Re: [dnsext] Issues in WGLC of dnssec-bis-updates

Eric Brunner-Williams <ebw@abenaki.wabanaki.net> Wed, 08 February 2012 14:48 UTC

On 2/8/12 7:32 AM, bmanning@vacation.karoshi.com wrote:
>> I feel the first (4033) is a better description.  I personally use a
>> definition for this as: this portion of the tree does not have a trust
>> anchor above it (higher up the hierarchy), and therefore is not secure,
>> insecure, or bogus.  Note that with the root trust anchor the
>> indeterminate state no longer occurs, since we know everything is
>> covered by that trust anchor.
> 	Which root?  The ICANN root?  My corporate root?
> 	Folks use IP and DNS in networks that may not be connected to the 
> 	"public" Internet and thus to the ICANN root key.

Further, there exists one or more networks connected to the "public"
Internet (non-locally routed prefixes) for which the IANA root zone
does not completely determine the root zone, and for which one or more
zone-restricted trust anchors would be insufficient.

> 	So I would say that there is existence proof that you can find 
> 	the ICANN root trust anchor in an indeterminate state.

Agree.

Eric