Re: [secdir] Secdir review of draft-ietf-dnsop-dnssec-validator-requirements-04
Daniel Migault <daniel.migault@ericsson.com> Thu, 29 June 2023 14:59 UTC
Return-Path: <daniel.migault@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D92BC15106C; Thu, 29 Jun 2023 07:59:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-6O5mnoA-Hs; Thu, 29 Jun 2023 07:59:43 -0700 (PDT)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2054.outbound.protection.outlook.com [40.107.223.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C987C151061; Thu, 29 Jun 2023 07:59:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gv1o4bF2QBvwSsTEWNwp/hAkNgTVjO70LYHzwwkFsV+f5nsxKAvIq0oSnK/GN7bWxJYhshtqYRioZCvc0UM77c6Z54eSqvXp4coCUb3wOzKdLzVQXCxUTgn7ojQcZOQnJUhbJ4y49duTRvXc95x2IqHMZBf8ocoZZeDEKVTcH8hPsjj+olhk8TSxBkTS3QZ8lLJPbC+lfLIBdPTS5HhbjEB2AHRE8mLdJeW6HcXwPLxzOcdeVTJFGyz7iCOnDUXrRoKiqKbUkh+hHCrkA+KiZJtHiDeNe5w6nUqUPYgzIqwtxkXBCl03EaleSUxIF+WEs1BSKqcG2CWl8OJMiRDBFQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=W0qblcZclf7hsSduYP6nWFCOepmyjEUGRXjvhPTIx+c=; b=H3IXIFKL2RTDvge5C3GQUW0Qv6O3oyyfJDNfrQkEgj0YBtJ4DH0WKokl8g2XRamD+NG9GISyJiQNEWG5HrZTgruvciIA+pE7yeeD5L7VRVdB+rpS7nKgzSpuievA28wgHuAcyfwv8MGHeclu0L81cQ6/XoYM87UcWPGLreiWf9gp/8B/21NkDguK23tl/40Ykzuxmr5m0FSuyH5slNqio8QWYjYQkj0LriUuREWOzxUQvUMqpD3Maf3V7asW9C1x57jMLwZxnYTuglVL0LR3ymoajWUnwL7yYdBy/hVDFGRxTVamjA8tPMP6fwHIS0ASr7PMOA8RJsm+tSENqdUNQw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=W0qblcZclf7hsSduYP6nWFCOepmyjEUGRXjvhPTIx+c=; b=KIi8rewr7IxQlEpwIBd4gQfO8F7Cqh12VbbaIxaxnG0IFFZZi+fIMZM7e2sdU8oy+RZhvGqNjly1ypGPSZ0WGQqilPeN3Ioa+R9OvfJRUMCHtCBx5gd+8cZ7eD0/yIEI5Oj3IqunWGTmaQ2e6H3I2cnE+L4RMlppM7oX9/X/KV4=
Received: from DM6PR15MB3689.namprd15.prod.outlook.com (2603:10b6:5:1fb::27) by SA0PR15MB4016.namprd15.prod.outlook.com (2603:10b6:806:84::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6521.26; Thu, 29 Jun 2023 14:59:35 +0000
Received: from DM6PR15MB3689.namprd15.prod.outlook.com ([fe80::9b42:ec9c:9834:910]) by DM6PR15MB3689.namprd15.prod.outlook.com ([fe80::9b42:ec9c:9834:910%3]) with mapi id 15.20.6521.024; Thu, 29 Jun 2023 14:59:35 +0000
From: Daniel Migault <daniel.migault@ericsson.com>
To: Charlie Kaufman <charliekaufman@outlook.com>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-dnsop-dnssec-validator-requirements.all@ietf.org" <draft-ietf-dnsop-dnssec-validator-requirements.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-dnsop-dnssec-validator-requirements-04
Thread-Index: AQHZgHMwrXOqw55hUkW55+iUeWnvJ6+h5cFS
Date: Thu, 29 Jun 2023 14:59:34 +0000
Message-ID: <DM6PR15MB368989D7B026C7EF743B1FB9E325A@DM6PR15MB3689.namprd15.prod.outlook.com>
References: <MW2PR1901MB46832CE7DF4440FF02CA80D3DF739@MW2PR1901MB4683.namprd19.prod.outlook.com>
In-Reply-To: <MW2PR1901MB46832CE7DF4440FF02CA80D3DF739@MW2PR1901MB4683.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR15MB3689:EE_|SA0PR15MB4016:EE_
x-ms-office365-filtering-correlation-id: 590cb6cf-1d45-4d86-2aa8-08db78b173a0
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: CBdrKME/WCvfw2puo5zGOusG/DvNJqPfJMZMtSqEgbCm9ezjTa0GJ8cYiyNQwdnrAcRvFEEx56xHDQWgBFSaYsqrYegERfMHISaFzSP3ngXnZMztTdeMnKIqnA+p2oZrdfkwrs9ntjR7BhWWoL0jXkcX1nEdADNUzBU26XgOUpETcVJfC+XgQwPNEoVkkMJxNwzdsDPkKLciCCu6pAxrKkYJqCyQkcPZc7DgBlPzYRWKfzSsWeVV1bpX1doH2LHno4ltNzCLE8Ws+42gSjiF0190y9Bt+wN4g0YCZtwnxeW9z6FYssoCWlXopEc+TgkxqmFEpTzqa4UkSMkbNFLw0jYkO+2foWoxBzsv5FKfb9w16d/coWChMtHeMTJfDBC6VBwdFzS5JbO1zku6zndoXFaGfQ8RB26KnksqHrIjTg/sWXS+8tBXuaD78WD/4dWycvDjf9Ma+H4UUZ0cA9+Ekaz86cMGFcH6RCknAUeStH2GOp09gIUgBMLrUrAbG9wJUwXWtEuCZ+6Q7HvYVrNgYZ5ChLwjex+hgoJg8bExoBIe5cZ4TDE+8zP2tiwEMJoiPtpM9PewbyJ0Q9MkzZ9CmMsBaAcX56JhM+t1Yl2dNJD+AGH0Wfql26Ub8lTTQSJ+H7pfRw+5HYHFYo4xsJDiDHzq+qWn9GhvHCUSAIsfygTYzVXoVwzEvH+XBpcQUXC/
