Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Wed, 25 January 2012 11:46 UTC

Message-ID: <4F1FEB8D.1080703@nlnetlabs.nl>
Date: Wed, 25 Jan 2012 12:46:21 +0100
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
To: dnsext@ietf.org
References: <20120120054939.GD4365@mail.yitter.info> <20120120142243.GE4944@mail.yitter.info> <a06240801cb3f4c060c50@[192.168.129.98]>
In-Reply-To: <a06240801cb3f4c060c50@[192.168.129.98]>
Subject: Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

Hi,

I have reviewed, carefully, and support publication.

Some (additional) comments; they have little substance.

The section and appendix on CD bits are long.  Not wrong, but long.
With the root trust anchor deployed, not having a covering trust anchor
is unlikely.  The last validating resolver is the one that can be
trusted, upstream validating resolvers are connected via some network
transport, and trust may therefore not be advisable.

Section 6.2 is correct.  But its tone is loose.  It is about lenient
acceptance of the SEP flag.  Please say that, or say that the proper
setting of the SEP flag is defined in its RFC.

Thanks to Sam, David and Rob for editing.

Best regards, Wouter

On 01/20/2012 05:55 PM, Edward Lewis wrote:
> Comments.
> 
> In 2005 it was too soon to publish, now it is not.  And at this point
> there may be more and more wrinkles in the DNSSEC specs, but we need to
> get out at least this (first) update.
> 
> Some comments:
> 
> Pressence has a presence in the document.  It shouldn't (the spelling, I
> mean).
> 
> 5.9's title is misleading.  The content is good, it's about answering
> from cache in the face of a CD query.  But "always doing CD" only
> applies to elements that will do their own validation.
> 
> 5.4 could optionally make the point that a validator that expects all
> signatures to be good and/or all chains to work is vulnerable to
> malicious insertions of gibberish-based signatures.  It's harder to
> construct a good chain than a false chain.

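The point behind the 5.4 comment quoted above, as an added example that is not part of this thread or of the draft: a validator that insists every RRSIG over an RRset verifies is sunk by one inserted gibberish signature, while one that accepts any RRSIG verifying under a trusted key still finds the good chain. HMAC-SHA256 with a per-key secret is assumed as a stand-in for a real DNSSEC algorithm so the code runs offline; the names and sample data are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: HMAC-SHA256 stands in for RSA/ECDSA so the example needs no key
# generation. The validator decision logic is the point, not the cryptography.

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    secret: bytes        # stand-in for the public key material

@dataclass(frozen=True)
class RRSIG:
    key_tag: int         # which DNSKEY this signature claims to be made with
    signature: bytes

def canonical_rrset(owner: str, rrtype: str, rdata: list) -> bytes:
    # Canonical form the signer hashes: lowercased owner, type, sorted rdata
    return "\n".join([owner.lower(), rrtype] + sorted(rdata)).encode()

def sign(key: DNSKEY, data: bytes) -> RRSIG:
    return RRSIG(key.key_tag, hmac.new(key.secret, data, hashlib.sha256).digest())

def sig_verifies(sig: RRSIG, keys: dict, data: bytes) -> bool:
    key = keys.get(sig.key_tag)          # only keys we already trust count
    if key is None:
        return False
    expected = hmac.new(key.secret, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.signature)

def validate_strict(data: bytes, rrsigs: list, keys: dict) -> str:
    """Brittle validator: every RRSIG must verify or the RRset is bogus."""
    if not rrsigs:
        return "bogus"
    return "secure" if all(sig_verifies(s, keys, data) for s in rrsigs) else "bogus"

def validate_any(data: bytes, rrsigs: list, keys: dict) -> str:
    """Resilient validator: one RRSIG verifying under a trusted key suffices."""
    return "secure" if any(sig_verifies(s, keys, data) for s in rrsigs) else "bogus"

def demo() -> tuple:
    # Constructed sample: one trusted zone key and one signed A RRset
    zsk = DNSKEY(key_tag=12345, secret=b"constructed-zone-secret")
    trusted = {zsk.key_tag: zsk}
    data = canonical_rrset("www.example.", "A", ["192.0.2.1", "192.0.2.2"])
    good = sign(zsk, data)
    # Gibberish RRSIG carrying the same key tag, the insertion the thread warns about
    gibberish = RRSIG(key_tag=12345, signature=b"\x00" * 32)
    return (validate_strict(data, [good], trusted),             # secure
            validate_any(data, [good], trusted),                # secure
            validate_strict(data, [good, gibberish], trusted),  # bogus: one bad sig sinks it
            validate_any(data, [good, gibberish], trusted))     # secure: good chain still found
```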