Re: [dnsext] Issues in WGLC of dnssec-bis-updates
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Tue, 07 February 2012 15:35 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8817321F87DD; Tue, 7 Feb 2012 07:35:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328628904; bh=be+jBzBbnr39h9hcpMgf/+RAcDhWpiHevIVh/QSQuw0=; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=ebUZyD82XBQkZHnHWRBnbvoCBF86HcYw1pWkHSbVDfaaMPO+uWNCP1IkS+DFJ0aYJ 6Nn39tWLnrsTXcXkDj2cxKxgPuBYST/ZE6ZUD29QeA7+w26uevDdxtsfTL9VluyMYx 8PqmIxsQicIl4xLcH6SNxo0WR53SOtKuJfv1ZRu8=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4993421F8816 for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 07:35:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.833
X-Spam-Level:
X-Spam-Status: No, score=-1.833 tagged_above=-999 required=5 tests=[AWL=-0.329, BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BRfSIpLhPRku for <dnsext@ietfa.amsl.com>; Tue, 7 Feb 2012 07:35:02 -0800 (PST)
Received: from rotring.dds.nl (rotring.dds.nl [85.17.178.138]) by ietfa.amsl.com (Postfix) with ESMTP id D3F9421F87F5 for <dnsext@ietf.org>; Tue, 7 Feb 2012 07:35:01 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by rotring.dds.nl (Postfix) with ESMTP id EA4F358CFB for <dnsext@ietf.org>; Tue, 7 Feb 2012 16:34:59 +0100 (CET)
Received: from [192.168.254.3] (195-241-9-117.adsl.dds.nl [195.241.9.117]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rotring.dds.nl (Postfix) with ESMTPSA id C394258CEF for <dnsext@ietf.org>; Tue, 7 Feb 2012 16:34:53 +0100 (CET)
Message-ID: <4F31449C.9040604@nlnetlabs.nl>
Date: Tue, 07 Feb 2012 16:34:52 +0100
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111101 SUSE/3.1.16 Thunderbird/3.1.16
MIME-Version: 1.0
To: dnsext@ietf.org
References: <20120207151820.GE9478@crankycanuck.ca>
In-Reply-To: <20120207151820.GE9478@crankycanuck.ca>
X-Enigmail-Version: 1.1.2
X-Virus-Scanned: clamav-milter 0.97.3 at rotring
X-Virus-Status: Clean
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Andrew, I support the default actions you describe. Below are reasons for things I feel more strongly about. > ISSUE 1: Indeterminacy of Indeterminate I feel the first (4033) is a better description. I personally use a definition for this as: this portion of the tree does not have a trust anchor above it (higher up the hierarchy), and therefore is not secure, insecure, or bogus. Note that with the root trust anchor the indeterminate state no longer occurs, since we know everything is covered by that trust anchor. > ISSUE 2: Ignoring CNAME signatures The change requested seems impossible (not compatible with deployed code, and not future compatible with intended feature too) to me, thus I support no change. Best regards, Wouter On 02/07/2012 04:18 PM, Andrew Sullivan wrote: > Dear colleagues, > > We're still in the WGLC on dnssec-bis-updates, but we have some > pending issues to sort out. > > At the moment, we have several issues that have been raised in the > WGLC, but not much in the way of proposed resolution. Sam Weiler says > he is tracking them; and many of the issues have been fairly minor, > but I want to make sure that we don't go back into a long period of > benign neglect of this document, so I'd like to hear some responses. > > The following are substantive issues that require more than minor > changes to the document, and for which we need some answers. I'm > raising them now in the hopes that we can get them closed before WGLC > ends. > > A reminder that WGLC ends at the same time (this) Friday ends. > > ISSUE 1: Indeterminacy of Indeterminate > > In http://www.ietf.org/mail-archive/web/dnsext/current/msg12176.html, > Mohan Parthasarathy argues that RFC 4033 and RFC 4035 have > inconsistent definitions of "Indeterminate". RFC 4033 says this is > what Indeterminate means, in section 5: > > Indeterminate: There is no trust anchor that would indicate that a > specific portion of the tree is secure. This is the default > operation mode. > > RFC 4035 has this definition in section 4.3: > > Indeterminate: An RRset for which the resolver is not able to > determine whether the RRset should be signed, as the resolver is > not able to obtain the necessary DNSSEC RRs. This can occur when > the security-aware resolver is not able to contact security-aware > name servers for the relevant zones. > > These two do seem to be inconsistent. In particular, the latter > apparently can happen when a security-aware resolver with an > appropriate trust anchor can't find an upstream that can handle the DO > bit. Does anyone have an opinion on what to do about this? We will > need to come to some very strong agreement quickly, or it will not be > addressed in this