On Mon, 8 Jan 2024, Tim Wicinski wrote:
Subject: [DNSOP] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
From my previous comments (still unaddressed, were my comments rejected?)
> there are 13 root servers.

I would really like to see this changed. We keep trying to tell people who are not DNS insiders that the world does not depend on just 13 physical machines. This will cause that confusion to strengthen again.

> It is in DNS master file format

Maybe use "zone file presentation format" instead of "master file format".
This still stands as well. Perhaps a recommendation could be to check with ZONEMD and do an AXFR, e.g. recommend implementing RFC 8806 - "Running a Root Server Local to a Resolver". Comes with added bonuses on top of a signature on all the root glue. I still think this would also be good to mention.
[[ This section talks about sending the DO bit, but does not actually talk about validating the response to the priming query. This became important after the root KSK rollover in 2018 because some resolvers apparently were validating and only had the old KSK, but were still sending RFC 8145 telemetry even after failing to validate their priming response. ]]
I said before: Nothing much can be done here other than advising implementers to check if the obtained DNSKEY RRset no longer contains any KSK that is configured as part of the software, and then doing some kind of exponential back-off to slow down the query rate? The comment was removed but no text was added for this? Should there be?

I also wrote before: So now I do think the document is ready, but I think it would be nice to mention ZONEMD and local root configurations as methods to protect against spoofed glue.

So, nothing blocking I guess, but some "really nice to get fixed" items remain.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
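The check Paul describes above, a resolver noticing that the DNSKEY RRset it obtained after priming no longer contains any of its configured KSKs and then backing off exponentially, can be sketched in a few lines. The following is an added example written for this page, not code from the draft, from the thread, or from any resolver implementation. It assumes DNSKEY records arrive in presentation format ("flags protocol algorithm base64-key"), that the resolver's only relevant state is a set of configured KSK key tags, and that key tags are computed per RFC 4034 Appendix B (algorithm 1 is not handled). The sample RRset and the key bytes in it are constructed, not real root keys; this is a sanity check on the anchor, not a substitute for DNSSEC validation of the priming response.

```python
"""Sanity-check a root DNSKEY RRset against configured trust anchors and
compute an exponential back-off when no configured KSK is present.

Added example for the DNSOP thread; not code from draft-ietf-dnsop-rfc8109bis
or any resolver. Function names and the sample data are assumptions.
"""
import base64
import struct

# Constructed sample: two DNSKEY RRs shaped like a root DNSKEY answer.
# The base64 blobs decode to made-up bytes, not real public keys.
SAMPLE_DNSKEY_RRSET = [
    ". 172800 IN DNSKEY 257 3 8 AQIDBA==",  # constructed KSK (flags 257)
    ". 172800 IN DNSKEY 256 3 8 BQY=",      # constructed ZSK (flags 256)
]

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on keys used as KSKs


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA, as in RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd index: low byte, even: high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr):
    """Split a presentation-format DNSKEY RR into (flags, proto, alg, key)."""
    fields = rr.split()
    if len(fields) < 8 or fields[3] != "DNSKEY":
        raise ValueError("not a DNSKEY RR: %r" % rr)
    flags, proto, alg = (int(x) for x in fields[4:7])
    pubkey = base64.b64decode("".join(fields[7:]))  # key may be split on spaces
    return flags, proto, alg, pubkey


def ksk_tags(rrset):
    """Key tags of every SEP-flagged key in the obtained DNSKEY RRset."""
    tags = set()
    for rr in rrset:
        flags, proto, alg, key = parse_dnskey(rr)
        if flags & SEP_FLAG:
            tags.add(key_tag(flags, proto, alg, key))
    return tags


def priming_anchor_present(rrset, configured_ksk_tags):
    """True if at least one configured KSK still appears in the RRset."""
    return bool(ksk_tags(rrset) & set(configured_ksk_tags))


def retry_delay(consecutive_failures, base=1.0, cap=3600.0):
    """Exponential back-off: 1s, 2s, 4s, ... capped at `cap` seconds, so a
    resolver whose anchor is gone does not hammer the root servers."""
    if consecutive_failures < 1:
        return 0.0
    return min(cap, base * (2 ** (consecutive_failures - 1)))


def check_priming(rrset, configured_ksk_tags, failures_so_far):
    """Return ("ok", 0.0) when a configured KSK is present, otherwise
    ("anchor-missing", seconds_to_wait_before_the_next_attempt)."""
    if priming_anchor_present(rrset, configured_ksk_tags):
        return ("ok", 0.0)
    return ("anchor-missing", retry_delay(failures_so_far + 1))


if __name__ == "__main__":
    # Configured anchor matches the constructed KSK in the sample answer.
    print(check_priming(SAMPLE_DNSKEY_RRSET, {2063}, 0))
    # Configured anchor is stale: back off, growing with each failure.
    for n in range(4):
        print(check_priming(SAMPLE_DNSKEY_RRSET, {99}, n))
```

The only state the check needs is the set of key tags of the KSKs shipped with the software; a full implementation would compare against the configured DNSKEY RDATA or DS records rather than tags alone, since key tags are not unique.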