[DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-12.txt

2018-03-23 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title: Security Considerations for RFC5011 Publishers Authors: Wes Hardaker

[DNSOP] Responding to Viktor's comments on RFC5011-security-considerations

2018-03-23 Thread Wes Hardaker
TL;DR: I've pushed a new (final before IETF LC?) copy of the document. Viktor, Thanks for the excellent and thorough review. I'm very glad you were willing to take a look at it, since it's a better document because of it. I failed to add you to the acknowledgment list for -12, but the change

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Geoff Huston
> On 23 Mar 2018, at 12:55 am, Mark Andrews wrote: > > The title of this document DOES NOT match reality. > > "A Sentinel for Detecting Trusted Keys in DNSSEC” should be > replaced by “A Root Key Trust Anchor Sentinel for DNSSEC”. > > kskroll-sentinel-- really needs something other > than “k

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Joao Damas
Mark, > On 23 Mar 2018, at 00:55, Mark Andrews wrote: > > The title of this document DOES NOT match reality. > > "A Sentinel for Detecting Trusted Keys in DNSSEC” should be > replaced by “A Root Key Trust Anchor Sentinel for DNSSEC”. Sigh, really? > > kskroll-sentinel-- really needs so

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Ondřej Surý
Hi Joao, I think Mark has a legitimate question. Once we settle on one specific label, it will get stapled all over - not only the label in the domain name, but also configuration options, etc… etc… I proposed rzksk-sentinel for our configuration to enable/disable it, but Mark is quite right t

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Ondřej Surý
Please, just ignore me. It’s too early in the morning. The label is of course is-ta. and not-ta. Ondrej -- Ondřej Surý ond...@isc.org > On 23 Mar 2018, at 09:38, Ondřej Surý wrote: > > Hi Joao, > > I think Mark has a legitimate question. Once we settle on one specific label, > it will get sta

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Mark Andrews
Geoff you are wrong. Titles should tell you what you are about to read especially technical documents. There are WAY TOO MANY RFCs TO READ EVERY ONE OF THEM. If I had a TA for andrews.wattle.id.au the current title would indicate that I could test resolvers to see if there is a TA installed for it.

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Ondřej Surý
Again, blame the morning and the Google that led me to old version of the draft, in fact the current draft says: [ NOTE: This version uses the labels "kskroll-sentinel-is-ta-", "kskroll-sentinel-not-ta-"; older versions of this document used "_is-ta-", "_not-ta-". Also note that the for

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Mark Andrews
Also Section 3.1 is not specific enough to implement. QNAME needs a qualifier (current or original). The leftmost label of the QNAME is either "kskroll-sentinel-is-ta- " or "kskroll-sentinel-not-ta-" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Warren Kumari
On Fri, Mar 23, 2018 at 10:07 AM, Mark Andrews wrote: > Geoff you are wrong. Titles should tell you what you are about > to read especially technical documents. There are WAY TOO MANY > RFCs TO READ EVERY ONE OF THEM. ... you lack ambition :-P > > If I had a TA for andrews.wattle.id.au the current

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Mark Andrews
> On 23 Mar 2018, at 10:08 pm, Warren Kumari wrote: > > On Fri, Mar 23, 2018 at 10:07 AM, Mark Andrews wrote: >> Geoff you are wrong. Titles should tell you what you are about >> to read especially technical documents. There are WAY TOO MANY >> RFCs TO READ EVERY ONE OF THEM. > > ... you lack am

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Ondřej Surý
Warren, > however, we have > already changed the name multiple times and implementers are > (understandably) becoming annoyed, and supporting N different labels > for the tester is also annoying [0]. Who exactly are these people? We are aware only of Knot Resolver implementation so far. And I gu

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread George Michaelson
isn't it a #define string? or passed in via environment from configure? -G On Fri, Mar 23, 2018 at 11:47 AM, Mark Andrews wrote: > >> On 23 Mar 2018, at 10:08 pm, Warren Kumari wrote: >> >> On Fri, Mar 23, 2018 at 10:07 AM, Mark Andrews wrote: >>> Geoff you are wrong. Titles should tell you wh

[DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Ondřej Surý
Heya, this is a first attempt to start reducing the load on DNS Implementors and actually remove the stuff from DNS that’s not used and not needed anymore. There’s a github for the draft: https://github.com/oerdnj/draft-sury-dnsop-deprecate-obsolete-resource-records

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Warren Kumari
On Fri, Mar 23, 2018 at 11:47 AM, Mark Andrews wrote: > >> On 23 Mar 2018, at 10:08 pm, Warren Kumari wrote: >> >> On Fri, Mar 23, 2018 at 10:07 AM, Mark Andrews wrote: >>> Geoff you are wrong. Titles should tell you what you are about >>> to read especially technical documents. There are WAY TO

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Ondřej Surý
It’s not only that - however unbelievable it might seem, but we also have tests (and variable names) and I do believe the things should be consistent for future generations. Ondrej -- Ondřej Surý ond...@isc.org > On 23 Mar 2018, at 12:08, George Michaelson wrote: > > isn't it a #define strin

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Warren Kumari
On Fri, Mar 23, 2018 at 10:28 AM, Mark Andrews wrote: > Also Section 3.1 is not specific enough to implement. QNAME needs a > qualifier (current or original). > > The leftmost label of the QNAME is either "kskroll-sentinel-is-ta- > " or "kskroll-sentinel-not-ta-" This was too terse for me

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Mark Andrews
What is the expected behaviour given example.net CNAME kskroll-sentinel-is-ta-.example.com when you query for example.net when the key-tag does not match a root TA? etc. > On 23 Mar 2018, at 11:22 pm, Warren Kumari wrote: > > On Fri, Mar 23, 2018 at 10:28 AM, Mark Andrews wrote: >> Also Secti
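Worked example added here (not code from the draft, nor from Knot Resolver, BIND or any other implementation named in the thread) of the resolver-side rule the messages above are arguing about: the leftmost label of the QNAME is checked for the "kskroll-sentinel-is-ta-" / "kskroll-sentinel-not-ta-" prefix, the key tag that follows it is compared with the resolver's root trust anchors, and the query is either answered normally or answered SERVFAIL. It also carries the RFC 4034 Appendix B key-tag calculation, since that is where the digits in the label come from. Assumptions of mine rather than the draft's: the key tag is plain decimal digits with no fixed width, the match is case-insensitive, the rule is only consulted once the resolver has a validated answer it could return, and the caller passes whichever QNAME (original or post-CNAME) it decides the rule applies to, because that is exactly Mark's open question and this code does not settle it. The DNSKEY used to derive a tag is a constructed dummy; 20326 and 19036 appear only as sample numbers.

```python
"""Added example, not code from the draft or any implementation in the thread.

Sentinel decision for draft-ietf-dnsop-kskroll-sentinel-07 style labels plus
the RFC 4034 Appendix B key tag.  Assumptions (mine): decimal key tag digits,
case-insensitive label match, and the caller chooses which QNAME (original or
post-CNAME) the rule is applied to."""
import struct
from typing import Optional, Set, Tuple

IS_TA_PREFIX = "kskroll-sentinel-is-ta-"
NOT_TA_PREFIX = "kskroll-sentinel-not-ta-"


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit key tag over the DNSKEY RDATA
    (general algorithm; the RSA/MD5 special case is not handled)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8   # odd octets low, even octets high
    acc += (acc >> 16) & 0xFFFF                 # fold the carry back in
    return acc & 0xFFFF


def parse_sentinel_label(qname: str) -> Optional[Tuple[str, int]]:
    """Return ("is-ta" | "not-ta", key_tag) when the leftmost label is a
    sentinel label followed by decimal digits, otherwise None."""
    leftmost = qname.rstrip(".").split(".")[0].lower()
    for prefix, kind in ((IS_TA_PREFIX, "is-ta"), (NOT_TA_PREFIX, "not-ta")):
        if leftmost.startswith(prefix):
            digits = leftmost[len(prefix):]
            return (kind, int(digits)) if digits.isdigit() else None
    return None


def sentinel_decision(qname: str, root_ta_key_tags: Set[int]) -> str:
    """"answer"   -> hand back the normal validated A/AAAA answer
    "servfail" -> withhold it because the sentinel condition is false
    "normal"   -> not a sentinel name, no special handling at all"""
    parsed = parse_sentinel_label(qname)
    if parsed is None:
        return "normal"
    kind, tag = parsed
    trusted = tag in root_ta_key_tags
    if kind == "is-ta":
        return "answer" if trusted else "servfail"
    return "servfail" if trusted else "answer"


def demo() -> dict:
    """Constructed DNSKEY (flags 257 = KSK/SEP, protocol 3, algorithm 8) with a
    dummy 4-byte public key; real keys are far longer, the arithmetic is the same."""
    tag = key_tag(257, 3, 8, b"\x01\x02\x03\x04")   # 2063 for this constructed key
    tas = {tag}                                     # the resolver's root TA key tags
    return {
        "tag": tag,
        "is_ta_match": sentinel_decision(f"kskroll-sentinel-is-ta-{tag}.example.com.", tas),
        "is_ta_miss": sentinel_decision("kskroll-sentinel-is-ta-20326.example.com.", tas),
        "not_ta_match": sentinel_decision(f"kskroll-sentinel-not-ta-{tag}.example.com.", tas),
        "not_ta_miss": sentinel_decision("kskroll-sentinel-not-ta-20326.example.com.", tas),
        "plain": sentinel_decision("www.example.com.", tas),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Note that a name whose leftmost label has the prefix but no digits after it (or non-digit text) falls through as "normal", which is one of the details Section 3.1 would have to pin down for implementers.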

Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Martin Hoffmann
Ondřej Surý wrote: > > this is a first attempt to start reducing the load on DNS > Implementors and actually remove the stuff from DNS that’s > not used and not needed anymore. You might want to consider also updating RFC 3597, either to specifically remove those record types from being “well-kno

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Matthijs Mekking
Other candidates: MD, NXT, MAILA - They are obsolete too according to the IANA DNS parameters. Also, if you want to deprecate MB, MG, you might want to consider deprecating MAILB too. - Matthijs On 23-03-18 13:11, Ondřej Surý wrote: Heya, this is a first attempt to start reducing the load

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Mukund Sivaraman
On Fri, Mar 23, 2018 at 01:48:03PM +0100, Matthijs Mekking wrote: > Other candidates: MD, NXT, MAILA - They are obsolete too according to the > IANA DNS parameters. > > Also, if you want to deprecate MB, MG, you might want to consider > deprecating MAILB too. There are a few more that are/were in

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Bob Harold
On Fri, Mar 23, 2018 at 8:11 AM, Ondřej Surý wrote: > Heya, > > this is a first attempt to start reducing the load on DNS Implementors and > actually remove the stuff from DNS that’s not used and not needed anymore. > > There’s a github for the draft: https://github.com/oerdnj/draft-sury-dnsop- > d

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Ralph Dolmans
On 23-03-18 13:13, Warren Kumari wrote: > Dear DNSOP, > > Please clearly express a preference for: > 1: Keeping the current label -- kskroll-sentinel-is-ta-20326.example.com > 2: Changing it to the new label -- root-key-sentinal-is-ta-20326.example.com I prefer the second option (with sentinel in

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Wessels, Duane
I agree with Mark, especially about the title. For the magic string, I'd like to see it closer to Mark's proposal, but it's not a deal breaker. DW > On Mar 22, 2018, at 5:55 PM, Mark Andrews wrote: > > The title of this document DOES NOT match reality. > > "A Sentinel for Detecting Truste

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Wessels, Duane
> On Mar 23, 2018, at 5:13 AM, Warren Kumari wrote: > > Dear DNSOP, > > Please clearly express a preference for: > 1: Keeping the current label -- kskroll-sentinel-is-ta-20326.example.com > 2: Changing it to the new label -- root-key-sentinal-is-ta-20326.example.com > I prefer #2. DW __

Re: [DNSOP] New Version of draft-ietf-dnsop-algorithm-update-00: Algorithm Implementation Requirements and Usage Guidance for DNSSEC

2018-03-23 Thread Viktor Dukhovni
On Thu, Mar 22, 2018 at 01:27:38PM -0400, Paul Wouters wrote: > I think this text also needs an update: > > RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although zones > deploying it are recommended to switch to ECDSAP256SHA256 as there is > an industry-wide trend to move

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Ondřej Surý
No, I don’t mean that. While in theory you can call an aquarium with dead fish and algae “in use” and tell your neighbors that you have fish and have a green thumb, it wouldn’t necessarily be an accurate assessment of the situation. Similarly, an occasional user that tries things doesn’t make th

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Ondřej Surý
I also prefer #2 Personally, I would go with rzksk-sentinel because it’s shorter and more accurate, but #2 will make me happy. Ondrej -- Ondřej Surý — ISC > On 23 Mar 2018, at 15:20, Wessels, Duane wrote: > > >> On Mar 23, 2018, at 5:13 AM, Warren Kumari wrote: >> >> Dear DNSOP, >> >> Ple

Re: [DNSOP] New Version of draft-ietf-dnsop-algorithm-update-00: Algorithm Implementation Requirements and Usage Guidance for DNSSEC

2018-03-23 Thread Ondřej Surý
I agree with Viktor and I believe this is what the draft currently says and recommends. Ondřej -- Ondřej Surý — ISC > On 23 Mar 2018, at 15:58, Viktor Dukhovni wrote: > >> On Thu, Mar 22, 2018 at 01:27:38PM -0400, Paul Wouters wrote: >> >> I think this text also needs an update: >> >>RS

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Bob Harold
On Fri, Mar 23, 2018 at 12:05 PM, Ondřej Surý wrote: > No, I don’t mean that. While in theory you can call an aquarium with dead > fish and algae “in use” and tell your neighbors that you have fish and have > a green thumb, it wouldn’t necessarily be an accurate assessment of the > situation. Sim

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Ondřej Surý
Thanks, now I understand what you are asking for ;), so what about: “No existing Internet Standard uses these Resource Records and there is no known practical usage in the public Internet.” Ondřej -- Ondřej Surý — ISC > On 23 Mar 2018, at 16:51, Bob Harold wrote: > > >> On Fri, Mar 23, 2018 at 12

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Joao Damas
I am happy with whatever the wg agrees but let’s agree, otherwise time keeps sliding and the only label that is going to be accurate for the next generations will be “ksk-roll-that-never-was” ;) Joao > On 23 Mar 2018, at 16:13, Ondřej Surý wrote: > > I also prefer #2 > > Personally, I would

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Paul Hoffman
+1 to the title “A Root Key Trust Anchor Sentinel for DNSSEC”. +1 to option #2 with the spelling correction. --Paul Hoffman ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Bob Harold
On Fri, Mar 23, 2018 at 1:19 PM, Paul Hoffman wrote: > +1 to the title “A Root Key Trust Anchor Sentinel for DNSSEC”. > > +1 to option #2 with the spelling correction. > > --Paul Hoffman > > +1 -- Bob Harold

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Bob Harold
On Fri, Mar 23, 2018 at 1:03 PM, Ondřej Surý wrote: > Thanks, now I understand what you are asking for ;), so what about: > > “No existing Internet Standard uses these Resource Records and there is no > known practical usage in the public Internet.” > > Ondřej > -- > Ondřej Surý — ISC > > Works for me

Re: [DNSOP] New Version of draft-ietf-dnsop-algorithm-update-00: Algorithm Implementation Requirements and Usage Guidance for DNSSEC

2018-03-23 Thread Frederico A C Neves
On Fri, Mar 23, 2018 at 03:58:02PM +, Viktor Dukhovni wrote: > On Thu, Mar 22, 2018 at 01:27:38PM -0400, Paul Wouters wrote: > > > I think this text also needs an update: > > > > RSASHA1 and RSASHA1-NSEC3-SHA1 are widely deployed, although zones > > deploying it are recommended to swi

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Frederico A C Neves
On Fri, Mar 23, 2018 at 01:22:42PM -0400, Bob Harold wrote: > On Fri, Mar 23, 2018 at 1:19 PM, Paul Hoffman wrote: > > > +1 to the title “A Root Key Trust Anchor Sentinel for DNSSEC”. > > > > +1 to option #2 with the spelling correction. > > > > --Paul Hoffman > > > > > +1 Agree with both. But

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Paul Vixie
Ondřej Surý wrote: Thanks, now I understand what you are asking for ;), so what about: “No existing Internet Standard uses these Resource Records and there is no known practical usage in the public Internet.” i think this is overbroad. if we aren't also sure that it's not being used in some priv

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Paul Vixie
i'm concerned about the age-old human protocol being employed here. first one guy shouts bikeshed! (usually somebody who's been bikeshedding.) nextly, some folks say "the details don't matter, only uniqueness." then there's a bunch of back and forth about whether and which details matter. th

Re: [DNSOP] [art] New Version Notification for draft-ietf-dnsop-attrleaf-03.txt

2018-03-23 Thread John Levine
In article <6d3c77a3-2326-a4b4-1e99-50fe4647d...@dcrocker.net> you write: >It occurs to me that some folk might not have a perfect memory of a >dnsop working group agreement from Aug, 2017. So here's a tag into it: > >https://www.ietf.org/mail-archive/web/dnsop/current/msg20708.html I see a

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Ondřej Surý
I strongly disagree. The DNS protocol deserves cleanup. Deprecating RRTYPEs doesn’t mean they will stop working on the day the RFC is published, neither are people going to backport the removal of RRTYPEs to existing DNS software releases. It just means - whatever ancient stuff you are using - yo

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread Frederico A C Neves
Paul, On Fri, Mar 23, 2018 at 11:00:03AM -0700, Paul Vixie wrote: > i'm concerned about the age-old human protocol being employed here. > > first one guy shouts bikeshed! (usually somebody who's been bikeshedding.) > > nextly, some folks say "the details don't matter, only uniqueness." > > then

Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

2018-03-23 Thread João Damas
A design team to pick a label? Wow, just wow! João > On 23 Mar 2018, at 18:00, Paul Vixie wrote: > > i'm concerned about the age-old human protocol being employed here. > > first one guy shouts bikeshed! (usually somebody who's been bikeshedding.) > > nextly, some folks say "the details don't

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Paul Vixie
Ondřej Surý wrote: I strongly disagree. The DNS protocol deserves cleanup. Deprecating RRTYPEs doesn’t mean they will stop working on the day the RFC is published, neither are people going to backport the removal of RRTYPEs to existing DNS software releases. It just means - whatever ancient stuf

Re: [DNSOP] [art] New Version Notification for draft-ietf-dnsop-attrleaf-03.txt

2018-03-23 Thread Andrew Sullivan
On Fri, Mar 23, 2018 at 06:02:47PM +, John Levine wrote: > > I see a message on dnsop from you proposing a bunch of things > including "rationalizing" names, and comments from Andrew and Peter > saying they like that approach. I think, to be clear, what I was saying I liked was the document s

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Ondřej Surý
What’s so wrong with using TYPExxx for these if you absolutely need them to run the ancient technology while at the same time running the latest version of BIND (or your favorite DNS server)? Your argument feels like a strawman to me. And I am not the one sitting on a pile of passive DNS data, so I
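Added example (not code from the draft, from BIND or from any other server) of what "use TYPExxx" means in practice: an MB record (type 7, RFC 1035 section 3.3.3, whose RDATA is a single domain name) written in the RFC 3597 generic form TYPE7 \# <length> <hex>, so that software with no MB mnemonic can still load and serve it, and parsed back again with the declared length checked against the hex actually present. The names used are constructed samples.

```python
"""Added example, not from the draft or any DNS implementation: RFC 3597
generic (TYPEnn \\# len hex) encoding of an MB record and its inverse.
Sample names are constructed."""
from typing import Tuple


def name_to_wire(name: str) -> bytes:
    """Uncompressed RFC 1035 section 3.1 wire form of an absolute name.
    The generic form carries raw RDATA, so no name compression is used."""
    out = bytearray()
    stripped = name.rstrip(".")
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)            # the root label terminates the name
    return bytes(out)


def wire_to_name(wire: bytes) -> str:
    """Inverse of name_to_wire; rejects compression pointers (top two bits set)."""
    labels, pos = [], 0
    while True:
        length = wire[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in generic RDATA")
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + "."


def to_generic(rrtype: int, rdata: bytes) -> str:
    """RFC 3597 section 5 presentation form: TYPEnn \\# <len> <hex>."""
    return f"TYPE{rrtype} \\# {len(rdata)} {rdata.hex()}"


def from_generic(text: str) -> Tuple[int, bytes]:
    """Parse the generic form; the hex may be split into several words.
    The declared length must match the octets actually given."""
    words = text.split()
    if len(words) < 3 or not words[0].upper().startswith("TYPE") or words[1] != "\\#":
        raise ValueError("not RFC 3597 generic syntax")
    rrtype = int(words[0][4:])
    declared = int(words[2])
    rdata = bytes.fromhex("".join(words[3:]))
    if len(rdata) != declared:
        raise ValueError(f"RDATA length {len(rdata)} != declared {declared}")
    return rrtype, rdata


def mb_record_generic(mailbox_host: str) -> str:
    """Presentation-format RDATA for an MB record carried as TYPE7."""
    return to_generic(7, name_to_wire(mailbox_host))


if __name__ == "__main__":
    generic = mb_record_generic("mail.example.com.")   # constructed sample host
    print(generic)
    rrtype, rdata = from_generic(generic)
    print(rrtype, wire_to_name(rdata))
```

A zone file line would then read something like "example.com. IN TYPE7 \# 13 076578616d706c6503636f6d00" for an MB pointing at example.com.; whether that counts as "still working" for the operators Paul has in mind is the point being argued above.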

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Paul Vixie
Ondřej Surý wrote: What’s so wrong with using TYPExxx for these if you absolutely need them to run the ancient technology while at the same time running the latest version of BIND (or your favorite DNS server)? because i am loath to break existing working configurations. when isc changed the

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Ondřej Surý
The configurations change all the time, I am sorry, but your argument doesn’t have technical merit. We really do need to start removing obsolete stuff from DNS, and I believe this is a good start. Ondřej -- Ondřej Surý — ISC > On 23 Mar 2018, at 18:39, Paul Vixie wrote: > > > > Ondřej S

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread P Vix
Did you hear the part about doing it the way we did when deprecating iquery? There's a discovery and decision process that involves the broader community. Technical merit was provided. Sad that I can't think of a way to do it more clearly. On March 23, 2018 7:18:25 PM UTC, "Ondřej Surý" wrote:

Re: [DNSOP] New Version of draft-ietf-dnsop-algorithm-update-00: Algorithm Implementation Requirements and Usage Guidance for DNSSEC

2018-03-23 Thread Paul Wouters
> On Mar 23, 2018, at 15:58, Viktor Dukhovni wrote: > > > I think it is, unfortunately, much too early for such a move. For > example, on Unix systems the requisite OpenSSL 1.1.x libraries that > provide the Edwards EC algorithms, are not yet out of beta! It > will be some years before Ed255

Re: [DNSOP] [art] New Version Notification for draft-ietf-dnsop-attrleaf-03.txt

2018-03-23 Thread Dave Crocker
On 3/23/2018 11:02 AM, John Levine wrote: I see a message on dnsop from you proposing a bunch of things including "rationalizing" names, and comments from Andrew and Peter saying they like that approach. I am not finding any message from me with that word in it, so I've no idea what you are r

Re: [DNSOP] Fwd: New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

2018-03-23 Thread Dick Franks
On 23 March 2018 at 12:11, Ondřej Surý wrote: > > this is a first attempt to start reducing the load on DNS Implementors and > actually remove the stuff from DNS that’s not used and not needed anymore. > I have no quarrel with the overall effect of this proposal, but the justifications are nece

Re: [DNSOP] Clarifying referrals (#35)

2018-03-23 Thread Johannes Naab
On Mon, Jan 15, 2018 at 04:39:20PM -0500, Andrew Sullivan wrote: > A response that has only a referral contains an empty answer > section. It contains the NS RRset for the referred-to zone in the > authority section. It may contain RRs that provide addresses in > the addit