IETF Logo Mail Archive

[dnsext] Issues in WGLC of dnssec-bis-updates

Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 07 February 2012 15:18 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA31521F870A; Tue, 7 Feb 2012 07:18:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328627905; bh=edB7vTVuhI59HSIRpvP3542/c+wzXRwFUulN37mcXmc=; h=Date:From:To:Message-ID:MIME-Version:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=IjKLqID6ygRu95SHi9DZeAxEPB6AKr/6GFzQcbTMNwjjehVU93zOLdH5KARxF1YeV OI89UplmwrnwLXfwp89uONyLXc3stdFVDFgCxoyeTWz2glR/89jvSCS5sqH1SXXJDk k5Z7K4VlHHlRUVz6GThoqKgj423R+8vFzIhpod5M=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A8CF21F870A for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 07:18:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.608
X-Spam-Level:
X-Spam-Status: No, score=-2.608 tagged_above=-999 required=5 tests=[AWL=-0.009, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SH6Ue42SSbSJ for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 07:18:23 -0800 (PST)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 50AD021F85B5 for <dnsext@ietf.org>; Tue, 7 Feb 2012 07:18:23 -0800 (PST)
Received: from crankycanuck.ca (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 40A901ECB41D for <dnsext@ietf.org>; Tue, 7 Feb 2012 15:18:22 +0000 (UTC)
Date: Tue, 07 Feb 2012 10:18:20 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsext@ietf.org
Message-ID: <20120207151820.GE9478@crankycanuck.ca>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

Dear colleagues,

We're still in the WGLC on dnssec-bis-updates, but we have some
pending issues to sort out.

At the moment, we have several issues that have been raised in the
WGLC, but not much in the way of proposed resolution.  Sam Weiler says
he is tracking them; and many of the issues have been fairly minor,
but I want to make sure that we don't go back into a long period of
benign neglect of this document, so I'd like to hear some responses.

The following are substantive issues that require more than minor
changes to the document, and for which we need some answers.  I'm
raising them now in the hopes that we can get them closed before WGLC
ends.

A reminder that WGLC ends at the same time (this) Friday ends.

ISSUE 1: Indeterminacy of Indeterminate

In http://www.ietf.org/mail-archive/web/dnsext/current/msg12176.html,
Mohan Parthasarathy argues that RFC 4033 and RFC 4035 have
inconsistent definitions of "Indeterminate".  RFC 4033 says this is
what Indeterminate means, in section 5:

   Indeterminate: There is no trust anchor that would indicate that a
      specific portion of the tree is secure.  This is the default
      operation mode.

RFC 4035 has this definition in section 4.3: 

   Indeterminate: An RRset for which the resolver is not able to
      determine whether the RRset should be signed, as the resolver is
      not able to obtain the necessary DNSSEC RRs.  This can occur when
      the security-aware resolver is not able to contact security-aware
      name servers for the relevant zones.

These two do seem to be inconsistent.  In particular, the latter
apparently can happen when a security-aware resolver with an
appropriate trust anchor can't find an upstream that can handle the DO
bit.  Does anyone have an opinion on what to do about this?  We will
need to come to some very strong agreement quickly, or it will not be
addressed in this document.

    DEFAULT ACTION: none.  Without proposed text that finds strong
    support, this issue will be left out of the document.  

ISSUE 2: Ignoring CNAME signatures

Jiankang Yao has suggested in
http://www.ietf.org/mail-archive/web/dnsext/current/msg12166.html that
language be added to permit ignoring unsigned CNAME records under some
circumstances.  I am already on the record as personally opposing this
change, but surely I'm not the only voice here.  Does anyone have an
opinion about this?

    DEFAULT ACTION: none.  Without proposed text that finds very
    strong support, this proposed change will not be included.  If a
    change is to be added along these lines, it will require a
    separate last call on its own, because it is a major change to the
    protocol.

ISSUE 3: Alter section 5.10

Paul Hoffman requests a change to section 5.10 in
http://www.ietf.org/mail-archive/web/dnsext/current/msg12173.html.
Speaking only personally, I cannot see any objection to the proposed
sentence, "If a site has only a single trust anchor, the information
in this entire section can safely be skipped."  I'm less sure about
the motivational sentences; I'm not even sure they're true.  Does
anyone have any thoughts?

    DEFAULT ACTION: Include the "If a site has only a single trust
    anchor …" sentence, and exclude the other proposed sentences.

ISSUE 4: Request to change the language in 5.6

This is also a request from Paul Hoffman, in the same review.  Is
there any objection to his first formulation?  I believe his second
formulation would actually be a significant change to the protocol,
and as shepherd I cannot accept it without a fairly strong signal from
the WG.

    DEFAULT ACTION: Use the first formulation proposed ("In order to
    interoperate with implementations that ignore this rule on
    sending, resolvers need to allow either the DO bit to be set or
    unset when receiving responses.")

ISSUE 5: The CD bit redux

Mark Andrews argues in
http://www.ietf.org/mail-archive/web/dnsext/current/msg12133.html that
the advice always to set the CD bit is bad advice.  Does anyone else
want to take up his line of argument?  If not, I'll rule that he's in
the rough on this.

Wouter Wijngaards suggests that the discussion around this is too
long, and one of the editors agrees.  To find fault where it belongs,
the long appendix on this is there at my insistence, because several
people previously argued that it was necessary to expose the
consequences of different approaches to setting the CD bit, and yet my
finding was that there was rough consensus in favour of the "always
set" approach.  In the absence of overwhelming support in favour of
removing the discussion, I think it should stay.  If you think it
should be altered, then you need to offer replacement text and not ask
that someone come up with it.  Keep in mind that the text, long as it
is, was the subject of protracted discussion.

    DEFAULT ACTION: none.

Best regards,

Andrew

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email