Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-05-04 Thread Tim Wicinski
All The call for adoption period has ended and there has been enough consensus to adopt this and work on this. thank you tim On Fri, May 1, 2020 at 7:51 PM Wes Hardaker wrote: > Joe Abley writes: > > > Anyway, I am fairly confident in saying that there are legitimate, > > normal operational

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-05-01 Thread Wes Hardaker
Joe Abley writes: > Anyway, I am fairly confident in saying that there are legitimate, > normal operational processes that can result in orphan glue, and that > it's not correct to infer that they all exist for reasons of poor > hygiene. For the record: I certainly (and I doubt Paul) envisioned

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-05-01 Thread John R Levine
In a sense, a glue record with the same owner name as a zone cut could be equivalent to a glue record with an owner name that is subordinate to a zone cut. I don't have enough of the spec in my head to know why they would definitively be different from the protocol perspective. I realise it's n

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-05-01 Thread Joe Abley
Hi John, On 1 May 2020, at 14:23, John R Levine wrote: >> On Thu, Apr 30, 2020 at 9:44 PM John Levine wrote: >>> I think it's benign to allow any sort of record as an immediate child >>> of the domain, since you need to go two levels down for split zones. >>> That handles the nominet and zz--zz

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-05-01 Thread John R Levine
On Thu, Apr 30, 2020 at 9:44 PM John Levine wrote: I think it's benign to allow any sort of record as an immediate child of the domain, since you need to go two levels down for split zones. That handles the nominet and zz--zz cases. Is there any chance that a user trying to reach https://examp

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-05-01 Thread Joe Abley
Hi Bob, On 1 May 2020, at 14:02, Bob Harold wrote: > Is there any chance that a user trying to reach https://example.com could get > the orphan glue A record for example.com instead of the A record in the real > zone? If the A record is orphan glue, there is no real zone (by being orphaned, i

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-05-01 Thread Bob Harold
On Thu, Apr 30, 2020 at 9:44 PM John Levine wrote: > In article you write: > >Yep, I suspect some of the bigger TLDs probably couldn't opt in to this > >draft simply because they're full of, um, "history". Until that history > >is cleaned, they probably couldn't deploy it. > > It's not just his

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-30 Thread John Levine
In article you write: >Yep, I suspect some of the bigger TLDs probably couldn't opt in to this >draft simply because they're full of, um, "history". Until that history >is cleaned, they probably couldn't deploy it. It's not just history. All of the nominet TLDs and many Verisign TLDs have signe

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-30 Thread Joe Abley
Hi Mark, On 30 Apr 2020, at 19:52, Mark Andrews wrote: > On 1 May 2020, at 08:39, Wes Hardaker wrote: > >> Yep, I suspect some of the bigger TLDs probably couldn't opt in to this >> draft simply because they're full of, um, "history". Until that history >> is cleaned, they probably couldn't

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-30 Thread Mark Andrews
> On 1 May 2020, at 08:39, Wes Hardaker wrote: > > Joe Abley writes: > >> Well, for example there are some 28,000 examples of orphan glue in the >> ORG zone. > > Yep, I suspect some of the bigger TLDs probably couldn't opt in to this > draft simply because they're full of, um, "history". Un

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-30 Thread Wes Hardaker
Joe Abley writes: > Well, for example there are some 28,000 examples of orphan glue in the > ORG zone. Yep, I suspect some of the bigger TLDs probably couldn't opt in to this draft simply because they're full of, um, "history". Until that history is cleaned, they probably couldn't deploy it. >

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-30 Thread Joe Abley
Hi Wes. On 30 Apr 2020, at 17:41, Wes Hardaker wrote: > I've just pushed the -04 version of the draft that has a fairly major > overhaul of the problem statement. I'd appreciate if it helps clarify > the technical reasons why deployment of the bit would be beneficial in > ways that are unrelate

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-30 Thread Wes Hardaker
Tim Wicinski writes: > Following up on Petr's suggestion that the "DNSSEC Transparency" mechanism is > documented > and somewhat tested. FYI, the new version (-04) that I just published hopefully clarifies better why this draft is useful with or without DNSSEC Transparency. DNSSEC Transparency w

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-30 Thread Wes Hardaker
Hi Joe, Sorry for the delay (Paul and I did a bit of back and forth with text changes that took a bit longer, but made it better!) > This draft needs a more compelling problem statement, and a clear description > of why other controls > (e.g. reputational, contractual) are insufficient. [It's

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-29 Thread John Levine
In article you write: > >My understanding of the draft is that it attempts to prevent a key from signing >an RRset it is not necessarily authoritative for. If that's what it means, that's what it should say. As I read it, the flag it defines says that the zone will only sign NS and DS and perhaps th