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR15MB3689.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(136003)(346002)(366004)(39860400002)(396003)(376002)(451199021)(2906002)(186003)(44832011)(30864003)(38070700005)(55016003)(316002)(82960400001)(86362001)(33656002)(8676002)(966005)(110136005)(45080400002)(7696005)(478600001)(122000001)(38100700002)(71200400001)(8936002)(66574015)(5660300002)(66476007)(91956017)(9686003)(41300700001)(66946007)(66556008)(66446008)(83380400001)(64756008)(76116006)(53546011)(52536014)(6506007)(10090945012); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: zU/qH2EGgxDKJAI0kwvaQnyrjl8CRry3OloqKf8DS9lfeM0Erk1/77AbsS7U59yBptdxA6x02xgHNPM+BdibPqJK8rJzckfHiP5zqtZczdJhEtYKnxrHeRsHQicBkVHRBW/t+yEfgmN4QVBW2yTqHPZp/dXIKJOeddT2pYXVEhPNNdzp2w1fIj/D/aULkj0dfRZftSRzZvMc/H5KKoauco6N4gsq4x3q5RlHTb3b2CDGMcaLIB/SeisPQ7z24d2D7RDP2Sy9rxsqBBsXM8TE0tZKtJ7bj1JplPz969Pq2ZDkUj+UeanCPtkNa/K3B5AiWYNTejHAvb+VXwx6s6qjRT8xetqhGTGemX3yx5R7u4TcjorX7kwqBQjR1VeClArcjRPQhBPou/EnadtgE6wCzHaRd/ZNW/TlT3mRjQyaErxEhwdPpX1T8tycYEt8a9DYkE2xybSfiODm0cd3Xujnz2UZ+Vo0jw6E3/ykXnmLmZ4UfhJpyOhdGkQIFTyioaBxry2XmzPvJDfSQrWDJTRmEidfV05xxvnEr30l8t2geANt5ZQkrW4w2cFpClZ7P6qPBQ5eJKxa54Xckm1Fr747EJhUVvP1xBcFg96k9gMIMN7d519uYr/qgRbujm2e6W9q0MSduucPN7VnHTY7piN/SMz2qOtrbvRD52bhg234GZ0DYmOPceBGkOxvePX2LMgf2Ud96sy4I9fG8gPtnpas+DWpSzOSnYoU1CoPznNhqqcDgfeTpP7e5QfPETBFDIj7Rze7EldKjA1ObK66QXPM0AhGrKySnAmNt9nno958Y7UiZjlVbfHT1JhBgX/xnfXJ2+cqzdvx5JCLN6ds9j+gRy7+H4/parR9tOM85uxZ5JcKJ/Nwxv9I29sYcYY8+nJSs9mJ8+QTQTCUcSbbNBfWcZ4K+/nfomLtsf6gvWM1CjDqI3L8zeSWGxzOqFHX7YukNgj6Cpnt72naRO6WinXl7tWu0l/7rakJO/zjurz+7WiVWjGL0N9d2RP+Gs93zmGWL+Wdcv2HzsfU+2otry6pWljB+9LZ4OJGm1gZ6FSJPTd9WI/ke+zHqfYIoST7bPiMjgGcqJVnKFlfBKwXRRTK0Qm/YICRALhShVmAZOjF8FuAxRR9XU78nKRKSgpHT1853F0Hg9PioWY1tfWl92BrS6wBwrdcff4EV8G2rJoJlzOWID6f8OvEHf2uNto7Vt+5L+/vXToIE7Pm50fbtiJy7wckq0GS+psPIIk+LAuAIjf48nCKHfjSlfaNZ3sl3vRjcNJrt4C9KcyS2HuSiHEiC/NhfmleSfW+mlMh+NKBYnTCU+iqM6iuQ+JKK7pf3VzDD2XL9Q/WlaV9SsD/XHekEfDKEKdO5XhDsij941+0snHkKb8VN6pezk849jvuTUnkxow1HbWJrayQfYHrc2UeqishGxUY7x8tqmhi8lxvMxe2Y9YluiyVa/gwr9RAbAhZwV/E8P/huB6EGG5em1z94Jsq32CYVH6WZRUvrQ3++ug7USI3Q2ueF4UiQdHt/M7fKR8SBhTPUv/xndrD1+ZsKf7p/Ktsl7icGO2iA2HdQ4jMwgdqiHrjHMwbEpqVJT47G1YSvzAxc8odvEA4bDCHleE5ZjAcxsP4zAYYIRdun7BJQnJVP21Rv/WkITzKQ8UH8T4O4wadKIhZCnDR6tQIAw==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB3689.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 590cb6cf-1d45-4d86-2aa8-08db78b173a0
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jun 2023 14:59:34.7461 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SZucTe1q9uGrfHNMIehpdO2c1PdFNZPFeXT2pN2GuagcvcKZEuEP5gk2osT4hSz0q/UnedonMi3pdgOGzJ2q0EW0OFZax2y9b9hlQvRm0OM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR15MB4016
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dNNKWdNfeCiCgv0tPD5mDTnIDG4>
Subject: Re: [secdir] Secdir review of draft-ietf-dnsop-dnssec-validator-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2023 14:59:47 -0000
