[dnsext] Issues in WGLC of dnssec-bis-updates
Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 07 February 2012 15:18 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA31521F870A; Tue, 7 Feb 2012 07:18:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328627905; bh=edB7vTVuhI59HSIRpvP3542/c+wzXRwFUulN37mcXmc=; h=Date:From:To:Message-ID:MIME-Version:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=IjKLqID6ygRu95SHi9DZeAxEPB6AKr/6GFzQcbTMNwjjehVU93zOLdH5KARxF1YeV OI89UplmwrnwLXfwp89uONyLXc3stdFVDFgCxoyeTWz2glR/89jvSCS5sqH1SXXJDk k5Z7K4VlHHlRUVz6GThoqKgj423R+8vFzIhpod5M=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A8CF21F870A for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 07:18:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.608
X-Spam-Level:
X-Spam-Status: No, score=-2.608 tagged_above=-999 required=5 tests=[AWL=-0.009, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SH6Ue42SSbSJ for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 07:18:23 -0800 (PST)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 50AD021F85B5 for <dnsext@ietf.org>; Tue, 7 Feb 2012 07:18:23 -0800 (PST)
Received: from crankycanuck.ca (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 40A901ECB41D for <dnsext@ietf.org>; Tue, 7 Feb 2012 15:18:22 +0000 (UTC)
Date: Tue, 07 Feb 2012 10:18:20 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsext@ietf.org
Message-ID: <20120207151820.GE9478@crankycanuck.ca>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
Dear colleagues, We're still in the WGLC on dnssec-bis-updates, but we have some pending issues to sort out. At the moment, we have several issues that have been raised in the WGLC, but not much in the way of proposed resolution. Sam Weiler says he is tracking them; and many of the issues have been fairly minor, but I want to make sure that we don't go back into a long period of benign neglect of this document, so I'd like to hear some responses. The following are substantive issues that require more than minor changes to the document, and for which we need some answers. I'm raising them now in the hopes that we can get them closed before WGLC ends. A reminder that WGLC ends at the same time (this) Friday ends. ISSUE 1: Indeterminacy of Indeterminate In http://www.ietf.org/mail-archive/web/dnsext/current/msg12176.html, Mohan Parthasarathy argues that RFC 4033 and RFC 4035 have inconsistent definitions of "Indeterminate". RFC 4033 says this is what Indeterminate means, in section 5: Indeterminate: There is no trust anchor that would indicate that a specific portion of the tree is secure. This is the default operation mode. RFC 4035 has this definition in section 4.3: Indeterminate: An RRset for which the resolver is not able to determine whether the RRset should be signed, as the resolver is not able to obtain the necessary DNSSEC RRs. This can occur when the security-aware resolver is not able to contact security-aware name servers for the relevant zones. These two do seem to be inconsistent. In particular, the latter apparently can happen when a security-aware resolver with an appropriate trust anchor can't find an upstream that can handle the DO bit. Does anyone have an opinion on what to do about this? We will need to come to some very strong agreement quickly, or it will not be addressed in this document. DEFAULT ACTION: none. Without proposed text that finds strong support, this issue will be left out of the document. ISSUE 2: Ignoring CNAME signatures Jiankang Yao has suggested in http://www.ietf.org/mail-archive/web/dnsext/current/msg12166.html that language be added to permit ignoring unsigned CNAME records under some circumstances. I am already on the record as personally opposing this change, but surely I'm not the only voice here. Does anyone have an opinion about this? DEFAULT ACTION: none. Without proposed text that finds very strong support, this proposed change will not be included. If a change is to be added along these lines, it will require a separate last call on its own, because it is a major change to the protocol. ISSUE 3: Alter section 5.10 Paul Hoffman requests a change to section 5.10 in http://www.ietf.org/mail-archive/web/dnsext/current/msg12173.html. Speaking only personally, I cannot see any objection to the proposed sentence, "If a site has only a single trust anchor, the information in this entire section can safely be skipped." I'm less sure about the motivational sentences; I'm not even sure they're true. Does anyone have any thoughts? DEFAULT ACTION: Include the "If a site has only a single trust anchor …" sentence, and exclude the other proposed sentences. ISSUE 4: Request to change the language in 5.6 This is also a request from Paul Hoffman, in the same review. Is there any objection to his first formulation? I believe his second formulation would actually be a significant change to the protocol, and as shepherd I cannot accept it without a fairly strong signal from the WG. DEFAULT ACTION: Use the first formulation proposed ("In order to interoperate with implementations that ignore this rule on sending, resolvers need to allow either the DO bit to be set or unset when receiving responses.") ISSUE 5: The CD bit redux Mark Andrews argues in http://www.ietf.org/mail-archive/web/dnsext/current/msg12133.html that the advice always to set the CD bit is bad advice. Does anyone else want to take up his line of argument? If not, I'll rule that he's in the rough on this. Wouter Wijngaards suggests that the discussion around this is too long, and one of the editors agrees. To find fault where it belongs, the long appendix on this is there at my insistence, because several people previously argued that it was necessary to expose the consequences of different approaches to setting the CD bit, and yet my finding was that there was rough consensus in favour of the "always set" approach. In the absence of overwhelming support in favour of removing the discussion, I think it should stay. If you think it should be altered, then you need to offer replacement text and not ask that someone come up with it. Keep in mind that the text, long as it is, was the subject of protracted discussion. DEFAULT ACTION: none. Best regards, Andrew -- Andrew Sullivan ajs@anvilwalrusden.com _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] What is indeterminate Mark Andrews
- Re: [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates bmanning
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Eric Brunner-Williams
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Samuel Weiler
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Wes Hardaker