Re: [DNSOP] [Ext] Call for Adoption: DNSSEC as BCP: draft-hoffman-dnssec

2022-03-25 Thread Paul Hoffman
On Mar 25, 2022, at 5:59 PM, Joey Deng wrote:
> A possible format issue:

Thanks! That will be fixed in the next version.

> Since the description above mainly focuses on the new cryptography adopted by 
> DNSSEC, I think it would make more sense to use a title like:
> 
> Additional Cryptographic Algorithms in DNSSEC

Yes, great.

> During my reading of DNS and DNSSEC, I found another RFC (RFC 7129) very 
> helpful in understanding the motivation from NSEC to NSEC3, besides RFC 5155, 
> but it is not listed in the draft above (maybe because it is for 
> informational purposes?).
> https://datatracker.ietf.org/doc/rfc7129/

While RFC 7129 is interesting for understanding the protocol, it is background 
material and maybe not really part of the protocol itself or an extension to 
the protocol itself. I'm not sure where it would fit into this document.

--Paul Hoffman

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Call for Adoption: DNSSEC as BCP: draft-hoffman-dnssec

2022-03-25 Thread Joey Deng
Hi,

A possible format issue:

>[RFC6840] brings a few additions into the core of DNSSEC.  It makes
>NSEC3 [RFC5155] as much a part of DNSSEC as NSEC is.  It also makes
>the SHA-2 hash function defined in [RFC4509] and [RFC5702] part of
>the core as well. # Cryptographic Algorithms and DNSSEC
> 
>Cryptography improves over time, and new algorithms get adopted by
>various Internet protocols.  Two new signing algorithms have been
>adopted by the DNSSEC community: ECDSA [RFC6605] and EdDSA [RFC8080].
>The GOST signing algorithm [RFC5933] was also adopted, but has seen
>very limited use, likely because it is a national algorithm specific
>to a very small number of countries.
> 
>Implementation developers who want to know which algorithms to
>implement in DNSSEC software should refer to [RFC8624].  Note that
>this specification is only about what algorithms should and should
>not be included in implementations: it is not advice for which
>algorithms that zone operators should and should not sign with, nor
>which algorithms recursive resolver operators should or should not
>validate.

Based on the context, the format should probably be:

>[RFC6840] brings a few additions into the core of DNSSEC.  It makes
>NSEC3 [RFC5155] as much a part of DNSSEC as NSEC is.  It also makes
>the SHA-2 hash function defined in [RFC4509] and [RFC5702] part of
>the core as well.
> 
> 2.2 Cryptographic Algorithms and DNSSEC
> 
>Cryptography improves over time, and new algorithms get adopted by
>various Internet protocols.  Two new signing algorithms have been
>adopted by the DNSSEC community: ECDSA [RFC6605] and EdDSA [RFC8080].
>The GOST signing algorithm [RFC5933] was also adopted, but has seen
>very limited use, likely because it is a national algorithm specific
>to a very small number of countries.
> 
>Implementation developers who want to know which algorithms to
>implement in DNSSEC software should refer to [RFC8624].  Note that
>this specification is only about what algorithms should and should
>not be included in implementations: it is not advice for which
>algorithms that zone operators should and should not sign with, nor
>which algorithms recursive resolver operators should or should not
>validate.

Since the description above mainly focuses on the new cryptography adopted by 
DNSSEC, I think it would make more sense to use a title like:

Additional Cryptographic Algorithms in DNSSEC

—

During my reading of DNS and DNSSEC, I found another RFC (RFC 7129) very 
helpful in understanding the motivation from NSEC to NSEC3, besides RFC 5155, 
but it is not listed in the draft above (maybe because it is for informational 
purposes?).
https://datatracker.ietf.org/doc/rfc7129/ 


Thanks.

--
Joey Deng



> On Mar 24, 2022, at 4:26 PM, dnsop-requ...@ietf.org wrote:
> 
> [DNSOP] Call for Adoption: DNSSEC as BCP:
>   draft-hoffman-dnssec



Re: [DNSOP] [Ext] Call for Adoption: DNSSEC as BCP: draft-hoffman-dnssec

2022-03-25 Thread Paul Hoffman
I'm the author, so I guess it goes without saying that I support its adoption. 
Given the higher level of scrutiny that BCPs garner, I will incorporate 
suggested text in versions of the draft if they are likely to reflect changes 
that would garner consensus.

