To:
        Peter Koch,
        Matt Larson,
        Joe Abley,
        Roy Arends,

CC:     ietf dnsop mailing list

Dear four gentlemen:
According to the DNSOP Prague meeting minutes, you are the co-editors of the revision -01 for the document draft-koch-dnsop-resolver-priming-00. I also looked at the slides presented by Peter at the Prague meeting (now at http://www3.ietf.org/proceedings/07mar/slides/dnsop-4.pdf).

I appreciate this work, and I believe that I made a related contribution in Appendix A of the draft draft-moreau-srvloc-dnssec-priming-00, in which I omitted to refer to Peter's draft as I should have; my apologies for this omission.

The present message is to assist you in your editing work, as this subject matter would be best covered by reference to your work in my draft. I.e. I would like to drop Appendix A in my draft, whose main part is concerned with something different, i.e. using SLP for DNSSEC priming assistance, given that "DNSSEC priming" is specified somewhere. (Maybe you don't need to care for what I intend to do, it's FYI.)

Let's go back to your priming draft.

First, referring to the last question in Peter's presentation Question page: "Root server address validation needed?" I answer YES. If you find a consensus on a NO answer, you don't need to consider my second point.

My second point is about the first issue in Peter's presentation page 6:
"Issues with DNSSEC validation
  o      NET-related information not (readily) available to root servers
          -     Rename root servers (only zones root servers are authoritative for)
          -     Use a second trust anchor"

An idea (borrowed from a DNSSEC opt-in scheme which by itself IS NOT BROUGHT as an ietf contribution) is to add a third alternative above:

- Use RRSIGs for A and AAAA RRsets using a signature key "shared" with the root

You may be able to get the idea from my draft appendix A. So my second point is that you may consider integrating this idea into the contents of the draft. If you need clarifications, let me know.

Now, let me make a few observations about the IPR status of the above idea. Generally, these observations apply irrespective of whether the idea remains in my draft or is integrated in yours, since either way it's part of an ietf contribution.

DNSSEC priming specifications are only facilitating deployment at the root, which is by itself challenging in many different aspects. The theoretical benefits of using the above idea are 1) a quicker resolution of an important issue in your draft, 2) an opportunity for a software development shortcut when implementing priming on the resolver side, and 3) less need to move the root servers from ROOT-SERVERS.NET. These benefits are very hypothetical since DNSSEC deployment at the root is delayed by so many things.

In this context, I intend to file an IPR disclosure statement offering a free, universal, non-exclusive, time-unlimited license to use the above idea (that is conveniently defined by reference to the claims as they stand) for DNS root zone file publishing by any DNS root zone operator, conditional on the approval of your draft with the above idea included. (If you don't find the idea useful to the point of including it in your draft, you don't need and/or deserve any information about what I might do.) This message is not a formal legal commitment, only an indication of the most likely course of events. This indication should be sufficient for revision -01 draft preparation purposes.

Anyway, I'll have to wait a few weeks for the patent application to be published by the patent office (early publication has been requested) before filing an IPR disclosure.

In summary, I suggest you adopt the idea of having the authoritative *.ROOT-SERVERS.NET A or AAAA RRsets signed with a public signature key value present in the DNSKEY RRsets present at both ROOT-SERVERS.NET and the root, provided that the DNSKEY RRset present at ROOT-SERVERS.NET is not self-signed by this common signature key value.

Thanks for this work, and best regards,

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
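As an added illustration of the rule summarised in the message above (not the author's code, and not from either draft): a toy resolver-side check in Python. It assumes textbook RSA over constructed small primes in place of a real DNSSEC algorithm, identifies the signer by its public value rather than a key tag, uses a constructed test address, and in the accepted case assumes the ROOT-SERVERS.NET DNSKEY RRset is signed by that zone's own key.

```python
import hashlib
from typing import NamedTuple

class DNSKEY(NamedTuple):    # toy textbook-RSA public key; n is nowhere near a real key size
    owner: str
    n: int
    e: int
class RRSIG(NamedTuple):     # covered RRset's owner/type, signer public value (n, e), signature
    owner: str
    rtype: str
    key: tuple
    sig: int

def toy_keypair(owner, p, q):   # (DNSKEY, private exponent) from constructed small primes
    return DNSKEY(owner, p * q, 65537), pow(65537, -1, (p - 1) * (q - 1))

def _digest(owner, rtype, rdata, n):   # canonical RRset form, hashed and reduced mod n
    canon = "|".join([owner.lower(), rtype, *sorted(rdata)]).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n

def sign(pub, priv, owner, rtype, rdata):
    return RRSIG(owner, rtype, (pub.n, pub.e), pow(_digest(owner, rtype, rdata, pub.n), priv, pub.n))
def verify(rrsig, key, rdata):
    return pow(rrsig.sig, key.e, key.n) == _digest(rrsig.owner, rrsig.rtype, rdata, key.n)

def dnskey_rdata(keys):      # DNSKEY RRset as rdata strings; the owner name is not part of rdata
    return [f"{k.e}:{k.n}" for k in keys]

def priming_rrset_trusted(root_keys, rsn_keys, rsn_key_sigs, rrsig, rdata):
    """Proposed rule: the A/AAAA signer must be in BOTH DNSKEY RRsets and must not sign the ROOT-SERVERS.NET one."""
    shared = [k for k in root_keys if (k.n, k.e) == rrsig.key
              and any((r.n, r.e) == rrsig.key for r in rsn_keys)]
    if not shared:
        return False, "signer key is not published at both the root and ROOT-SERVERS.NET"
    if not verify(rrsig, shared[0], rdata):
        return False, "RRSIG over the A/AAAA RRset does not verify"
    if any(verify(s, shared[0], dnskey_rdata(rsn_keys)) for s in rsn_key_sigs):
        return False, "ROOT-SERVERS.NET DNSKEY RRset is self-signed by the shared key"
    return True, "ok"

def demo():   # constructed scenario: one configuration that follows the rule, one that breaks it
    root_ksk, _ = toy_keypair(".", 104729, 1299709)                 # root's own key
    shared, shared_priv = toy_keypair(".", 999983, 1000003)         # key published at both zones
    rsn_ksk, rsn_priv = toy_keypair("root-servers.net", 7919, 15485863)
    root_keys, rsn_keys = [root_ksk, shared], [rsn_ksk, shared._replace(owner="root-servers.net")]
    a_rdata = ["192.0.2.1"]                                         # constructed sample address
    a_sig = sign(shared, shared_priv, "a.root-servers.net", "A", a_rdata)
    ok_sigs = [sign(rsn_ksk, rsn_priv, "root-servers.net", "DNSKEY", dnskey_rdata(rsn_keys))]
    bad_sigs = ok_sigs + [sign(shared, shared_priv, "root-servers.net", "DNSKEY", dnskey_rdata(rsn_keys))]
    return (priming_rrset_trusted(root_keys, rsn_keys, ok_sigs, a_sig, a_rdata),
            priming_rrset_trusted(root_keys, rsn_keys, bad_sigs, a_sig, a_rdata))
```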



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop