." <CAKW6Ri6jCkm09UoJCoBe6c9jMsMjO4OihnCtzSmewnXQXv4qdw@mail.gmail.com>
Date: Wed, 28 Jun 2017 14:21:27 +1000
Message-Id: <20170628042127.863D87CA0CFF@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zYnrONDm3iJ6Ajnx3eAQeJh9Gl8>

In message <CAKW6Ri6jCkm09UoJCoBe6c9jMsMjO4OihnCtzSmewnXQXv4qdw@mail.gmail.com>, Dick Franks writes:
> On 27 June 2017 at 18:10, Jan Včelák <jv@fcelda.cz> wrote:
>
> >8
>
> > There are plenty of other alternative ways to express a DS DELETE request.
> > But I would prefer accepting this simple erratum rather than
> > researching all the other options (which we should have done when
> > revising the drafts of this document).
> >
>
> There is no point in moaning that things could/should have been done
> better.
>
> What is needed now is methodical use-case analysis based on RFC8078 as it
> exists now and tested against a real implementation.  The time to rewrite
> the RFC will come if/when we discover we are unable to live with it. We
> have not reached that point yet.

I can't go from RFC8078 to a working implementation because the
existing description is not clear enough to do it.  I don't think
anyone can do it.

With the proposed errata fix I could write code.  For CDS the RRset
is a single RR with a rdata of 0x00 0x00 0x00 0x00 0x00.  For CDNSKEY
the RRset is a single RR with a rdata of 0x00 0x03 0x00 0x00 0x00.

In both cases the RRset needs to be signed and validation needs
to return that the answer is secure before it can be acted on.

Mark

> --Dick
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
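The two checks Mark describes, a DELETE sentinel that is the only record in the RRset and a validation result of "secure" before anything is acted on, as an added Python example. This is not code from the thread, from BIND or from any other implementation. It assumes the erratum's corrected presentation forms are `0 0 0 00` for CDS and `0 3 0 AA==` for CDNSKEY (the page does not reproduce the erratum text), and it lays the wire bytes out in RFC 4034 field order (DS: key tag, algorithm, digest type, digest; DNSKEY: two-octet flags, protocol, algorithm, public key). The `ds_action` function and the `validation_status` argument are illustrative names, standing in for whatever a parent-side scanner gets back from its validating resolver.

```python
"""Recognise the RFC 8078 CDS/CDNSKEY DELETE sentinel and gate it on DNSSEC validation.

Added example; not code from the mailing-list thread or from any DNS implementation.
"""
import base64
import struct

# Wire-format sentinels (assumed from the erratum's "0 0 0 00" and "0 3 0 AA==").
# CDS:     key tag 0x0000, algorithm 0x00, digest type 0x00, digest = one zero octet
# CDNSKEY: flags 0x0000, protocol 0x03, algorithm 0x00, public key = one zero octet
CDS_DELETE = bytes.fromhex("0000000000")
CDNSKEY_DELETE = bytes.fromhex("0000030000")
DELETE_SENTINEL = {"CDS": CDS_DELETE, "CDNSKEY": CDNSKEY_DELETE}


def cds_wire_from_text(text: str) -> bytes:
    """Encode CDS presentation format 'keytag alg digesttype hexdigest' (DS layout, RFC 4034)."""
    key_tag, alg, digest_type, digest_hex = text.split()
    # An odd-length digest such as the bare '0' of the uncorrected RFC text is not
    # parseable as hex; bytes.fromhex raises ValueError, which is the point of the erratum.
    digest = bytes.fromhex(digest_hex)
    return struct.pack("!HBB", int(key_tag), int(alg), int(digest_type)) + digest


def cdnskey_wire_from_text(text: str) -> bytes:
    """Encode CDNSKEY presentation format 'flags protocol alg base64key' (DNSKEY layout, RFC 4034)."""
    flags, protocol, alg, key_b64 = text.split()
    key = base64.b64decode(key_b64, validate=True)  # binascii.Error (a ValueError) on bad input
    return struct.pack("!HBB", int(flags), int(protocol), int(alg)) + key


def decode_fields(rrtype: str, wire: bytes) -> dict:
    """Split wire rdata back into its RFC 4034 fields so the sentinel can be inspected."""
    a, b, c = struct.unpack("!HBB", wire[:4])
    if rrtype == "CDS":
        return {"key_tag": a, "algorithm": b, "digest_type": c, "digest": wire[4:]}
    if rrtype == "CDNSKEY":
        return {"flags": a, "protocol": b, "algorithm": c, "public_key": wire[4:]}
    raise ValueError(f"unsupported rrtype {rrtype}")


def is_delete_rrset(rrtype: str, rrset: list[bytes]) -> bool:
    """True only when the RRset is exactly one RR whose rdata is the DELETE sentinel."""
    return len(rrset) == 1 and rrset[0] == DELETE_SENTINEL[rrtype]


def ds_action(rrtype: str, rrset: list[bytes], validation_status: str) -> str:
    """Decide what the parent may do with a child's CDS/CDNSKEY RRset.

    validation_status is assumed to be the resolver's verdict: 'secure', 'insecure' or 'bogus'.
    Only a 'secure' answer may drive any change at the parent; an unsigned or bogus
    sentinel is an attacker's cheapest way to strip DNSSEC from a delegation.
    """
    if validation_status != "secure":
        return "ignore"
    if is_delete_rrset(rrtype, rrset):
        return "delete-ds"
    # A sentinel mixed with real records is not a DELETE request; hand the RRset
    # to ordinary CDS/CDNSKEY processing (outside this example).
    return "keep"


if __name__ == "__main__":
    rr = cds_wire_from_text("0 0 0 00")
    print(decode_fields("CDS", rr), ds_action("CDS", [rr], "secure"))
    print(ds_action("CDNSKEY", [cdnskey_wire_from_text("0 3 0 AA==")], "insecure"))
```

The `validation_status` gate comes first on purpose: a parent that recognised the sentinel before checking validation would, on an "insecure" or "bogus" answer, let anyone who can spoof the child's zone turn DNSSEC off for it.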