--Paul Hoffman



[DNSOP] The DNSOP WG has placed draft-wisser-dnssec-automation in state "Call For Adoption By WG Issued"

2022-03-25 Thread IETF Secretariat


The DNSOP WG has placed draft-wisser-dnssec-automation in state
Call For Adoption By WG Issued (entered by Tim Wicinski)

The document is available at
https://datatracker.ietf.org/doc/draft-wisser-dnssec-automation/




[DNSOP] The DNSOP WG has placed draft-thomassen-dnsop-dnssec-bootstrapping in state "Call For Adoption By WG Issued"

2022-03-25 Thread IETF Secretariat


The DNSOP WG has placed draft-thomassen-dnsop-dnssec-bootstrapping in state
Call For Adoption By WG Issued (entered by Tim Wicinski)

The document is available at
https://datatracker.ietf.org/doc/draft-thomassen-dnsop-dnssec-bootstrapping/




Re: [DNSOP] Call for Adoption: draft-thomassen-dnsop-dnssec-bootstrapping

2022-03-25 Thread Joe Abley
On Mar 25, 2022, at 16:28, Benno Overeinder  wrote:

> With this email we start a period of two weeks for the call for adoption of 
> draft-thomassen-dnsop-dnssec-bootstrapping on the mailing list.
> 
> The draft is available here: 
> https://datatracker.ietf.org/doc/draft-thomassen-dnsop-dnssec-bootstrapping/
> 
> Please review this draft to see if you think it is suitable for adoption by 
> DNSOP, and send comments to the list, clearly stating your view.

I think this draft is suitable for adoption. 

> Please also indicate if you are willing to contribute text, review, etc.

I am (either or both) if I can be of use. 


Joe


Re: [DNSOP] Call for Adoption: draft-thomassen-dnsop-dnssec-bootstrapping

2022-03-25 Thread Brian Dickson
On Fri, Mar 25, 2022 at 8:29 AM Benno Overeinder  wrote:

> As announced during the DNSOP meeting this week at the IETF 113, we are
> starting a Call for Adoption for the
> draft-thomassen-dnsop-dnssec-bootstrapping.  With the survey we
> conducted before the last IETF 112, this draft was a clear candidate.
>
> With this email we start a period of two weeks for the call for adoption
> of draft-thomassen-dnsop-dnssec-bootstrapping on the mailing list.
>
> The draft is available here:
>
> https://datatracker.ietf.org/doc/draft-thomassen-dnsop-dnssec-bootstrapping/
>
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send comments to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.
>

I support adoption of this draft by the WG.

I am willing to contribute text, review, and may even have an
implementation available by the time it is ready for publication.

Brian Dickson


>
> This call for adoption ends: 8 April 2022
>
> Thanks,
>
> Suzanne, Tim and Benno
>


Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-nsec3-guidance

2022-03-25 Thread Paul Hoffman
I have re-read this document after not reading it for a long time. It is in 
excellent shape and should be sent to the IETF to become a BCP.

One note: the first paragraph in Section 2.4 is misplaced. Section 2 is about 
considerations while Section 3 is about recommendations. The first paragraph of 
Section 2.4 should be moved to Section 3.1, probably as the second paragraph 
there.

I'm sending the authors some strictly-editorial proposals in the repo.

--Paul Hoffman



Re: [DNSOP] Call for Adoption: draft-thomassen-dnsop-dnssec-bootstrapping

2022-03-25 Thread John Levine
It appears that Benno Overeinder said:
>Please review this draft to see if you think it is suitable for adoption 
>by DNSOP, and send comments to the list, clearly stating your view.

I support adoption.  It fills a longstanding gap in DNSSEC deployment.

Will review, tweak text.

R's,
John



[DNSOP] Call for Adoption: draft-wisser-dnssec-automation

2022-03-25 Thread Benno Overeinder
As with the previous Call for Adoption today, at this week's DNSOP 
meeting at IETF 113, we announced that we are initiating a Call for 
Adoption for the draft-wisser-dnssec-automation.  With the survey we 
conducted for the last IETF 112, this draft was also a clear candidate.


With this email we start a period of two weeks for the call for adoption 
of draft-wisser-dnssec-automation on the mailing list.


The draft is available here: 
https://datatracker.ietf.org/doc/draft-wisser-dnssec-automation/.


Please review this draft to see if you think it is suitable for adoption 
by DNSOP, and send comments to the list, clearly stating your view.


Please also indicate if you are willing to contribute text, review, etc.

