Re: [dnsext] Issues in WGLC of dnssec-bis-updates

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 09 March 2012 00:25 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <alpine.BSF.2.00.1203081827340.31973@fledge.watson.org>
Date: Thu, 08 Mar 2012 16:25:30 -0800
Message-Id: <E044D96B-7642-433F-A8A6-EB123D3DC1DD@vpnc.org>
References: <20120207151820.GE9478@crankycanuck.ca> <alpine.BSF.2.00.1203081827340.31973@fledge.watson.org>
To: Samuel Weiler <weiler@watson.org>
Cc: dnsext@ietf.org

On Mar 8, 2012, at 3:35 PM, Samuel Weiler wrote:

> I know that Andrew posted a closing summary of this discussion.  I'm quoting the opening message since it provides much more context.
> 
> There are a couple of these default actions that I'm uneasy with.
> 
> 
> On Tue, 7 Feb 2012, Andrew Sullivan wrote:
> 
>> ISSUE 3: Alter section 5.10
>> 
>> Paul Hoffman requests a change to section 5.10 in
>> http://www.ietf.org/mail-archive/web/dnsext/current/msg12173.html.
>> Speaking only personally, I cannot see any objection to the proposed
>> sentence, "If a site has only a single trust anchor, the information
>> in this entire section can safely be skipped."  I'm less sure about
>> the motivational sentences; I'm not even sure they're true.  Does
>> anyone have any thoughts?
>> 
>>   DEFAULT ACTION: Include the "If a site has only a single trust
>>   anchor ..." sentence, and exclude the other proposed sentences.
> 
> If this document were aimed at operators, the above would make more sense.  Since this is a doc for implementers, the "ignore this section" guidance is dangerous -- the implementer of a validating resolver does not know what trust anchor(s) an operator will configure.  I prefer to not include this sentence.

This is actually a good point. I withdraw my previous wording, and suggest instead that the following be added as a separate paragraph before 5.10.1:

   When not presented with the situation that more than one trust
   anchor is configured, DNSSEC validators SHOULD NOT expose policy
   choices such as those shown in these subsections in configuration
   options. That is, these policy choices SHOULD only be exposed
   when there are multiple options.

>> ISSUE 4: Request to change the language in 5.6
>> 
>> This is also a request from Paul Hoffman, in the same review.  Is
>> there any objection to his first formulation?  I believe his second
>> formulation would actually be a significant change to the protocol,
>> and as shepherd I cannot accept it without a fairly strong signal from
>> the WG.
>> 
>>   DEFAULT ACTION: Use the first formulation proposed ("In order to
>>   interoperate with implementations that ignore this rule on
>>   sending, resolvers need to allow either the DO bit to be set or
>>   unset when receiving responses.")
> 
> I think the two formulations are equivalent, except that the second is stated in clearer and more normative language.  Yes, this is a change, but it's one we need to make.  Let's use the less muddled form of it.

FWIW, I agree with Sam here: my second proposal ("Because some implementations ignore this rule on sending, the rule for receivers is now that they MUST NOT expect the DO bit to be set as it was sent.") is the one I prefer. I proposed the first because I thought the second would be hard for some people to swallow.

--Paul Hoffman
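The receiver-side rule under discussion (a validator accepts a response whether or not the DO bit comes back the way it was sent, rather than rejecting on a mismatch) as an added Python example; this is not code from the thread or from the draft. The minimal wire-format parser, the `build_message` helper and all sample messages are constructed here for illustration, and the mismatch flag is only there so an operator can log which upstreams ignore the rule on sending.

```python
import struct

OPT_TYPE = 41      # EDNS(0) OPT pseudo-RR type
DO_FLAG = 0x8000   # DO bit: high bit of the 16-bit flags in the OPT "TTL" field

def encode_name(name):
    """Encode a dotted domain name in DNS wire format (constructed helper)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length

def find_do_bit(msg):
    """DO bit of the first OPT RR in the message, or None if no OPT RR is present."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return None

def receive_response(query, response):
    """Lenient receiver rule: the response is accepted regardless of its DO bit.
    The mismatch flag is telemetry only, never a reason to discard the answer."""
    sent, got = find_do_bit(query), find_do_bit(response)
    return {"accepted": True, "do_sent": sent, "do_received": got,
            "mismatch": sent != got}

def build_message(qname, is_response, do_bit, a_rdata=None):
    """Constructed sample message: one question, optional A answer, one OPT RR."""
    flags = 0x8180 if is_response else 0x0100
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if a_rdata else 0, 0, 1)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    if a_rdata:   # answer owner name is a compression pointer to the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(a_rdata)) + a_rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG if do_bit else 0, 0)
    return header + body + opt
```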

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext