Re: [dnsext] Issues in WGLC of dnssec-bis-updates

bmanning@vacation.karoshi.com Wed, 08 February 2012 12:32 UTC

Date: Wed, 08 Feb 2012 12:32:02 +0000
From: bmanning@vacation.karoshi.com
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
Message-ID: <20120208123202.GC25766@vacation.karoshi.com.>
In-Reply-To: <4F31449C.9040604@nlnetlabs.nl>
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl>

On Tue, Feb 07, 2012 at 04:34:52PM +0100, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Andrew,
> 
> I support the default actions you describe.  Below are reasons for
> things I feel more strongly about.
> 
> > ISSUE 1: Indeterminacy of Indeterminate
> 
> I feel the first (4033) is a better description.  I personally use a
> definition for this as: this portion of the tree does not have a trust
> anchor above it (higher up the hierarchy), and therefore is not secure,
> insecure, or bogus.  Note that with the root trust anchor the
> indeterminate state no longer occurs, since we know everything is
> covered by that trust anchor.

	Which root?  The ICANN root?  My corporate root?
	Folks use IP and DNS in networks that may not be connected to the 
	"public" Internet and thus to the ICANN root key.
	So I would say that there is existence proof that you can find 
	the ICANN root trust anchor in an indeterminate state.  I would 
	hope your code is agile enough to cope.


> > ISSUE 2: Ignoring CNAME signatures
> The change requested seems impossible (not compatible with deployed
> code, and not future compatible with intended feature too) to me, thus I
> support no change.
> Best regards,   Wouter

/bill
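The exchange above turns on a definition: a name is Indeterminate when no configured trust anchor sits at or above it in the tree, so a validator with a root (".") anchor never reaches that state, while a validator on a network without that anchor can. The following is an added example, not code from the thread, from Unbound or from any other validator. It models only the "is this name under a configured trust anchor" test; the anchor names and query names are constructed for illustration, and comparison is done label by label in canonical (case-folded) form rather than as a text suffix, so "corp.example." does not accidentally cover "notcorp.example.".

```python
"""Which configured DNSSEC trust anchor, if any, covers a query name?

Added illustration of the Indeterminate definition discussed on dnsext:
a name with no trust anchor at or above it cannot be judged Secure,
Insecure or Bogus by this validator. Anchor sets below are constructed.
"""
from __future__ import annotations

from typing import Optional


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels, root-first, case-folded.

    Names are compared per label (RFC 4034 section 6.1 canonical form),
    never as plain string suffixes, so "example.com." != "notexample.com.".
    A trailing dot is optional; the bare root "." yields no labels.
    """
    name = name.rstrip(".").lower()
    if name == "":
        return []
    return list(reversed(name.split(".")))


def is_ancestor_or_self(anchor: str, qname: str) -> bool:
    """True if anchor names qname itself or a zone above it."""
    a, q = _labels(anchor), _labels(qname)
    return len(a) <= len(q) and q[: len(a)] == a


def covering_trust_anchor(qname: str, anchors: set[str]) -> Optional[str]:
    """Return the closest (deepest) configured trust anchor covering qname.

    None means no configured anchor is at or above qname: the validator
    has nothing to chain from, which is the Indeterminate case.
    """
    covering = [a for a in anchors if is_ancestor_or_self(a, qname)]
    if not covering:
        return None
    return max(covering, key=lambda a: len(_labels(a)))


def validation_scope(qname: str, anchors: set[str]) -> str:
    anchor = covering_trust_anchor(qname, anchors)
    if anchor is None:
        return "indeterminate"
    return f"covered by trust anchor {anchor!r}"


if __name__ == "__main__":
    # Constructed configurations: a validator with a root anchor, and one on
    # an island network that only trusts its own corporate apex.
    root_anchor = {"."}
    island = {"corp.example."}

    for q in ("www.example.com.", "host.corp.example.", "notcorp.example."):
        print(f"{q:22} root-anchor: {validation_scope(q, root_anchor)}")
        print(f"{q:22} island:      {validation_scope(q, island)}")
```

With a root anchor every name reports a covering anchor; with only "corp.example." configured, "www.example.com." and "notcorp.example." come back indeterminate, and when both anchors are present the deeper one is chosen as the chain's starting point.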
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext