Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

"Ralf Weber" <dns@fl1ger.de> Tue, 12 May 2015 10:23 UTC

From: Ralf Weber <dns@fl1ger.de>
To: Evan Hunt <each@isc.org>
Date: Tue, 12 May 2015 12:23:03 +0200
Message-ID: <CCA8C063-A09C-4BC6-9E88-EA060248C623@fl1ger.de>
In-Reply-To: <20150511172008.GA7209@isc.org>
References: <553EBF02.3050703@gmail.com> <CAJE_bqc-T75k3sQZKtAF1VHp49biGn+Es5v5FivNSz5e3oB-Cg@mail.gmail.com> <CAHw9_iL9RLp0jynT0m_D6dGZYhmdonvBC-5ifTdB63eh5gvBeg@mail.gmail.com> <CAJE_bqesFPG6d3UsFmtFRjUBQqfifHkaBMR0sXAaNKuN10HL4A@mail.gmail.com> <CAHw9_iLbx_soi1+LaSwMKarLcT1kBCrFdaX8diwMVZp70KeePA@mail.gmail.com> <20150509185028.GB74933@isc.org> <CAJE_bqcJN+RL8NF5NoLTL2y6-mpC1Maf8y_msie7MgYxkV4B3A@mail.gmail.com> <20150511172008.GA7209@isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/zy2c8ZGZFQRf2xvY8Gy2BBXkFFU>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>

Moin!

On 11 May 2015, at 19:20, Evan Hunt wrote:

>> Does this mean:
>>
>> A: All implementations that conform to this document should prefer the
>>  NTA over the positive anchor in such a case, or
>> B: This is implementation-dependent, but if an implementation allows
>>  the coexistence of positive and negative anchors, it should prefer
>>  the NTA, or
>> C: something else?
>
> Good point.  I personally favor A, but would be fine with B.
>
> I'd be interested in input from other implementors; if there's a
> constituency for B then fine, but if we're all going to allow
> coexistence anyway, we might as well specify it that way.

We (Nominum) currently do A and are fine with it. The text Warren
just sent out with regards to that looks ok, although I would
go with a MAY for the warning. In practice this will not happen
that much, as most people configure the root as their only trust
anchor and do NTAs down the tree.

So long
-Ralf
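The precedence question above (option A: when a positive trust anchor and a negative trust anchor exist for the same name, the NTA wins), as an added example that is not part of the thread and is not Nominum's, BIND's or any other resolver's code. It models the decision a validator makes for a query name: walk from the name toward the root and let the closest enclosing anchor decide, which is the usual trust-anchor selection rule and an assumption here, since the thread only speaks to the same-name conflict. The `nta_wins` flag, the `canon`/`ancestors`/`validation_policy` names, the decision labels and the domain names are all constructed for the example.

```python
"""
Added example: trust-anchor precedence in a validating resolver.
Not code from the thread or from any resolver implementation.
Names, flag names and decision labels are assumptions.
"""
from dataclasses import dataclass, field


def canon(name: str) -> str:
    """Normalise a DNS name: lower-case, one trailing dot, root is '.'."""
    name = name.strip().rstrip(".").lower()
    return name + "." if name else "."


def ancestors(name: str):
    """Yield name, its parent, ..., ending with the root '.'."""
    n = canon(name)
    while True:
        yield n
        if n == ".":
            return
        _, _, rest = n.partition(".")
        n = rest or "."


@dataclass
class TrustConfig:
    """Configured anchors. nta_wins=True is option A from the thread: when a
    positive anchor and an NTA coexist at the same name, the NTA is used."""
    positive: set = field(default_factory=set)  # names with a DS/DNSKEY anchor
    negative: set = field(default_factory=set)  # names with an NTA
    nta_wins: bool = True

    def add_positive(self, name: str) -> None:
        self.positive.add(canon(name))

    def add_negative(self, name: str) -> None:
        self.negative.add(canon(name))

    def conflicts(self) -> set:
        """Names where both kinds of anchor coexist; this is where an
        implementation would emit the warning the thread discusses."""
        return self.positive & self.negative


def validation_policy(cfg: TrustConfig, qname: str):
    """Decide how the validator treats qname.

    Walks from qname toward the root; the closest enclosing anchor decides
    (assumed closest-anchor rule). Returns (decision, anchor_name):
      ('insecure', n)     an NTA at n is in effect, answers are not validated
      ('validate', n)     a positive anchor at n is the validation entry point
      ('no-anchor', None) nothing configured covers qname
    """
    for n in ancestors(qname):
        has_pos, has_neg = n in cfg.positive, n in cfg.negative
        if has_pos and has_neg:
            return ("insecure", n) if cfg.nta_wins else ("validate", n)
        if has_neg:
            return ("insecure", n)
        if has_pos:
            return ("validate", n)
    return ("no-anchor", None)


if __name__ == "__main__":
    # The common deployment described in the reply: the root as the only
    # positive anchor, NTAs added further down the tree (constructed names).
    cfg = TrustConfig()
    cfg.add_positive(".")
    cfg.add_negative("example.com")
    print(validation_policy(cfg, "www.example.com"))  # ('insecure', 'example.com.')
    print(validation_policy(cfg, "example.net"))      # ('validate', '.')
    # Coexistence at the same name: under option A the NTA takes precedence.
    cfg.add_positive("example.com")
    print(cfg.conflicts())                            # {'example.com.'}
    print(validation_policy(cfg, "example.com"))      # ('insecure', 'example.com.')
```

Setting `nta_wins=False` gives the opposite same-name behaviour, which is the case option B leaves to the implementation; `conflicts()` is non-empty exactly when the configuration has a same-name pair, so it is the natural hook for the warning, whether the draft ends up saying SHOULD or MAY.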