Advance request for opt-in and experiments
"Olaf M. Kolkman" <olaf@NLnetLabs.nl> Thu, 06 July 2006 07:58 UTC
From: "Olaf M. Kolkman" <olaf@NLnetLabs.nl>
Subject: Advance request for opt-in and experiments
Date: Thu, 06 Jul 2006 09:58:36 +0200
Lines: 197
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Apple-Mail-18--80659004"
Content-Transfer-Encoding: 7bit
Cc: iesg-secretary@ietf.org, IETF DNSEXT WG <namedroppers@ops.ietf.org>, Jari Arkko <jari.arkko@piuha.net>
X-From: owner-namedroppers@ops.ietf.org Thu Jul 06 10:14:15 2006
Return-path: <owner-namedroppers@ops.ietf.org>
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.1
To: Mark Townsley <townsley@cisco.com>
X-Pgp-Agent: GPGMail 1.1.2 (Tiger)
X-Mailer: Apple Mail (2.752.2)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Message-ID:
Message-ID: <20140418072215.2560.75331.ARCHIVE@ietfa.amsl.com>
Hello Mark, This is a proto request for two documents. Olaf Kolkman will be the shepherd for both. Please publish draft-ietf-dnsext-dnssec-experiments-03 on the standards track and publish draft-ietf-dnsext-dnssec-opt-in-09 as an experimental rfc. Questions: 1) Have the chairs personally reviewed this version of the ID and do they believe this ID is sufficiently baked to forward to the IESG for publication? Yes we have reviewed both document. 2) Has the document had adequate review from both key WG members and key non-WG members? Do you have any concerns about the depth or breadth of the reviews that have been performed? Yes. draft-ietf-dnsext-dnssec-opt-in has quite a long history and thorough and in-depth discussion a few years ago also see below. Both opt-in and dnssec-experiments have been last called together and were reviewed (among others) by: Sam Weiler (http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00576.html) Ed Lewis (http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00440.html) Andrew Sullivan (http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00330.html) Mark Kosters (http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00309.html) Thierry Moreau (http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00305.html) Scott Rose (http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00316.html) Rodney Joffe(http://ops.ietf.org/lists/namedroppers/namedroppers.2006/ msg00335.html) Thomas Nartan (thread starting at: http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg00308.html). 3) Do you have concerns that the document needs more review from a particular (broader) perspective (e.g., security, operational complexity, someone familiar with AAA, etc.)? No we do not. 4) Do you have any specific concerns/issues with this document that you believe the ADs and/or IESG should be aware of? For example, perhaps you are uncomfortable with certain parts of the document, or whether there really is a need for it, etc., but at the same time these issues have been discussed in the WG and the WG has indicated it wishes to advance the document anyway. It is probably good to have some historic background on the documents. The OPT-in document has been around for a long time. In 2002 it lead to heated debates which resulted in a conclusion that opt-in was technically solid but there was no rough consensus to add opt-in to the spec. (http://ops.ietf.org/lists/namedroppers/namedroppers.2003/msg01007.html) The chairs then suggested to make sure that opt-in did not end up as an I-D tombstone but was to be published as informational draft. Adding the boilerplate has been on the WG todo list for a very long time. In the mean time the working group has created DNSSECbis and has thought about the possible transition mechanisms to DNSSEC-ter (for deploying NSEC3). One of the possible transition mechanism can also be used to run experiments on production systems without interfering with production data. This technology has been described in the dnssec-experiments draft. After dnssec-experiments was published as an I-D, the editors of OPT-IN (also the editor of opt-in) suggested to update OPT-IN to fit in the frame work of dnssec-experiments, in other words opt-in being the first application of dnssec-experiments. Currently the OPT-IN technology is making its comeback in the NSEC3 specification. Times seem to have changed since OPT-IN does not seem to be as contentious as 4 years ago. 5) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? We think it is solid. Active members are aware of this document and key members of the working group have reviewed the documents. There were no objections raised against the document. There was some clarification work needed after version of 'experiment' and version 8 of 'opt-in. 6) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize what are they upset about. No. See the history above. 7) Have the chairs verified that the document adheres to _all_ of the ID nits? (see http://www.ietf.org/ID-nits.html). yes 8) For Standards Track and BCP documents, the IESG approval announcement includes a writeup section with the following sections: draft-ietf-dnsext-dnssec-experiments This document describes how algorithm identifiers can be used to perform experiments within a DNSSECbis environment without that the published data is marked as "bogus" by validating resolvers that do not partake in the experiments. The document explains why this methodology works and describes how experiments are to be defined. Besides, it suggests that algorithm identifiers can be used to introduce non-backward compatible DNSSEC features into the protocol. The first application of this methodology will be an experiment with "opt-in" [draft-ietf-dnsext-dnssec-opt-in]. It is possible that the methodology will be used for the introduction of current DNSSEC extensions currently under development in DNSEXT, the NSEC3 work. draft-ietf-dnsext-dnssec-opt-in opt-in is a method to disable the authenticated denial of existence for a range of domain names in a zone. It has been developed to generate a sparse set of NSEC RRs in a zone that contains mostly delegations i.e. to opt-in the secure delegations. The span of delegations for which authenticated denial is not available is still indicated using an NSEC resource record. 'NSEC-bit' in the type bitmap of the NSEC RDATA is used to signal the different semantic of the opt-in type NSEC RR. opt-in is a methodology that is backwards incompatible with DNSSEC; in order to perform a trial the methodology described in draft-ietf-dnsext-dnssec-experiments is applied. --Olaf ----------------------------------------------------------- Olaf M. Kolkman NLnet Labs http://www.nlnetlabs.nl/
- Advance request for opt-in and experiments Olaf M. Kolkman
- Re: Advance request for opt-in and experiments Sam Weiler
- Re: Advance request for opt-in and experiments Roy Arends
- Re: Advance request for opt-in and experiments Edward Lewis
- Re: Advance request for opt-in and experiments David Blacka
- Re: Advance request for opt-in and experiments Edward Lewis
- Re: Advance request for opt-in and experiments Roy Arends
- Re: Advance request for opt-in and experiments David Blacka
- Re: Advance request for opt-in and experiments Edward Lewis
- Re: Advance request for opt-in and experiments David Blacka
- Re: Advance request for opt-in and experiments Edward Lewis
- Re: Advance request for opt-in and experiments David Blacka
- Re: Advance request for opt-in and experiments Edward Lewis
- Re: Advance request for opt-in and experiments David Blacka
- RE: Advance request for opt-in and experiments Hallam-Baker, Phillip
- RE: Advance request for opt-in and experiments Edward Lewis
- RE: Advance request for opt-in and experiments Hallam-Baker, Phillip