Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

Warren Kumari <warren@kumari.net> Mon, 31 July 2017 15:42 UTC

In-Reply-To: <916EEEB9-3709-492B-8E19-5C832B11AFC2@fugue.com>
References: <150127266271.25329.18484770769960144@ietfa.amsl.com> <20170731050206.1A431806F1C2@rock.dv.isc.org> <916EEEB9-3709-492B-8E19-5C832B11AFC2@fugue.com>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 31 Jul 2017 11:42:00 -0400
Message-ID: <CAHw9_iKamMKHxovw7cxhHsZgrZvMLp2oUjchRVcTMA75tFbosw@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Mark Andrews <marka@isc.org>, homenet@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/FJJXarTfafZC19-viZFmmFBGOZg>
Subject: Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

On Mon, Jul 31, 2017 at 5:36 AM, Ted Lemon <mellon@fugue.com> wrote:
> On Jul 31, 2017, at 1:02 AM, Mark Andrews <marka@isc.org> wrote:
>
>> The delegation is INSECURE and SIGNED not UNSIGNED.  The wording
>> here is *important*.
>
> Can you explain what the distinction is, and what the problem is that you
> see in point five?   The reason I ask is that we explicitly changed the
> wording from "insecure" to "not signed" because someone else said that it
> wasn't clear what "insecure" meant.   It seems to me that the current
> language is explicit and unambiguous; I think this is better than being
> "correct."   So what is the bad outcome that might occur as a result of
> using the term "not signed" rather than "insecure"?


Having recently had exactly this discussion with someone, this area is
fraught with opportunities for misunderstandings.

Let's take example.com as an example[0]. The .com zone is signed.
Example Corp hired a DNS geek, who signed the example.com zone, but
never quite got around to publishing a DS record in the parent.

There is now a signed, insecure delegation to a signed zone; the
delegation itself is signed (.com is a signed zone and so there
is an RRSIG for the NS for example.com), but there is no DS record, so
it is insecure.

It really is an insecure delegation, not an unsigned delegation --
calling it unsigned would be confusing to many people. The person I
was discussing it with wasn't aware of the term "insecure delegation"
and assumed that it meant an "unsigned delegation", which is, um,
difficult to achieve in a non-NSEC3 OO zone...

I spent an almost infinite amount of time[1] trying to explain this
very point (to someone who understands DNSSEC) over the phone - it's
tricky to communicate without a whiteboard and / or diagram.
I ended up opening an issue on the terminology-bis document to get it
added: https://github.com/DNSOP/draft-ietf-dnsop-terminology-bis/issues/26#issuecomment-314275871


W
[0]: For the purpose of discussion, let's pretend that .COM uses NSEC,
not NSEC3 with Opt-Out.
[1]: Ok, perhaps it wasn't almost infinite, but it sure felt like it...




-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
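The example.com scenario above, as a worked model added here (not code from the thread, the draft, or any resolver): a small validator-side classifier that, given what a parent zone returns in a referral, reports whether the delegation is secure, insecure or bogus and, separately, whether the delegation itself is signed, meaning the parent produced a validated DS RRset or a validated NSEC/NSEC3 record about the child name (RFC 4035 section 5.2, RFC 5155 sections 6 and 8.9). It also covers the NSEC3 Opt-Out case that footnote [0] sets aside, which is where a genuinely unsigned delegation can exist. The zone names, salt, iteration count and records are constructed for the example, and every RRSIG is assumed to have been validated already.

```python
# Added example (not from the thread): how a validator decides whether a delegation
# out of a signed parent is secure, insecure or bogus, and whether the delegation
# itself is *signed*, i.e. covered by a validated DS or a validated NSEC/NSEC3 record
# (RFC 4035 s5.2, RFC 5155 s6 and s8.9). Names, salt and records are constructed.
import hashlib
from dataclasses import dataclass, field


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def canonical_key(name: str) -> tuple:
    """Key for canonical DNS name comparison (RFC 4034 s6.1): labels right to left."""
    return tuple(reversed([l for l in name.rstrip(".").lower().split(".") if l]))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """NSEC3 hash (RFC 5155 s5): SHA-1 over wire-name||salt, then `iterations` x digest||salt."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


@dataclass
class Nsec:
    owner: str
    next_name: str
    types: frozenset          # type bitmap of the owner name


@dataclass
class Nsec3:
    owner_hash: bytes
    next_hash: bytes
    types: frozenset
    opt_out: bool = False     # Opt-Out flag: unsigned delegations may exist inside the span


@dataclass
class ParentView:
    """Referral as returned by the parent; every RRSIG is assumed already validated."""
    signed: bool
    ds_present: bool = False
    nsec: list = field(default_factory=list)
    nsec3: list = field(default_factory=list)
    nsec3_salt: bytes = b""
    nsec3_iterations: int = 0


def nsec3_covers(rec: Nsec3, h: bytes) -> bool:
    """True if h lies strictly inside (owner, next); the last record wraps around to the first."""
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


def classify_delegation(child: str, parent: ParentView) -> tuple:
    """Return (security status, what the parent actually proved about the delegation)."""
    if not parent.signed:
        return "insecure", "unsigned delegation: parent zone is not signed"
    if parent.ds_present:
        return "secure", "signed delegation: validated DS present"
    # No DS in the referral, so a validated denial of the DS type at the child name is required.
    for rec in parent.nsec:
        if canonical_key(rec.owner) == canonical_key(child):
            if "DS" in rec.types:
                return "bogus", "NSEC says DS exists but the referral carried none"
            if "NS" in rec.types:
                return "insecure", "signed delegation: NSEC proves NS present, DS absent"
            return "bogus", "NSEC at the name shows no NS: not a delegation"
    h = nsec3_hash(child, parent.nsec3_salt, parent.nsec3_iterations)
    for rec in parent.nsec3:
        if rec.owner_hash == h:
            if "DS" in rec.types:
                return "bogus", "NSEC3 says DS exists but the referral carried none"
            if "NS" in rec.types:
                return "insecure", "signed delegation: NSEC3 proves NS present, DS absent"
            return "bogus", "NSEC3 at the name shows no NS: not a delegation"
        if nsec3_covers(rec, h):
            if rec.opt_out:
                return "insecure", "unsigned delegation: covered by an Opt-Out NSEC3 span"
            return "bogus", "NSEC3 proves the name does not exist, contradicting the referral"
    return "bogus", "no DS and no validated proof of its absence"


# Constructed scenarios for example.com under a signed .com (pretend NSEC, as in footnote [0]).
DELEGATION_NSEC = Nsec("example.com.", "example-next.com.", frozenset({"NS", "RRSIG", "NSEC"}))
SALT, ITER = bytes.fromhex("aabbccdd"), 1   # constructed NSEC3 parameters


def scenarios() -> dict:
    h = nsec3_hash("example.com.", SALT, ITER)
    return {
        "parent unsigned": classify_delegation("example.com.", ParentView(signed=False)),
        "ds published": classify_delegation("example.com.", ParentView(signed=True, ds_present=True)),
        "signed but no ds": classify_delegation("example.com.", ParentView(signed=True, nsec=[DELEGATION_NSEC])),
        "nsec3 opt-out": classify_delegation("example.com.", ParentView(
            signed=True, nsec3=[Nsec3(b"\x00" * 20, b"\xff" * 20, frozenset(), opt_out=True)],
            nsec3_salt=SALT, nsec3_iterations=ITER)),
        "nsec3 match": classify_delegation("example.com.", ParentView(
            signed=True, nsec3=[Nsec3(h, b"\xff" * 20, frozenset({"NS"}))],
            nsec3_salt=SALT, nsec3_iterations=ITER)),
    }


if __name__ == "__main__":
    for name, (status, proof) in scenarios().items():
        print(f"{name:18} -> {status:8} {proof}")
```

Running it prints one line per scenario. The "signed but no ds" case is the one in the message: the status is insecure, yet the delegation is signed, because the NSEC at example.com in .com carries a validated RRSIG and proves NS-without-DS. Only under NSEC3 Opt-Out does an insecure delegation exist with nothing signed about the child name at all, which is what makes "unsigned delegation" a narrower thing than "insecure delegation" rather than a synonym for it.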