Re: [dnsext] Issues in WGLC of dnssec-bis-updates
Paul Hoffman <paul.hoffman@vpnc.org> Fri, 09 March 2012 02:07 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6FD221F84EF; Thu, 8 Mar 2012 18:07:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1331258865; bh=IKWuEl+jdPAPXewjs/SEM+fyRgvcK1T1rkq4hvKRi3Y=; h=Mime-Version:From:In-Reply-To:Date:Message-Id:References:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=lDbRkze5jD5BQOP441WdwBgSKGNHTdeiSPJj7Pe+9d1JQnw2ImYQHInP0iqBQ/ax1 j8A6019UoJWyvtp8PsOMyW0uEv+gHvUGiJrAKWr8Sf9i58/umCyYWZlSquBBN9NCWb 11hG5fPvxPf7CFiSogTt1TZpPYMTeVO8G2iNMx8Y=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B714021F84EF for <dnsext@ietfa.amsl.com>; Thu, 8 Mar 2012 18:07:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.7
X-Spam-Level:
X-Spam-Status: No, score=-102.7 tagged_above=-999 required=5 tests=[AWL=-0.101, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tbTbsk0MLFmV for <dnsext@ietfa.amsl.com>; Thu, 8 Mar 2012 18:07:43 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 1DD3621F84E7 for <dnsext@ietf.org>; Thu, 8 Mar 2012 18:07:43 -0800 (PST)
Received: from [10.20.30.101] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q2927cHU088143 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 8 Mar 2012 19:07:39 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1257)
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20120309010514.GD88825@mail.yitter.info>
Date: Thu, 08 Mar 2012 18:07:38 -0800
Message-Id: <E6FC9533-E23F-4E35-9B15-52A995CCF2AC@vpnc.org>
References: <20120207151820.GE9478@crankycanuck.ca> <alpine.BSF.2.00.1203081827340.31973@fledge.watson.org> <E044D96B-7642-433F-A8A6-EB123D3DC1DD@vpnc.org> <20120309010514.GD88825@mail.yitter.info>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
X-Mailer: Apple Mail (2.1257)
Cc: Samuel Weiler <weiler@watson.org>, dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Mar 8, 2012, at 5:05 PM, Andrew Sullivan wrote: > On Thu, Mar 08, 2012 at 04:25:30PM -0800, Paul Hoffman wrote: >> On Mar 8, 2012, at 3:35 PM, Samuel Weiler wrote: >> >> This is actually a good point. I withdraw my previous wording, and suggest instead that the following be added as a separate paragraph before 5.10.1: >> >> When not presented with the situation that more than one trust >> anchor is configured, DNSSEC validators SHOULD NOT expose policy >> choices such as those shown in these subsections in configuration >> options. That is, these policy choices SHOULD only be exposed >> when there are multiple options. > > I am opposed to that text. If the WG really strongly wants it, I'll > withdraw my objection, but I'm strongly opposed to it because I find > it both confusing and untestable. I know what this is about, and I > still had to read that twice to parse it. Also, what would be a case > where a validator might permit this? When is it ok? And so on. > > Moreover, I don't think we should be trying to boss around people and > tell them how to make their software: if 50 years of evidence in > favour of eliminating pointless options in software hasn't taught us > to do it yet, I see no hope that a confusing paragraph in an RFC is > going to push us over the top. OK, I can see that. Maybe we should just drop my original objection. >>>> DEFAULT ACTION: Use the first formulation proposed ("In order to >>>> interoperate with implementations that ignore this rule on >>>> sending, resolvers need to allow either the DO bit to be set or >>>> unset when receiving responses.") >>> >>> I think the two formulations are equivalent, except that the >>> second is stated in clearer and more normative language. Yes, >>> this is a change, but it's one we need to make. Let's use the >>> less muddled form of it. >> >> >> FWIW, I agree with Sam here: my second proposal ("Because some >> implementations ignore this rule on sending, the rule for receivers >> is now that they MUST NOT expect the DO bit to be set as it was >> sent.") is the one I prefer. I proposed the first because I thought >> the second would be hard for some people to swallow. >> > > My reasoning was that the first formulation, though more awkward and > so on, is not actually a protocol change. The second formulation is. > The first one says, "People are violating this bit of the protocol, > and you should know about that and act according to how you think > best." The second one says, "The protocol said that you could rely on > this, and now you MUST NOT." I think that an actual protocol change, > no matter how teensy we might think it is, needs evidence that the WG > agrees; so far, we have one commenter and two document editors, but > nobody else who's spoken on it. Therefore, WG participants, if you > agree with Sam's proposed change please weigh in. Otherwise, I don't > feel very comfortable sending it to the IESG, and will have to > highlight this change in the PROTO write-up. I agree with Andrew that this is a protocol change. I agree with Sam that this proposed change is clearer than the wording Andrew chose from my first message. --Paul Hoffman _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] What is indeterminate Mark Andrews
- Re: [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates bmanning
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Eric Brunner-Williams
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Samuel Weiler
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Wes Hardaker