Hi, Thanks for your review. The current version is a significant re-write of the version you reviewed. In the light of the following comment: """ Reword. This document is not about avoiding responsibility or liability; it's about doing the right thing. """ You can find the current version here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/ We removed many discussions, considerations that are not intended to a DRO as well as those not actionable by a DRO. I believe that was a major concerns of our document and the document is now much concise, clearer and addressing the sues you raised. You can find a more detailed response on the high level comments below. Yours, Daniel ________________________________________ From: Charlie Kaufman <charliekaufman@outlook.com> Sent: Saturday, May 6, 2023 7:35 PM To: secdir@ietf.org; iesg@ietf.org; draft-ietf-dnsop-dnssec-validator-requirements.all@ietf.org Subject: Secdir review of draft-ietf-dnsop-dnssec-validator-requirements-04 Reviewer: Charlie Kaufman Review result: Has Serious Issues I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This I-D has problems. First, there are an excessively large number of typos and awkwardly worded sentences with sometimes make it's interpretation difficult. I've listed the first few I found below but was eventually exhausted. <mglt> We did proceed to a major rewrite and believe we addressed that issue. </mglt> Perhaps more importantly, the recommendations talk about what a DNSSEC Resolver Operator should do, but have little guidance on how to do it. Mostly, this I-D illuminates problems with the existing DNSSEC deployment which makes if difficult for operators know what to do in all cases. It recommends automation in many cases, but that's really a recommendation to the implementers of DNSSEC resolvers rather than the operators. <mglt> I agree that the previous version had considerations that were outside the scope of the DRO. In some case, the recommendation was more targeting the implementers I agree. This includes the management of the TTL for example which has been removed. Our primary goal for automation was to insist on limiting manual intervention by the DRO and them being prepared wit the right tooling to perform some specific operations. In some cases, such as TA Updates, DNSOP have defined mechanisms. We recommend the DRO to enable these mechanisms. In other cases, it is part of the DRO to set the right tooling (scripts) to fullfill some tasks. For example to retrieve the up-to-date TAs. In that case, our recommendation is mostly for the DRO to leverage on existing piece of software. In some case, that software is embedded in the resolver it is using. I believe the current version clarifies the need to automate procedure and provides more guidance on the tooling aspect versus the mechanisms that are implemented by the resolver implementer. Writing these lines, I realise that any time we mention a DNSOP defined mechanism I always had in mind this will be made available to the DRO, and the DRO only has to enable it. If that is unclear I am happy to clarify that. </mglt> The fundamental problem with DNSSEC Resolvers is that there is no way for them to encode information about failures in the responses they send to clients that would allow the clients to decide how to handle them. DNSSEC recognizes the existence of unsigned records, and resolvers can return a single bit of status information to the effect that certain information