Re: [Last-Call] [Ext] Opsdir last call review of draft-ietf-dnsop-dnssec-bcp-03
Paul Hoffman <paul.hoffman@icann.org> Sun, 25 September 2022 20:27 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FB64C14F6E7; Sun, 25 Sep 2022 13:27:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uUW9MUgv7a4b; Sun, 25 Sep 2022 13:27:24 -0700 (PDT)
Received: from ppa5.dc.icann.org (ppa5.dc.icann.org [192.0.46.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09AB6C14F727; Sun, 25 Sep 2022 13:27:23 -0700 (PDT)
Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.7]) by ppa5.dc.icann.org (8.17.1.5/8.17.1.5) with ESMTPS id 28PKRL02017033 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 25 Sep 2022 20:27:21 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.29; Sun, 25 Sep 2022 13:27:19 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0986.029; Sun, 25 Sep 2022 13:27:19 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: dnsop <dnsop@ietf.org>
CC: "draft-ietf-dnsop-dnssec-bcp.all@ietf.org" <draft-ietf-dnsop-dnssec-bcp.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: [Ext] [Last-Call] Opsdir last call review of draft-ietf-dnsop-dnssec-bcp-03
Thread-Index: AQHY0R01+cttgpIkIEaO7ZIHC1Fu4A==
Date: Sun, 25 Sep 2022 20:27:19 +0000
Message-ID: <E701F7EB-1D38-4415-BC09-48E0268CAA71@icann.org>
References: <166412950464.63261.16113770307028490009@ietfa.amsl.com> <YzClZZNzLnpTVjJ7@straasha.imrryr.org>
In-Reply-To: <YzClZZNzLnpTVjJ7@straasha.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: multipart/signed; boundary="Apple-Mail=_3C5256CE-6E0A-4B49-8986-DAA78122B051"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1 definitions=2022-09-25_01,2022-09-22_02,2022-06-22_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/GV6sa8EGaTrFg_LQR8Fx95JuFe8>
Subject: Re: [Last-Call] [Ext] Opsdir last call review of draft-ietf-dnsop-dnssec-bcp-03
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2022 20:27:26 -0000
On Sep 25, 2022, at 12:00 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > On Sun, Sep 25, 2022 at 11:11:44AM -0700, Gyan Mishra via Datatracker wrote: > >> The document reads well and is ready for publication. >> >> I do not see any issues with the draft. > > I largely concur, but do have a few comments: > > In the final two sentences of: > > 1. Introduction > > [...] It also points to the relevant > IANA registries that relate to DNSSEC. It does not, however, point > to standards that rely on zones needing to be signed by DNSSEC. > > it is not completely obvious to me (and perhaps more so to the uninitiated) what > the final sentence is about. Is this about DANE and the like? An example could > make this clear. Yes, it was (at least) about DANE; added. > > It may be worth mentioning in: > > 1.1. DNSSEC as a Best Current Practice > > Some observers note that, more than 15 years after the DNSSEC > specification was published, it is still not widely deployed. Recent > estimates are that fewer than 10% of the domain names used for web > sites are signed, and only around a third of queries to recursive > resolvers are validated. However, this low level of implementation > does not affect whether DNSSEC is a best current practice; it just > indicates that the value of deploying DNSSEC is often considered > lower than the cost. Nonetheless, the significant deployment of > DNSSEC beneath some top-level domains (TLDs), and the near-universal > deployment of DNSSEC for the TLDs in the DNS root zone, demonstrate > that DNSSEC is suitable for implementation by both ordinary and > highly sophisticated domain owners. > > that part of the reluctance to deploy has been immaturity of tools, and lack of > skilled technical staff. At least the tooling has undergone significant > improvement recently, and further automation is in active development. I would rather not speculate on the reasons for the low rate of adoption, particularly because the reasons might change with the adoption rate remaining low. > > In: > > 2. DNSSEC Core Documents > > * [RFC3110] defines how to use the RSA signature algorithm (although > refers to other documents for the details). RSA is still the most > popular signing algorithm for DNSSEC. > > it may be worth mentioning that ECDSA P256 adoption is now almost as widely > deployed for zone signing as RSA (by count of signed zones). The paragraph is about RSA, not about algorithms in general. Your point is good, however, so I have changed the sentence to say "RSA is still among the most popular...", and added the sentence "ECDSA and EdDSA have become very popular signing algorithms in recent years" in the section below. > In: > > 3. Additional Cryptographic Algorithms and DNSSEC > > [...] > The GOST signing algorithm [RFC5933] was also adopted, but has seen > very limited use, likely because it is a national algorithm specific > to a very small number of countries. > > GOST is more than merely unpopular, the underlying revision of the GOST > algorithms have been deprecated and replaced, and RFC 8624 lists GOST as "MUST NOT" > for signing. That is being rectified in the DNSOP WG, albeit too slowly to be reflected in this document. > > I take issue with the next paragraph: > > Implementation developers who want to know which algorithms to > implement in DNSSEC software should refer to [RFC8624]. Note that > this specification is only about what algorithms should and should > not be included in implementations: it is not advice for which > algorithms that zone operators should and should not sign with, nor > which algorithms recursive resolver operators should or should not > validate. > > Sure, the opening sentence of Section 3.1 reads: > > The following table lists the implementation recommendations for > DNSKEY algorithms. > > but an attentive operator should and will indeed take this advice into > consideration. Many have already, and adoption of the deprecated algorithms 5 > and 7 have declined by ~95% from their peak values. This document is not the place to re-litigate the scope of RFC 8624, not is it a good place to say what "an attentive operators should" do other than to read the listed RFCs. --Paul Hoffman
- [Last-Call] Opsdir last call review of draft-ietf… Gyan Mishra via Datatracker
- Re: [Last-Call] Opsdir last call review of draft-… Viktor Dukhovni
- Re: [Last-Call] [Ext] Opsdir last call review of … Paul Hoffman
- Re: [Last-Call] [Ext] Opsdir last call review of … Viktor Dukhovni
- Re: [Last-Call] [Ext] Opsdir last call review of … Rob Sayre