Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Viktor Dukhovni <> Thu, 05 March 2015 07:14 UTC

Date: Thu, 5 Mar 2015 07:14:09 +0000
From: Viktor Dukhovni <>
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

On Thu, Mar 05, 2015 at 07:56:09AM +0100, Eliot Lear wrote:
> Viktor,
> A simple way to address the concern that Sam raised is to note that
> DNSSEC's trust model is largely binary, and not subject to alternative
> trust anchors.  That is, parent zone administrator's keys may either be
> trusted or not.  On the other hand, I don't know that this is the draft
> to take on that issue.  It's a fundamental difference between the two
> models and there are pluses and minuses to each, and it's perhaps worth
> exploring, but in this draft?

I don't see a need to explore the details in this draft; rather, it
just needs to avoid claiming equivalence.  Just don't pretend the
issue is not there.

So for me it would be enough to note that DNSSEC introduces a new
trust model that application designers need to consider when the
URI DNS record is introduced into application designs.

If that's good enough for Sam too, then perhaps he or I can write
a sentence or two saying essentially that to replace the IMHO overly
strong claim that DNSSEC indirection is essentially the same as
HTTP redirects.