document. > > DEFAULT ACTION: none. Without proposed text that finds strong > support, this issue will be left out of the document. > > ISSUE 2: Ignoring CNAME signatures > > Jiankang Yao has suggested in > http://www.ietf.org/mail-archive/web/dnsext/current/msg12166.html that > language be added to permit ignoring unsigned CNAME records under some > circumstances. I am already on the record as personally opposing this > change, but surely I'm not the only voice here. Does anyone have an > opinion about this? > > DEFAULT ACTION: none. Without proposed text that finds very > strong support, this proposed change will not be included. If a > change is to be added along these lines, it will require a > separate last call on its own, because it is a major change to the > protocol. > > ISSUE 3: Alter section 5.10 > > Paul Hoffman requests a change to section 5.10 in > http://www.ietf.org/mail-archive/web/dnsext/current/msg12173.html. > Speaking only personally, I cannot see any objection to the proposed > sentence, "If a site has only a single trust anchor, the information > in this entire section can safely be skipped." I'm less sure about > the motivational sentences; I'm not even sure they're true. Does > anyone have any thoughts? > > DEFAULT ACTION: Include the "If a site has only a single trust > anchor …" sentence, and exclude the other proposed sentences. > > ISSUE 4: Request to change the language in 5.6 > > This is also a request from Paul Hoffman, in the same review. Is > there any objection to his first formulation? I believe his second > formulation would actually be a significant change to the protocol, > and as shepherd I cannot accept it without a fairly strong signal from > the WG. > > DEFAULT ACTION: Use the first formulation proposed ("In order to > interoperate with implementations that ignore this rule on > sending, resolvers need to allow either the DO bit to be set or > unset when receiving responses.") > > ISSUE 5: The CD bit redux > > Mark Andrews argues in > http://www.ietf.org/mail-archive/web/dnsext/current/msg12133.html that > the advice always to set the CD bit is bad advice. Does anyone else > want to take up his line of argument? If not, I'll rule that he's in > the rough on this. > > Wouter Wijngaards suggests that the discussion around this is too > long, and one of the editors agrees. To find fault where it belongs, > the long appendix on this is there at my insistence, because several > people previously argued that it was necessary to expose the > consequences of different approaches to setting the CD bit, and yet my > finding was that there was rough consensus in favour of the "always > set" approach. In the absence of overwhelming support in favour of > removing the discussion, I think it should stay. If you think it > should be altered, then you need to offer replacement text and not ask > that someone come up with it. Keep in mind that the text, long as it > is, was the subject of protracted discussion. > > DEFAULT ACTION: none. > > Best regards, > > Andrew > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.15 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPMUScAAoJEJ9vHC1+BF+N8EoP/0tmCJfE1muvqPaTT1f3fa32 7Fn3/7pBqlV8yPGBk00T+ntDCep/EHk/yU1Yk1nDRLIltufSPFc5LDeU+04p2Nkq ZOTO3W8uTu8ZQmHM68Ol84zFlog0DFe42V0XOYv9wUI6CNXCiaTyC9q4pjTZw8dR HnoPRPjdIphQuuDWOWAnO/w/gODKqk//CiAHMHosn2H2yQBBujl14Ard3iQKbz0q ytoIPua0z4EYrL9gAl0BkOctVzhtmE4mGEan6AOcvGwxxlDVIRDvgLGvN7bvFxe7 3faUVaLH6wGhYmCHoPYd1Kxm/zLUMhXKkYtLuJ/ICZGyh3hqX6hI17fBtKYccKGf ZPYK/CQ0YLWhKVFl/qTuKXMzcU2A3OmcBcsLWNncIlS2zMjju9Nsvr8qkWXQiP6x lru874L65DhyFuk2/CJz4vfO2sbZmyJinF5P2TVyKz6mKHH7cWj6r+7E6dnKCrc2 W57L0clDml5koNfzQlsWoMuBZGu5Xk+xbhb35CcaLabfx9H1ESqTVDe9w/cOufPV w3OJITPd1SyeglSc1zAheF1ydamkGOf40j4YOwzLJ/A8YOTEjxjmIMEbX+Vg6IIV Gpi5Xrh4WeuJxRBRVyTzg+69dEHdgpqtq+WYVTKgypzZvgO1SWOj+5m3bB+uM0bH ToMTKFX0K4TuqvOC2UDy =JvrZ -----END PGP SIGNATURE----- _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] What is indeterminate Mark Andrews
- Re: [dnsext] What is indeterminate Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates bmanning
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Eric Brunner-Williams
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Edward Lewis
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mark Andrews
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Mohan Parthasarathy
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates W.C.A. Wijngaards
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Samuel Weiler
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Andrew Sullivan
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Paul Hoffman
- Re: [dnsext] Issues in WGLC of dnssec-bis-updates Wes Hardaker