Re: [Gen-art] Gen-art LC review: draft-ietf-dnsop-maintain-ds-03

Robert Sparks <> Fri, 08 July 2016 22:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7F7AA12D945 for <>; Fri, 8 Jul 2016 15:24:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id odBSm6RfFDb9 for <>; Fri, 8 Jul 2016 15:24:10 -0700 (PDT)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DA91812D196 for <>; Fri, 8 Jul 2016 15:24:09 -0700 (PDT)
Received: from unnumerable.local ([]) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id u68MO6CM079637 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=OK); Fri, 8 Jul 2016 17:24:07 -0500 (CDT) (envelope-from
X-Authentication-Warning: Host [] claimed to be unnumerable.local
To: Paul Kyzivat <>
References: <> <>
From: Robert Sparks <>
Message-ID: <>
Date: Fri, 08 Jul 2016 17:24:06 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Gen-art] Gen-art LC review: draft-ietf-dnsop-maintain-ds-03
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Jul 2016 22:24:12 -0000

There's not much beyond nits for the _authors_ to deal with.
The process problem is one for Joel (the responsible AD) and the rest of 
the IESG.

I think a "ready with nits and a process problem" sends a better signal 
to the people who can _do_ something about it than a "not ready" would.


On 7/8/16 5:18 PM, Paul Kyzivat wrote:
> (Just to Gen-art)
> Wow. I don't understand how you arrived at that summary. Based on the 
> rest of the review I was expecting to be at least Not Ready. Are my 
> standards wrong?
>     Thanks,
>     Paul
> On 7/8/16 4:32 PM, Robert Sparks wrote:
>> I am the assigned Gen-ART reviewer for this draft. The General Area
>> Review Team (Gen-ART) reviews all IETF documents being processed
>> by the IESG for the IETF Chair.  Please treat these comments just
>> like any other last call comments.
>> For more information, please see the FAQ at
>> <>.
>> Document: draft-ietf-dnsop-maintain-ds-03
>> Reviewer: Robert Sparks
>> Review Date: 8 Jul 2016
>> IETF LC End Date: 11 Jul 2016
>> IESG Telechat date: Not yet scheduled for a telechat
>> Summary: Ready, but with nits and perhaps a process problem
>> Potential process problem:
>> This document intends to move RFC7344 from Informational to PS in place
>> (without republishing RFC7344. The intent to do so is buried at the end
>> of the document (the abstract doesn't mention it). The Last Call for the
>> document does not make it clear that _this_ document is elevating 
>> RFC7344.
>> (It at least mentions it, which is good, but the writeup about the
>> elevation
>> can be read to say "we're considering this elevation somewhere else,
>> keep it
>> in mind while evaluating this document").
>> There is no hint from the subject line that this is a call to bring 
>> RFC7344
>> onto the standards track. Unless there is some other communication 
>> effort
>> that I've missed on a quick search, I think it is very likely that most
>> of the IETF community outside the dnsop working group missed this 
>> intent.
>> I strongly encourge a last call focusing _specifically_ on moving 
>> RFC7344
>> to the standards track without republication.
>> My personal feedback on elevating RFC7344 without republishing is 
>> that it's
>> not the right thing to do. At the very least "Category: Informational"
>> appears in the document itself, and that will not change. If the IESG
>> decides to proceed with this as currently formulated, count me in the
>> deep rough.
>> Nits:
>> In 1.2, "that decision SHOULD be fully under the child domain's 
>> control"...
>> Why is that a 2119 SHOULD? I think this is commentary on that it 
>> would be
>> a bad idea for someone else to unilaterally decide to turn of DNSSEC for
>> a child domain? Why not just say that (it would be even better to expand
>> on _why_ it's a bad idea. If you really think this is the right way 
>> to say
>> what you mean, and you keep 2119, please talk about when it would be 
>> ok to
>> not follow that SHOULD.
>> In 1.3, consider pointing to Appendix A of RFC7344 to better define RRR.
>> In the Security Considerations, you have "Users SHOULD" and "all options
>> SHOULD be considered". These are not meaningul uses of 2119 - please use
>> prose to say what you really mean. If you want to keep them, please talk
>> about when it would be ok to not follow the SHOULD. I think you're 
>> trying
>> to say "Completing the rollover via an unsigned state is dangerous and
>> should
>> only be used as a last resort" or something similarly strong.
>> Consider pointing back to the 5 scenarios you spell out in section 1.2
>> in the
>> security considerations section. The asserted existance of 
>> operational and
>> aoftware limitations that necessitate turning off DNSSEC to facilitate a
>> change
>> of operator is certainly a major security consideration.
>> Consider doing more to the DNS Security Algorithms Number registry than
>> the current instructions indicate. Simply adding a reference to this
>> document
>> to the row for number 0 does not convey that this "reserved" number is
>> actually
>> being _used_ in a protocol, and that when it is it's an algorithm number
>> that
>> is not a number for an algorithm. I don't know how to say that 
>> cleanly, but
>> the registry should say more than simply "reserved" if this document is
>> approved.
>> Typo-nit: s/digiest/digest/
>> _______________________________________________
>> Gen-art mailing list