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-29 Thread Linus Nordberg
Tim Wicinski wrote Mon, 20 Apr 2020 14:03:03 -0400: > This starts a Call for Adoption for draft-pwouters-powerbind I am interested in the idea of a DNSSEC transparency system, i.e. externally verifiable append-only logs of observed DNSSEC data, and do support adoption of draft-pwouters-powerbind

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-29 Thread Tim Wicinski
Following up on Petr's suggestion that the "DNSSEC Transparency" mechanism is documented and somewhat tested. I totally agree on this idea and can assure the WG that if this draft is adopted, this will be one of the conditions on progressing forward. tim On Thu, Apr 23, 2020 at 1:46 AM Petr Špač

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-29 Thread Daniel Migault
My understanding of the draft is that it attempts to prevent a key from signing an RRset it is not necessarily authoritative for. I think the WG should work on this, and support adoption of the draft. I am happy to review further versions of the draft. Yours, Daniel On Tue, Apr 28, 2020 at 4:27 PM Wes Ha

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-28 Thread Wes Hardaker
Joe Abley writes: > On Apr 27, 2020, at 18:28, Wes Hardaker wrote: > > > Thanks for the comments. I'm working on a more clear rewrite of the > > introduction. I'd love your feedback on it once I get it wrapped up. > > Yes, for sure! Happy to do that. Half done. Either tonight or tomorrow.

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-27 Thread John Levine
In article , Brian Dickson wrote: >The two example zones I would reference would be ".uk", and ".jp", where >there are SLDs immediately below the TLD, and additional SLD-like >delegations or non-delegations further down in the zones. I think you will find ENTs in more TLDs than not. They certai

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-27 Thread Paul Wouters
On Mon, 27 Apr 2020, Brian Dickson wrote: The other would be the kind that are multiple-depth delegation zones, where the Public Suffix List is already kind of necessary. What I think is needed is a way to explicitly declare the places where the depth is > 1 (if a normal flat delegation-only

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-27 Thread Brian Dickson
On Mon, Apr 27, 2020 at 3:28 PM Wes Hardaker wrote: > Joe Abley writes: > > > This draft needs a more compelling problem statement, and a clear > > description of why other controls (e.g. reputational, contractual) are > > insufficient. [It's also possible that the draft just needs a clearer > >

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-27 Thread Joe Abley
On Apr 27, 2020, at 18:28, Wes Hardaker wrote: > Thanks for the comments. I'm working on a more clear rewrite of the > introduction. I'd love your feedback on it once I get it wrapped up. Yes, for sure! Happy to do that. Joe ___ DNSOP mailing list

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-27 Thread Wes Hardaker
Joe Abley writes: > This draft needs a more compelling problem statement, and a clear > description of why other controls (e.g. reputational, contractual) are > insufficient. [It's also possible that the draft just needs a clearer > problem statement, rather than a more compelling one.] Hi Joe,

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-27 Thread Wes Hardaker
Petr Špaček writes: > I support adoption under condition that the envisioned "DNSSEC > Transparency" mechanism is documented and somewhat tested before > "powerbind" draft progresses into the form of an RFC. So that statement makes the point that there is no point in the document except for DNSSEC Tran

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-23 Thread Joe Abley
On 20 Apr 2020, at 14:03, Tim Wicinski wrote: > This starts a Call for Adoption for draft-pwouters-powerbind > > The draft is available here: > https://datatracker.ietf.org/doc/draft-pwouters-powerbind/ > > > Please review this draf

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-22 Thread Petr Špaček
Hi dnsop, I support adoption under condition that the envisioned "DNSSEC Transparency" mechanism is documented and somewhat tested before "powerbind" draft progresses into the form of an RFC. At the moment there are insufficient details published for the dnsop WG to judge whether powerbind+transparen

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-20 Thread Paul Wouters
On Apr 20, 2020, at 14:35, Dave Lawrence wrote: > > I support adoption, with the caveat that either the draft name should > be updated with something like s/powerbind/delegation-only-dnssec/, or > the draft should describe why it is being called "powerbind". The name was a joke. It is not used

Re: [DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-20 Thread Dave Lawrence
I support adoption, with the caveat that either the draft name should be updated with something like s/powerbind/delegation-only-dnssec/, or the draft should describe why it is being called "powerbind".

[DNSOP] Call for Adoption: draft-pwouters-powerbind

2020-04-20 Thread Tim Wicinski
All, As we stated in the meeting and in our chairs actions, we're going to run regular call for adoptions over the next few months. From the presentation during the last meeting, there was interest in adopting this document around the idea of DNSSEC transparency. This interest comes the privacy sid