Re: [dnsext] draft-mohan-dns-query-xml-00.txt

Paul Vixie <vixie@isc.org> Mon, 03 October 2011 15:46 UTC

Date: Mon, 3 Oct 2011 15:49:02 +0000
From: Paul Vixie <vixie@isc.org>
To: dnsext@ietf.org
Message-ID: <20111003154902.000049f1@unknown>
In-Reply-To: <alpine.LSU.2.00.1110031523351.30178@hermes-2.csi.cam.ac.uk>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com> <201110010458.26859.vixie@isc.org> <D3890C96-DA07-4BA1-AB57-1A81EA2ED477@icsi.berkeley.edu> <201110011736.27664.vixie@isc.org> <alpine.LSU.2.00.1110031523351.30178@hermes-2.csi.cam.ac.uk>
Organization: ISC

On Mon, 3 Oct 2011 15:26:36 +0100
Tony Finch <dot@dotat.at> wrote:

> Paul Vixie <vixie@isc.org> wrote:
> > i've got a draft in production that adds an EDNS option "send
> > chain" where the option payload is any ancestor of the QNAME and
> > indicates the requestor's deepest validated trusted domain name.
> > this will solicit a longer trust chain (all the RRSIG, DNSKEY, DS
> > RRs) between this ancestor and the QNAME.
> 
> What about support for lookaside trust anchors?

i don't think we should enshrine lookaside in dnssec validation, so i
was not planning to incorporate that in a "send chain" edns option
proposal.

complete support for lookaside would include support for ISP-layer data
replacement (perhaps under government mandate), as well as enterprise
(private keys), and the quasi-public deployment aid represented by DLV.

none of these things have a place in my long term vision for ubiquitous
DNSSEC, though i have championed DLV as an early deployment aid.
-- 
Paul Vixie
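The "send chain" option as the quoted draft describes it, worked through as an added example that is not code from the draft, from ISC, or from anyone in this thread: a requestor puts the wire-format name of its deepest validated ancestor of the QNAME into an EDNS option, and a responder that honours the option first checks that the payload really is a well-formed ancestor of the QNAME before it decides which names between that ancestor and the QNAME may need DS, DNSKEY and RRSIG records in the answer. The option code is a placeholder from the local/experimental range of RFC 6891 (no code is named on the page), and every function name below is mine.

```python
import struct

# Placeholder option code: the draft quoted above names none, so a value
# from the EDNS "reserved for local/experimental use" range is used here.
OPT_SEND_CHAIN = 65001


def labels(name):
    """Split a presentation-format name into labels, dropping the root."""
    return [l for l in name.rstrip(".").split(".") if l]


def is_ancestor(ancestor, qname):
    """True when `ancestor` equals or is a proper ancestor of `qname`."""
    a = [l.lower() for l in labels(ancestor)]
    q = [l.lower() for l in labels(qname)]
    return len(a) <= len(q) and q[len(q) - len(a):] == a


def encode_name(name):
    """Uncompressed wire-format name (RFC 1035 section 3.1)."""
    out = b""
    for l in labels(name):
        raw = l.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data):
    """Decode an uncompressed wire-format name; compression pointers and
    trailing bytes are rejected because an option payload never needs them."""
    parts, i = [], 0
    while True:
        if i >= len(data):
            raise ValueError("truncated name")
        n = data[i]
        i += 1
        if n == 0:
            break
        if n > 63:
            raise ValueError("compression pointer or bad label length")
        if i + n > len(data):
            raise ValueError("truncated label")
        parts.append(data[i:i + n].decode("ascii"))
        i += n
    if i != len(data):
        raise ValueError("trailing bytes after name")
    return ".".join(parts) + "." if parts else "."


def build_send_chain_option(trusted_ancestor):
    """Requestor side: one EDNS option (code, length, payload = the name)."""
    payload = encode_name(trusted_ancestor)
    return struct.pack("!HH", OPT_SEND_CHAIN, len(payload)) + payload


def parse_options(rdata):
    """Split OPT RR RDATA into (code, payload) pairs, rejecting truncation."""
    opts, i = [], 0
    while i + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[i:i + 4])
        i += 4
        if i + length > len(rdata):
            raise ValueError("truncated option")
        opts.append((code, rdata[i:i + length]))
        i += length
    if i != len(rdata):
        raise ValueError("trailing bytes after last option")
    return opts


def handle_send_chain(qname, opt_rdata):
    """Responder side: return the trusted ancestor the option names, or None
    when the option is absent, malformed, or not an ancestor of the QNAME,
    so a bogus payload never steers how the response is built."""
    try:
        for code, payload in parse_options(opt_rdata):
            if code != OPT_SEND_CHAIN:
                continue
            anc = decode_name(payload)
            return anc if is_ancestor(anc, qname) else None
    except ValueError:
        return None
    return None


def candidate_cuts(trusted_ancestor, qname):
    """Names strictly below the trusted ancestor down to the QNAME, parent
    first. Each is a potential zone cut; for those that really are cuts the
    responder would add the DS (from the parent), DNSKEY and RRSIG records
    that extend the requestor's chain down to the QNAME."""
    q = labels(qname)
    depth = len(labels(trusted_ancestor))
    return [".".join(q[len(q) - k:]) + "." for k in range(depth + 1, len(q) + 1)]


if __name__ == "__main__":
    # Constructed sample: requestor already trusts "com." and asks for a name two labels below it.
    rdata = build_send_chain_option("com.")
    anc = handle_send_chain("www.example.com.", rdata)
    print("trusted ancestor:", anc)
    print("names that may need chain records:", candidate_cuts(anc, "www.example.com."))
```

The ancestor check matters in both directions: a requestor only gains from naming something it has actually validated, and a responder that skips the check could be talked into assembling chain data for an unrelated name.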