Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-02.txt

2023-02-17 Thread tjw ietf

Peter

There are no undesirable consequences in pushing new versions before they expire
without changes.

Actually I have an action item to review some of the discussion on this draft
which is now on my short list as we push several of these other documents
forward.

Tim

> On Feb 17, 2023, at 16:16, Peter Thomassen wrote:
> 
> Hi Joe, all,
> 
>> On 2/17/23 21:48, Joe Abley wrote:
>>> On Fri, Feb 17, 2023 at 15:03, Peter Thomassen wrote:
>>> I am not sure whether draft expiry impacts the WG document handling process 
>>> in any way.
>> I would not worry. You can always reset the timer by bumping the version and 
>> the date and resubmitting, if it bothers you. The particular lifetime of an 
>> I-D is somewhat arbitrary; the main thing is that it is finite.
> 
> Thank you for explaining! I wasn't sure whether expiry would imply that a 
> draft would have to be (e.g.) re-adopted etc.pp. I'm relieved to know that's 
> not the case.
> 
> I nevertheless pushed a new revision (-03) to reflect the implementation 
> updates that have happened since -02.
> 
>>> Regardless, I had thought that the WG would generally process adopted 
>>> drafts within their expiration window (which is why a process hiccup had 
>>> come to my mind). I'm not sure if there is some policy about this or not.
>> I obviously do not speak for the chairs. However, in my experience we are all
>> volunteers here, and we all do our best. Sometimes things take longer than 
>> we expect and life goes on.
> 
> Yes, and it's indeed a great gift to the community that the chairs (and other 
> leadership, for that matter), are putting in their time volunteering. (Thank 
> you!)
> 
> I had no intentions to be pushy, and was simply concerned that expiration may 
> have undesirable consequences. I'd like to apologize in case anything I wrote 
> came across in any other way. Obviously, if there are no adverse consequences,
> then there's no rush. :-)
> 
> Best,
> Peter
> 
> -- 
> https://desec.io/

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-02.txt

2023-02-17 Thread Peter Thomassen

Hi Joe, all,

On 2/17/23 21:48, Joe Abley wrote:
> On Fri, Feb 17, 2023 at 15:03, Peter Thomassen wrote:
>> I am not sure whether draft expiry impacts the WG document handling process in
>> any way.
>
> I would not worry. You can always reset the timer by bumping the version and
> the date and resubmitting, if it bothers you. The particular lifetime of an I-D
> is somewhat arbitrary; the main thing is that it is finite.

Thank you for explaining! I wasn't sure whether expiry would imply that a draft
would have to be (e.g.) re-adopted etc.pp. I'm relieved to know that's not the
case.

I nevertheless pushed a new revision (-03) to reflect the implementation
updates that have happened since -02.

>> Regardless, I had thought that the WG would generally process adopted drafts
>> within their expiration window (which is why a process hiccup had come to my
>> mind). I'm not sure if there is some policy about this or not.
>
> I obviously do not speak for the chairs. However, in my experience we are all
> volunteers here, and we all do our best. Sometimes things take longer than we
> expect and life goes on.


Yes, and it's indeed a great gift to the community that the chairs (and other 
leadership, for that matter), are putting in their time volunteering. (Thank 
you!)

I had no intentions to be pushy, and was simply concerned that expiration may 
have undesirable consequences. I'd like to apologize in case anything I wrote 
came across in any other way. Obviously, if there are no adverse consequences,
then there's no rush. :-)

Best,
Peter

--
https://desec.io/



Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-02.txt

2023-02-17 Thread Joe Abley

On Fri, Feb 17, 2023 at 15:03, Peter Thomassen wrote:

> I am not sure whether draft expiry impacts the WG document handling process 
> in any way.

I would not worry. You can always reset the timer by bumping the version and 
the date and resubmitting, if it bothers you. The particular lifetime of an I-D 
is somewhat arbitrary; the main thing is that it is finite.

> Regardless, I had thought that the WG would generally process adopted drafts 
> within their expiration window (which is why a process hiccup had come to my 
> mind). I'm not sure if there is some policy about this or not.

I obviously do not speak for the chairs. However, in my experience we are all
volunteers here, and we all do our best. Sometimes things take longer than we 
expect and life goes on.

Joe



Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-02.txt

2023-02-17 Thread Peter Thomassen

Hi Michael, Chairs,

On 2/17/23 14:10, Michael Bauland wrote:
> we've recently implemented the DNSSEC bootstrapping as defined in this draft in
> our registry system TANGO as well as in the CORE registry system.
>
> I just realised that the draft is going to expire tomorrow. What are the next
> steps? Will the draft be advanced? Will there be an extension?


Yes, we realized that, too.


The authors have no update since August when the current revision was uploaded. 
The change log is very small [1], and the authors are not aware of any 
outstanding issues.

On the occasion of emailing the chairs in October (in an unrelated matter about 
IETF 115), I also had asked about the status of the bootstrapping draft, and 
was told that it is ready for WGLC and will be added to the queue (@chairs: I'm 
referring to my Oct 19 email).

It's always possible there is a process hiccup (which is fine!); so I sent 
another (informal) inquiry a few weeks back and was told that the draft will be 
followed-up upon.


I am not sure whether draft expiry impacts the WG document handling process in 
any way. Regardless, I had thought that the WG would generally process adopted 
drafts within their expiration window (which is why a process hiccup had come 
to my mind). I'm not sure if there is some policy about this or not.

Anyway, I will use your announcement to submit a new revision with your 
implementation added to the Implementations section and prevent expiry.

The authors would appreciate if the chairs could give a quick statement 
regarding the situation of the draft (and, for my education, whether draft 
expiration would have had side-effects on the process).

Thanks,
Peter

[1]: https://mailarchive.ietf.org/arch/msg/dnsop/MSjCgeLSqgsx8pr9edEaDrqPyis/

--
https://desec.io/



Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-02.txt

2023-02-17 Thread Michael Bauland

Hi,

we've recently implemented the DNSSEC bootstrapping as defined in this 
draft in our registry system TANGO as well as in the CORE registry system.


I just realised that the draft is going to expire tomorrow. What are the 
next steps? Will the draft be advanced? Will there be an extension?


Cheers,

Michael

--

Dr. Michael Bauland, Dipl.-Informatiker
Software Development
Knipp Medien und Kommunikation GmbH
Technologiepark
Martin-Schmeisser-Weg 9
44227 Dortmund
Germany

Fon: +49 231 9703-0
Fax: +49 231 9703-200
SIP: michael.baul...@knipp.de
E-mail: michael.baul...@knipp.de

Register Court: Amtsgericht Dortmund, HRB 13728
Chief Executive Officers: Dietmar Knipp, Elmar Knipp



Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-02.txt

2022-08-17 Thread Peter Thomassen

Dear DNSOP,

Thank you for the review of -01! We have addressed the feedback and sorted out 
the remaining editorial issues. For a summary, see below.

We are not aware of any outstanding questions or issues. The protocol is now in 
production at Cloudflare and SWITCH, amongst others.

Given this state of things, we would like to propose advancing the draft to the 
next stage once the WG feels that the time has come.


Most significant changes since -01:

| Clarified that RFC 8078 Section 3 is not replaced, but its methods
| are deprecated. (Libor's suggestion -- thanks!)
|
| Included NSEC walk / AXFR as possible triggers for DS
| bootstrapping. (John's suggestion -- thanks!)

Other changes since -01:

| Added new deployments to Implementation section.
|
| Editorial changes.


Thanks,
Peter


On 8/17/22 14:47, internet-dra...@ietf.org wrote:


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

   Title    : Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
   Authors  : Peter Thomassen
              Nils Wisiol
   Filename : draft-ietf-dnsop-dnssec-bootstrapping-02.txt
   Pages    : 15
   Date     : 2022-08-17

Abstract:
This document introduces an in-band method for DNS operators to
publish arbitrary information about the zones they are authoritative
for, in an authenticated fashion and on a per-zone basis.  The
mechanism allows managed DNS operators to securely announce DNSSEC
key parameters for zones under their management, including for zones
that are not currently securely delegated.

Whenever DS records are absent for a zone's delegation, this signal
enables the parent's registry or registrar to cryptographically
validate the CDS/CDNSKEY records found at the child's apex.  The
parent can then provision DS records for the delegation without
resorting to out-of-band validation or weaker types of cross-checks
such as "Accept after Delay" ([RFC8078]).

This document deprecates the DS enrollment methods described in
Section 3 of [RFC8078] in favor of Section 3 of this document.

[ Ed note: This document is being collaborated on at
https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/
(https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/).
The authors gratefully accept pull requests. ]


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-02.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-02


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




--
Like our community service? 
Please consider donating at

https://desec.io/

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany

Chair of the board: Nils Wisiol
Register court: AG Berlin (Charlottenburg) VR 37525



[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-02.txt

2022-08-17 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

   Title    : Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
   Authors  : Peter Thomassen
              Nils Wisiol
   Filename : draft-ietf-dnsop-dnssec-bootstrapping-02.txt
   Pages    : 15
   Date     : 2022-08-17

Abstract:
   This document introduces an in-band method for DNS operators to
   publish arbitrary information about the zones they are authoritative
   for, in an authenticated fashion and on a per-zone basis.  The
   mechanism allows managed DNS operators to securely announce DNSSEC
   key parameters for zones under their management, including for zones
   that are not currently securely delegated.

   Whenever DS records are absent for a zone's delegation, this signal
   enables the parent's registry or registrar to cryptographically
   validate the CDS/CDNSKEY records found at the child's apex.  The
   parent can then provision DS records for the delegation without
   resorting to out-of-band validation or weaker types of cross-checks
   such as "Accept after Delay" ([RFC8078]).

   This document deprecates the DS enrollment methods described in
   Section 3 of [RFC8078] in favor of Section 3 of this document.

   [ Ed note: This document is being collaborated on at
   https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/
   (https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/).
   The authors gratefully accept pull requests. ]


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-02.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-02


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


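
The check that the draft abstract above describes, as an added offline sketch that is not part of the thread or of the draft's own text: the parent accepts a child's CDS/CDNSKEY records only when the same record set is also published, DNSSEC-validated, under each nameserver's signaling name. The `_dsboot`/`_signal` naming follows the draft; the function names, the in-bailiwick handling and the sample records are assumptions made here, and DNS lookups and validation are represented by pre-collected answers.

```python
# Added example: simplified parent-side acceptance check for DS bootstrapping.
# All record data below is constructed; no DNS queries are made.

def signaling_name(child: str, nameserver: str) -> str:
    """Name in the operator's signaling zone that mirrors the child's CDS/CDNSKEY."""
    return f"_dsboot.{child.rstrip('.')}._signal.{nameserver.rstrip('.')}."

def in_bailiwick(nameserver: str, child: str) -> bool:
    ns, zone = nameserver.rstrip(".").lower(), child.rstrip(".").lower()
    return ns == zone or ns.endswith("." + zone)

def may_bootstrap(child, nameservers, has_ds, apex_answers, signal_answers):
    """Return (ok, reason).

    apex_answers:   {nameserver: frozenset of CDS/CDNSKEY rdata seen at the child apex}
    signal_answers: {signaling name: (frozenset of rdata, dnssec_validated)}
    """
    if has_ds:
        return False, "delegation already has DS records; nothing to bootstrap"
    # A signal hosted inside the (still insecure) child proves nothing (assumption).
    usable = [ns for ns in nameservers if not in_bailiwick(ns, child)]
    if not usable:
        return False, "no nameserver outside the child zone can carry the signal"
    rrsets = {apex_answers.get(ns, frozenset()) for ns in nameservers}
    for ns in usable:
        name = signaling_name(child, ns)
        rdata, validated = signal_answers.get(name, (frozenset(), False))
        if not validated:
            return False, f"{name}: answer missing or not DNSSEC-validated"
        rrsets.add(rdata)
    if len(rrsets) != 1 or not next(iter(rrsets)):
        return False, "CDS/CDNSKEY record sets are empty or differ between sources"
    return True, "consistent, authenticated signal; DS may be provisioned"

# Constructed sample data (digest is a placeholder, not a real key hash).
CHILD = "example.co.uk."
NS = ["ns1.example.net.", "ns2.example.org."]
CDS = frozenset({"12345 13 2 <constructed-digest>"})
APEX = {ns: CDS for ns in NS}
SIGNAL = {signaling_name(CHILD, ns): (CDS, True) for ns in NS}

if __name__ == "__main__":
    print(may_bootstrap(CHILD, NS, False, APEX, SIGNAL))
```

A single nameserver answering with a different record set, or one signaling answer that fails validation, is enough to reject the request, which is what separates this from the "Accept after Delay" style of cross-check the abstract mentions.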