was not signed. But if data has invalid signatures, the prescribed action of a DNSSEC resolver is to discard the information (even if they are invalid for as minor a reason as that the signature has recently expired because the zone signer failed to deploy updated signatures on a timely basis). Some clients respond to this problem by switching to a resolver that does not enforce DNSSEC, which is probably not optimal. A more correct response is probably to ask the user whether to make an exception in each (unique) case, but that is not easily available as an option. <mglt> I think in the old version as well as in the new version we have emphasise on the DRO to be able to communicate with the other actors involved in the DNS. So far we are recommending to provide extended errors to the client, the ability for authoritative server, and encourage reporting. We received some comments that it was unclear whether extended error are used with client or something else. I guess the current version is clearer. The recommendation you suggest that is informing a DNS client whether DNSSEC has been validated or not is interesting, but as far as I know, it does not exist and sounds like a new work to be done. I am unsure such work would be adopted by dnsop as setting cd is probably how this could be implemented. There might be some space where such indication mght make sense when DNSSEC and TLS are combined. Typically, without TLS, unless DNSSEC validation is performed by the client, the client cannot trust the response (even when received from a trusted resolver that has performed the DNSSEC validation). With TLS it could make sense to indicate DNSSEC were present and implicitly signature validation succeeded. The extended errors are expected to guive more information to the DNS client but we do not designed a mechanism for teh client to accept the unsigned or RRsets with a validation failure. This is likey to involve some sort of GUI and falls in the category of new work. Such new work are not mentioned as these are expected to be implemented by the resolver vendors and not the DRO, but it also carry the message that DNSSEC deployment is complex.... and actually one purpose of this document is to show that DNSSEC can be deployed quite easily. </mglt> DNSSEC resolvers can be configured to ignore errors is certain parts of the name tree when it is known they are incorrectly configured, but there also there is little practical guidance as to when such an action is appropriate. <mglt> We do refer to negative trust anchor recommendations that have its own document. </mglt> At best, this document explains to DNSSEC Resolver Operators why their job is hard and the stakes involved in getting it wrong. With luck, it would also inspire someone to address some of the challenges in the administration of DNSSEC. <mglt> Actually we are trying to mention that DRO can be done properly with some minimal effort. We also want to highlight that willing to have some specific settings - such as specif rules to handle the cache, specific trust model -- can become very easily complex, and maybe should be avoided. The version you reviewed was probably providing too much discussions on corner cases, risks evaluation giving an impression of an unnecessary complexity. I believe the current document addresses this concern. </mglt> Section 13 (Transport Recommendations) has