IETF Logo Mail Archive

Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Sam Hartman <hartmans-ietf@mit.edu> Thu, 05 March 2015 14:35 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72CF31A0046 for <ietf@ietfa.amsl.com>; Thu, 5 Mar 2015 06:35:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O9dJFCOBT48n for <ietf@ietfa.amsl.com>; Thu, 5 Mar 2015 06:35:34 -0800 (PST)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 517E01A0033 for <ietf@ietf.org>; Thu, 5 Mar 2015 06:33:03 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 3568B2064F; Thu, 5 Mar 2015 09:31:38 -0500 (EST)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBnLCOf_p7O3; Thu, 5 Mar 2015 09:31:37 -0500 (EST)
Received: from carter-zimmerman.suchdamage.org (c-50-177-26-195.hsd1.ma.comcast.net [50.177.26.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Thu, 5 Mar 2015 09:31:37 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4F481813FF; Thu, 5 Mar 2015 09:32:29 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
References: <tsl8ufoh9ko.fsf@mit.edu> <2DF7230C-D1D8-4B21-9003-B336108A38CB@vpnc.org> <20150224172649.GX1260@mournblade.imrryr.org> <tslvbircj0d.fsf@mit.edu> <0325DF3F-17F3-4400-BDEA-EDB5334BF35C@frobbit.se> <20150225180227.GT1260@mournblade.imrryr.org> <7AB921D35A7F9B23A53BD11A@JcK-HP8200.jck.com> <tslvbip8io6.fsf@mit.edu> <54F09A35.9060506@qti.qualcomm.com> <54F78650.6070503@qti.qualcomm.com> <20150305064513.GH1260@mournblade.imrryr.org>
Date: Thu, 05 Mar 2015 09:32:29 -0500
In-Reply-To: <20150305064513.GH1260@mournblade.imrryr.org> (Viktor Dukhovni's message of "Thu, 5 Mar 2015 06:45:13 +0000")
Message-ID: <tsl4mpzplaa.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/QrD1shEGe6grgy5RHVk3NSzHbMs>
X-Mailman-Approved-At: Thu, 05 Mar 2015 08:06:52 -0800
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, ietf@ietf.org, Pete Resnick <presnick@qti.qualcomm.com>, F?ltstr?m Patrik <paf@frobbit.se>, Mark Nottingham <mnot@mnot.net>, John C Klensin <john-ietf@jck.com>, Sam Hartman <hartmans-ietf@mit.edu>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 14:35:40 -0000

>>>>> "Viktor" == Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

    Viktor> On Wed, Mar 04, 2015 at 04:25:20PM -0600, Pete Resnick wrote:
    >> >I'm going to ask Patrik to publish a revised ID at this point,
    >> which I >expect to see in the next couple of days.
    >> 
    >> The new version of the document (-12) is out, announcement
    >> attached. It is now Informational, it removes the discussion of
    >> flag "D" for NAPTR, and adds a bit of discussion to security
    >> considerations. I would appreciate folks giving it a sniff and
    >> making sure it addresses your earlier concerns. If so, I'll go
    >> ahead and ballot it for the 12-March IESG telechat.

    Viktor> I think this still fails to acknowledge Sam Hartman's
    Viktor> concerns about the change in the security model from (often
    Viktor> with TLS) application configured trust anchors that may be
    Viktor> specific to the expected peer, to likely the ICANN DNSSEC
    Viktor> root trust-anchor, or perhaps an enterprise DNS trust-anchor
    Viktor> for an internal domain.

    Viktor> While such a change in the trust model may well be
    Viktor> applicable, there remains in the draft a claim that
    Viktor> indirection through DNSSEC is fundamentally not different
    Viktor> from indirection through a TLS authenticated HTTP redirect.
    Viktor> That claim is likely too bold.  Future users of this RR need
    Viktor> to consider the issues more carefully.

The claim in the draft is:
>   comparison, and that the change in what hostname to use is secured by
>   DNSSEC so that it can be trusted in a similar way as a redirect in
>   HTTP using TLS.

I'm actually OK with that claim in an informational RFC because of the
word similarly.
I think the current version is good enough for informational.
I think Eliot's proposal 


>A simple way to address the concern that Sam raised is to note that
>DNSSEC's trust model is largely binary, and not subject to alternative
>trust anchors.  That is- parent zone administrator's keys may either be
>trusted or not.  

would improve the text, but I'm OK with the draft as-is.
Thanks for diligent work resolving raised concerns.

v2.23.0 | Report a Bug | By Email