This call for adoption ends: 8 April 2022

Thanks,

Suzanne, Tim and Benno



Re: [DNSOP] Call for Adoption: DNSSEC as BCP: draft-hoffman-dnssec

2022-03-25 Thread Wessels, Duane


> On Mar 24, 2022, at 4:07 PM, Tim Wicinski  wrote:
> 
>  
> All
> 
> If you attended the most recent DNSOP session, you've heard Warren speak 
> about creating a BCP for DNSSEC, including  all of the DNSSEC related RFCs, 
> in order to make life easier for implementers and DNS operators. 
> 
> We want to ask the working group if this is something DNSOP wants to work on. 
> If so, we can work with Warren to prioritize getting through the approval 
> process as efficiently as possible.
> 
> 
> This starts a Call for Adoption for: draft-hoffman-dnssec
> 
> The draft is available here: 
> https://datatracker.ietf.org/doc/draft-hoffman-dnssec/
> 
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send any comments to the list, clearly stating your view.

I think it is suitable for adoption.


> Please also indicate if you are willing to contribute text, review, etc.
> 

A couple of things from my first read:

Should the abstract perhaps more directly state the goal of documenting DNSSEC 
as a best current practice?  I find the stated purpose “to introduce all of the 
RFCs in one place” somewhat unconvincing.

From section 4: “IANA already has two registries that relate to DNSSEC”.  
Shouldn’t the DS digest algorithm registry be considered a third?

DW



[DNSOP] Call for Adoption: draft-thomassen-dnsop-dnssec-bootstrapping

2022-03-25 Thread Benno Overeinder
As announced during the DNSOP meeting this week at the IETF 113, we are 
starting a Call for Adoption for the 
draft-thomassen-dnsop-dnssec-bootstrapping.  With the survey we 
conducted before the last IETF 112, this draft was a clear candidate.


With this email we start a period of two weeks for the call for adoption 
of draft-thomassen-dnsop-dnssec-bootstrapping on the mailing list.


The draft is available here: 
https://datatracker.ietf.org/doc/draft-thomassen-dnsop-dnssec-bootstrapping/


Please review this draft to see if you think it is suitable for adoption 
by DNSOP, and send comments to the list, clearly stating your view.


Please also indicate if you are willing to contribute text, review, etc.

This call for adoption ends: 8 April 2022

Thanks,

Suzanne, Tim and Benno



Re: [DNSOP] Call for Adoption: DNSSEC as BCP: draft-hoffman-dnssec

2022-03-25 Thread Ben Schwartz
I support adoption of this draft.

I appreciate that it acknowledges that deployment has been lower than some
advocates hoped, but I think the text following that is misplaced:

   However, this low level of implementation
   does not affect whether DNSSEC is a best current practice; it just
   indicates that the value of deploying DNSSEC is often considered
   lower than the cost.

I would suggest a different caveat, perhaps:

Nonetheless, the majority deployment of DNSSEC within certain major
registries [1], and near-universal deployment across Top-Level Domains [2],
demonstrate that DNSSEC is suitable for implementation by both ordinary and
highly sophisticated domain owners.

[1] https://stats.sidnlabs.nl/en/dnssec.html
[2] https://stats.research.icann.org/dns/tld_report/

On Fri, Mar 25, 2022 at 6:37 AM Paul Wouters  wrote:

> On Mar 25, 2022, at 00:08, Tim Wicinski  wrote:
> >
> > If you attended the most recent DNSOP session, you've heard Warren speak
> about creating a BCP for DNSSEC, including  all of the DNSSEC related RFCs,
> in order to make life easier for implementers and DNS operators.
>
> Please do. As an author and reviewer, I have run into issues and then
> inconsistencies on how to normatively reference DNSSEC.
>
> Paul


Re: [DNSOP] Minutes for 113

2022-03-25 Thread Tim Wicinski
Thanks Paul for these!

I uploaded these into the datatracker, and I appended the chat logs to the
bottom, as we've come to realize there is also
good discussion going on there that is useful to capture.

Please check if there was anything attributed to you incorrectly, and let
the chairs know.

thanks
tim


On Tue, Mar 22, 2022 at 6:59 AM Paul Hoffman  wrote:

> Attached. I thought that the mix of in-person mic and MeetEcho went very
> well!
>
> --Paul


Re: [DNSOP] Call for Adoption: DNSSEC as BCP: draft-hoffman-dnssec

2022-03-25 Thread Paul Wouters
On Mar 25, 2022, at 00:08, Tim Wicinski  wrote:
> 
> If you attended the most recent DNSOP session, you've heard Warren speak 
> about creating a BCP for DNSSEC, including  all of the DNSSEC related RFCs, 
> in order to make life easier for implementers and DNS operators.

Please do. As an author and reviewer, I have run into issues and then 
inconsistencies on how to normatively reference DNSSEC.

Paul