recommendations that seem sound but I'm not sure they are possible. It would seem they would apply to any DNS resolver (though because DNSSEC involves large records, DNSSEC aware resolvers might be more affected). MTU values vary across different parts of the Internet, and I'm not aware of any general purpose solution to the problem. It might be better to refer to some other spec on based practices trying to run over UDP (assuming there is one). <mglt> Well... this is clearly something the DRO would be responsible to do. I agree that also applies to non DNSSEC resolver.... but DNSSEC likely reveals such issue. As far as I can tell more generic spec are likely to be more generic. We did not change this section. We also added a section on secure transport, in that case, we did not repeat the TLS BCP bu simply refer to the specific document. </mglt> Detailed feedback: From the Abstract: "DNSSEC Resolver Operators (DRO) as well as operational recommendations that DNSSEC validators operators" What's the difference between a DNSSEC Resolver Operator and a DNSSEC validator operator? I believe these are the same people. "in order to implement sufficient trust that makes DNSSEC validation output accurate." Awkward wording. Not sure what you are trying to say. "include," -> "include" From Introduction: "The purpose of a DNSSEC Resolver Operator (DRO) is to provide DNSSEC validation in to their users." Reword. The purpose of a DNSSEC Resolver is to transparently perform DNSSEC validation for its clients. A DNSSEC Resolver Operator (DRO) is a person, whose purpose is best discussed with philosophers. :-) "two part:" -> "two parts:" "owner of the private being the" -> "owner of the private key being the" "As such differ the confidence into the Trust to designate which DNSKEY RR is legitimate." Reword. Not sure what you were trying to say. "be associated their respective" -> "be associated with their respective" "As TAs need to be managed over time, the trust also concerns the management procedure of the TA. This is the main concern of this document." This is ambiguous. It could refer to the procedures the operator of the TA follows in signing zones, but I believe what you're referring to here is the DRO's task of managing the set of TAs that the DR should trust. "appropriated libraries" -> "appropriate libraries" From Section 5: "A DRO needs to be able to enable DNSSEC validation with sufficient confidence they will not be held responsible in case their resolver does not validate the DNSSEC response." Reword. This document is not about avoiding responsibility or liability; it's about doing the right thing. "A DRO MUST provide a mean to..." -> "A DRO MUST provide a means to..." "Note that time synchronization is a sensible operation." You probably mean to say a "security sensitive" operation. From Section 7.2.2: "Avoiding the configuration file to be updated prevents old configuration file to survive to writing error on read-only file systems." Reword. Awkward. From Section 11: "One inconvenient to such strategy i sthat it does not let one DRO to take advantage of more recent cryptographic." Reword. Awkward. --Charlie Sent from Outlook<http://aka.ms/weboutlook>
- [secdir] Secdir review of draft-ietf-dnsop-dnssec… Charlie Kaufman
- Re: [secdir] Secdir review of draft-ietf-dnsop-dn… Daniel Migault
- Re: [secdir] Secdir review of draft-ietf-dnsop-dn… Daniel Migault