IETF Logo Mail Archive

Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

Samuel Weiler <weiler@watson.org> Mon, 12 March 2012 19:55 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2096621E80C5; Mon, 12 Mar 2012 12:55:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1331582145; bh=kDLwe2x1/KWWNZ2Ga9YU1onC0AnWM2wGC9fWpFYs0Lg=; h=Date:From:To:In-Reply-To:Message-ID:References:MIME-Version:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=LyM9i68Yfi6KgM6ZQT0M4iIPVH6OBuiCTUWPPAw8XAwrC/4KVcpJjjfoKagKn1Vra WVkDVeBD+r27FV+TD3VXV/mN8uCUU67pKxgkAbo/bQLZ3WPii5A3LwBjLvLXZW2XNb GJOWzjHO12ngWeIvLKqTu5iiaMPCFjzs2NWlg9Wk=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C230221E808F for <dnsext@ietfa.amsl.com>; Mon, 12 Mar 2012 12:55:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.406
X-Spam-Level:
X-Spam-Status: No, score=-2.406 tagged_above=-999 required=5 tests=[AWL=0.193, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l3jhoEa-P2eu for <dnsext@ietfa.amsl.com>; Mon, 12 Mar 2012 12:55:35 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 6EB0121E809B for <dnsext@ietf.org>; Mon, 12 Mar 2012 12:55:32 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id q2CJtVbK093688; Mon, 12 Mar 2012 15:55:31 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id q2CJtVwF093684; Mon, 12 Mar 2012 15:55:31 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Mon, 12 Mar 2012 15:55:31 -0400
From: Samuel Weiler <weiler@watson.org>
To: Matthijs Mekking <matthijs@nlnetlabs.nl>
In-Reply-To: <4F2967EF.8070502@nlnetlabs.nl>
Message-ID: <alpine.BSF.2.00.1203121544450.39342@fledge.watson.org>
References: <20120120054939.GD4365@mail.yitter.info> <20120120142243.GE4944@mail.yitter.info> <4F2967EF.8070502@nlnetlabs.nl>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Mon, 12 Mar 2012 15:55:32 -0400 (EDT)
Cc: dnsext@ietf.org
Subject: Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Wed, 1 Feb 2012, Matthijs Mekking wrote:

> 1a. Nit
> The second paragraph raises concerns when a resolver adopts a more
> restrictive security policy. On the first read, it is not immediately
> obvious why there can be unnecessary validation failures. Perhaps a
> small explanation is needed, that the restrictive policy is requiring
> all signatures to validate?

Perhaps.  I decided not to change anything on this pass.

> 2b.
> The section states that a signed zone MUST include a DNSKEY for each
> algorithm present in the zone's DS RRset and expected trust anchors for
> the zone. I argue if MUST is too strong, and would vote for SHOULD, for
> the reason that the expected trust anchors and DS RRset are being
> maintained outside the administrative boundaries of the zone owner.

The MUST should stay.  (The MUST must stay?)  You're right about 
administrative boundaries, but things break if these rules aren't 
followed.  They really are a MUST.

> 3. Section 6.4. Erros in RFC 5155
>
> I would like to see some clarifying or guiding text about the
> contradiction in this RFC on the Flags field I posted earlier to this list:
>
> Section 8.2 of RFC 5155 states that a validator MUST ignore NSEC3 RRs
> with a Flag fields value other than zero or one. But in the IANA
> Considerations section, bits 0-6 are available for assignment.
>
> However, assigning a meaning to one of the bits 0-6 would break NSEC3
> conformance because that would allow for Flag fields value larger than
> one and that conflicts with the rule in Section 8.2 . As a result,
> assigning a meaning to one of the bits 0-6 in the NSEC3 Flag fields
> would require an update at the resolver side to ignore the bits it does
> not implement, regardless of the total outcome value of the Flag fields.
> Such a requirement allows for a more flexible approach for future
> updates of the NSEC3 Flag fields, with a nice backwards compatibility
> property.

I understand the reasoning, but I'm not entirely sure what you're 
proposing.  And it does sound like a real change.  And one that may 
not match current code.  I'm not sure this is a great idea.

-- Sam
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email