On 5 Oct 2015, at 16:12, Joe Abley wrote:

> Hi Paul,
>
> On 5 Oct 2015, at 15:35, Paul Hoffman wrote:
>
>> A document called "DNSSEC Trust Anchor Publication for the Root Zone"
>> that says nothing about the most common KSK publication practice,
>> that is, by resolver software developers, is woefully incomplete.
>
> I am confused by that. The KSK maintainer publishes trust anchors for
> the root zone. Software developers produce code that consumes those
> trust anchors. Perhaps we are missing a shared understanding of the
> word "publish" here, but I don't see what common KSK publication
> practice you're referring to.

Hrm. I'm pretty sure that most people would agree that software is
published, and that config comes with that published software. The KSK
is often part of that config.

Of course "the KSK maintainer publishes trust anchors for the root
zone". So do other organizations. It seems like many people who say they
want this document published want this document to be how ICANN/IANA
publishes the trust anchors.

>> If instead the document is supposed to be about current ICANN
>> publication only, then the document should be retitled, given a
>> better abstract, and give the actual URLs for the current KSK and
>> describe the formats used for the current data. It should not make
>> speculation about other URLs nor about other format options.
>
> I don't understand the comment about the title or the abstract (see
> above).
>
> Maybe you are thinking that only ICANN can publish the trust anchor? If
> so, I would certainly disagree. Anyone can publish it, and that's a
> feature.
>
> I fully agree that the document should use actual URLs for the current
> KSK. As far as I can see, all the URLs mentioned in the document are
> URLs that work today, and have been stable since 2010. I don't see any
> speculation about other URLs.
>
> Can you explain more fully what problem you see?

   The URL for retrieving the CSR is
   <http://data.iana.org/root-anchors/key-label.csr>, with "key-label"
   replaced by the key label of the corresponding KSK.

   The URL for retrieving a signed X.509 certificate is
   <http://data.iana.org/root-anchors/key-label.crt>, with "key-label"
   again replaced as described above.

Those are templates, not URLs. ICANN does not publish anything at
http://data.iana.org/root-anchors/key-label.csr (unless you consider
giving a 404 to be publishing...).

Templates are speculative: you can plug in different values that change
over time. That is not what ICANN publishes. Yes, you designed it to be
a template, but that is not what ICANN publishes.

If this document is going to be published by anyone, it should state
exactly how ICANN publishes things, not how it might in different future
circumstances.

>> It should not talk about the publication of possible future KSKs
>> because that is not what ICANN is doing now.
>
> I don't understand that, either. The scheme developed at ICANN in
> 2009/2010 was designed to facilitate publication of multiple trust
> anchors, specifically to allow future KSK rolls. You're saying we
> shouldn't document that because a KSK roll hasn't happened, yet?

There is a difference between "how ICANN publishes the KSK" and "how
ICANN might publish the KSK". Please pick the one you want so that the
WG can decide if that's what they want you to publish. Mixing those two
ideas up will not help anyone who is reading the published document.

--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop