Re: [homenet] [DNSOP] Fwd: New Version Notification for draft-mglt-homenet-dnssec-validator-dhc-options-02.txt

Daniel Migault <mglt.ietf@gmail.com> Tue, 22 October 2013 12:49 UTC

In-Reply-To: <829622C6-AE6A-45DC-B650-E7E2A5D9DC31@hopcount.ca>
References: <20131021071220.8650.43280.idtracker@ietfa.amsl.com> <CADZyTknNZD_L8Jr1zndAH7_Ckd7Ga-d=y1twF4KT9=NONXzjpA@mail.gmail.com> <alpine.LFD.2.10.1310211341050.24547@bofh.nohats.ca> <829622C6-AE6A-45DC-B650-E7E2A5D9DC31@hopcount.ca>
Date: Tue, 22 Oct 2013 14:49:31 +0200
Message-ID: <CADZyTkmTqvbuzyhZqJUP6Fb7fMCmAEmyXEjLiBx1PS6NM2urMg@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: "homenet@ietf.org" <homenet@ietf.org>, Paul Wouters <paul@cypherpunks.ca>, dnsop <dnsop@ietf.org>
Subject: Re: [homenet] [DNSOP] Fwd: New Version Notification for draft-mglt-homenet-dnssec-validator-dhc-options-02.txt

Hi Joe,

Thank you for your comment. draft-jabley-dnsop-validator-bootstrap-00 is
mentioned in the draft. We would like to extend this to other non-root
KSKs. Otherwise we do not see contradictions with what is mentioned in
draft-jabley-dnsop-validator-bootstrap-00.
As mentioned, "[...] and believe the principle described in these documents
[draft-jabley-dnsop-validator-bootstrap-00 and
I-D.jabley-dnssec-trust-anchor] SHOULD be applied by the validators".

Best Regards,
Daniel


On Mon, Oct 21, 2013 at 8:27 PM, Joe Abley <jabley@hopcount.ca> wrote:

>
> On 2013-10-21, at 14:16, Paul Wouters <paul@cypherpunks.ca> wrote:
>
> > For CPE devices, I think querying for the root key without dnssec to
> > use as time and possible TA is something it could possibly prompt the
> > user for. It would work without DHCP and not require new DHCP options.
> > CPE devices could also insecurely query for the proper ICANN website and
> > grab the trust anchor bundle (i.e. what unbound-anchor does) and use the
> > certificate of ICANN.
>
> See also draft-jabley-dnsop-validator-bootstrap-00.
>
>
> Joe
>
-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
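The bootstrap Paul sketches in the quoted message (fetch the root DNSKEY without DNSSEC, fetch the IANA trust-anchor bundle, and trust the key only if it matches an anchor) reduces to a DS comparison plus a validity-window check on the bundle. The Python below is an added example written for this archive page; it is not code from the thread, from unbound-anchor, or from either draft. It parses a TrustAnchor document in the RFC 7958 root-anchors.xml layout, computes the RFC 4034 key tag and DS digest of a DNSKEY, and accepts the key only when a currently valid anchor matches. The DNSKEY and the XML are constructed fixtures, not the real root KSK or the real IANA file, and the example assumes the bundle's detached signature (the "certificate of ICANN" step) has already been verified before the XML reaches this code.

```python
# Added example (not from the thread, unbound-anchor or the drafts): offline
# core of a validator trust-anchor bootstrap. The DNSKEY and the TrustAnchor
# XML below are constructed fixtures; the .p7s signature check on the bundle
# is assumed to have been done already.
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format (canonical lowercase); the root is one zero byte."""
    if name in (".", ""):
        return b"\x00"
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), uppercase hex."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def _iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def current_anchors(xml_text: str, now: datetime):
    """Parse an RFC 7958-style TrustAnchor document. Returns (zone, anchors) where
    each anchor is (keytag, algorithm, digesttype, digest); only KeyDigest elements
    whose validFrom/validUntil window contains `now` are kept."""
    doc = ET.fromstring(xml_text)
    zone = doc.findtext("Zone")
    anchors = []
    for kd in doc.findall("KeyDigest"):
        if now < _iso(kd.get("validFrom")):
            continue                      # pre-published, not yet valid
        until = kd.get("validUntil")
        if until is not None and now >= _iso(until):
            continue                      # expired / withdrawn anchor
        anchors.append((int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
                        int(kd.findtext("DigestType")), kd.findtext("Digest").upper()))
    return zone, anchors


def bootstrap_accepts(xml_text: str, now: datetime, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """True only if the insecurely fetched DNSKEY matches a currently valid anchor."""
    zone, anchors = current_anchors(xml_text, now)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    for a_tag, a_alg, a_dtype, a_digest in anchors:
        if (tag, algorithm) != (a_tag, a_alg):
            continue                      # cheap pre-filter before hashing
        if ds_digest(zone, rdata, a_dtype) == a_digest:
            return True
    return False


# --- constructed fixtures (not the real root KSK, not the real IANA bundle) ----
SAMPLE_KEY = dict(flags=257, protocol=3, algorithm=8,           # 257 = ZONE + SEP
                  pubkey_b64=base64.b64encode(b"\x01\x02\x03\x04").decode())
TAMPERED_KEY = dict(SAMPLE_KEY, pubkey_b64=base64.b64encode(b"\x01\x02\x03\x05").decode())
_RDATA = dnskey_rdata(**SAMPLE_KEY)
NOW = datetime(2013, 10, 22, 12, 49, tzinfo=timezone.utc)       # date of the mail
EARLY = datetime(2005, 1, 1, tzinfo=timezone.utc)               # only the old anchor valid
LATE = datetime(2031, 1, 1, tzinfo=timezone.utc)                # old gone, "next" now valid

SAMPLE_XML = f"""<TrustAnchor id="constructed" source="constructed-not-iana">
  <Zone>.</Zone>
  <KeyDigest id="old" validFrom="2000-01-01T00:00:00+00:00" validUntil="2010-01-01T00:00:00+00:00">
    <KeyTag>{key_tag(_RDATA)}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>{'00' * 32}</Digest>
  </KeyDigest>
  <KeyDigest id="cur" validFrom="2010-01-01T00:00:00+00:00">
    <KeyTag>{key_tag(_RDATA)}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>{ds_digest('.', _RDATA)}</Digest>
  </KeyDigest>
  <KeyDigest id="next" validFrom="2030-01-01T00:00:00+00:00">
    <KeyTag>12345</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>{'11' * 32}</Digest>
  </KeyDigest>
</TrustAnchor>"""

if __name__ == "__main__":
    print("key tag", key_tag(_RDATA), "DS", ds_digest(".", _RDATA))
    print("accept sample key now:", bootstrap_accepts(SAMPLE_XML, NOW, **SAMPLE_KEY))
    print("accept tampered key :", bootstrap_accepts(SAMPLE_XML, NOW, **TAMPERED_KEY))
```

The key tag and algorithm pre-filter mirrors what a validator does before hashing, but the decision rests on the digest comparison: the "old" anchor carries the same key tag and a wrong digest, so at EARLY the sample key is rejected even though a tag-only match exists. A real deployment adds the signature check on the bundle in front of this and refreshes the bundle so that the validFrom/validUntil windows are evaluated against a trustworthy clock, which is exactly the time-source problem the quoted message raises.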