[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-19 Thread Tim Wicinski
To follow up on this discussion, I've talked with Paul and I'm OK with
leaving the last paragraph of section 3.3 in place.  Joe Abley has been the
only other outspoken one on this.

I have the feeling/consensus/vibes that the latest version makes the text
clearer.  We will discuss this with Warren later today with the opinion
the document is ready to be passed back to him.

Please speak up if you feel otherwise

tim


On Mon, Jun 17, 2024 at 5:14 PM Paul Hoffman  wrote:

> On Jun 17, 2024, at 13:39, Joe Abley  wrote:
> >
> > Hi Paul,
> >
> > On 17 Jun 2024, at 21:18, Paul Hoffman  wrote:
> >
> >> The paragraph reads:
> >>
> >> If the "root-servers.net" zone is later signed, or if the root servers
> are named in a
> >> different zone and that zone is signed, having DNSSEC validation for
> the priming queries
> >> might be valuable.
> >> The benefits and costs of resolvers validating the responses will
> depend heavily on
> >> the naming scheme used.
> >>
> >> It is still accurate as it stands, does not lead to an assumption of
> what name would be signed and, more importantly, strongly indicates that
> the name that eventually gets signed might be different than
> root-servers.net. I'm not sure why we would want to remove that.
> >
> > It might be technically true (although I could still nitpick about the
> assumption that the root server names must necessarily live in a zone other
> than the root) but I don't think it's useful.
>
> I find it useful, but I see that it is also off-topic for current priming.
> Please note that the first sentence was actually part of RFC 8109, and I
> don't remember people objecting to it then.
>
> --Paul Hoffman
>
>
___
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org


[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-17 Thread Paul Hoffman
On Jun 17, 2024, at 13:39, Joe Abley  wrote:
> 
> Hi Paul,
> 
> On 17 Jun 2024, at 21:18, Paul Hoffman  wrote:
> 
>> The paragraph reads:
>> 
>> If the "root-servers.net" zone is later signed, or if the root servers are 
>> named in a
>> different zone and that zone is signed, having DNSSEC validation for the 
>> priming queries
>> might be valuable.
>> The benefits and costs of resolvers validating the responses will depend 
>> heavily on
>> the naming scheme used.
>> 
>> It is still accurate as it stands, does not lead to an assumption of what 
>> name would be signed and, more importantly, strongly indicates that the name 
>> that eventually gets signed might be different than root-servers.net. I'm 
>> not sure why we would want to remove that.
> 
> It might be technically true (although I could still nitpick about the 
> assumption that the root server names must necessarily live in a zone other 
> than the root) but I don't think it's useful.

I find it useful, but I see that it is also off-topic for current priming. 
Please note that the first sentence was actually part of RFC 8109, and I don't 
remember people objecting to it then. 

--Paul Hoffman



[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-17 Thread Joe Abley
Hi Paul,

On 17 Jun 2024, at 21:18, Paul Hoffman  wrote:

> The paragraph reads:
> 
> If the "root-servers.net" zone is later signed, or if the root servers are 
> named in a
> different zone and that zone is signed, having DNSSEC validation for the 
> priming queries
> might be valuable.
> The benefits and costs of resolvers validating the responses will depend 
> heavily on
> the naming scheme used.
> 
> It is still accurate as it stands, does not lead to an assumption of what 
> name would be signed and, more importantly, strongly indicates that the name 
> that eventually gets signed might be different than root-servers.net. I'm not 
> sure why we would want to remove that.

It might be technically true (although I could still nitpick about the 
assumption that the root server names must necessarily live in a zone other 
than the root) but I don't think it's useful.

I think the paragraph is at best pointless to leave in, and at worst has the 
potential not to age well.

I agree with Tim's suggestion that the document would be improved if that 
paragraph was removed. Or his idea or his question or whatever it is proper for 
Tim to do depending on what hat he was wearing.

I think any work about naming the root servers or whether the records attached 
to those names would be better to leave to a different, future document.


Joe


[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-17 Thread Paul Hoffman
On Jun 17, 2024, at 09:52, Tim Wicinski  wrote:
> 
> 
> 
> On Mon, Jun 17, 2024 at 12:19 PM Joe Abley  wrote:
> On 17 Jun 2024, at 17:54, Tim Wicinski  wrote:
> 
>> Oh that's a very good point, and does make that assumption.   "will be 
>> valuable if root-servers.net is DNSSEC signed" does not 
>> make that assumption. 
> 
> It perhaps narrowly avoids one of the assumptions I mentioned but it still 
> warmly embraces the other one. 
> 
> I still think this text speculates about the future and I still don't know 
> why we think that is a good idea.
> 
> 
> The more I think about this, I believe you are correct that we can not make 
> any assumptions about the future. 
> 
> It then feels like that last paragraph is removed.  Thoughts? 

The paragraph reads:

If the "root-servers.net" zone is later signed, or if the root servers are 
named in a
different zone and that zone is signed, having DNSSEC validation for the 
priming queries
might be valuable.
The benefits and costs of resolvers validating the responses will depend 
heavily on
the naming scheme used.

It is still accurate as it stands, does not lead to an assumption of what name 
would be signed and, more importantly, strongly indicates that the name that 
eventually gets signed might be different than root-servers.net. I'm not sure 
why we would want to remove that.

--Paul Hoffman


[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-17 Thread Tim Wicinski
On Mon, Jun 17, 2024 at 12:19 PM Joe Abley  wrote:

> On 17 Jun 2024, at 17:54, Tim Wicinski  wrote:
>
> Oh that's a very good point, and does make that assumption.   "will be
> valuable if root-servers.net is DNSSEC signed" does not make that
> assumption.
>
>
> It perhaps narrowly avoids one of the assumptions I mentioned but it still
> warmly embraces the other one.
>
> I still think this text speculates about the future and I still don't know
> why we think that is a good idea.
>
>
The more I think about this, I believe you are correct that we can not make
any assumptions about the future.

It then feels like that last paragraph is removed.  Thoughts?

tim


> Joe
>


[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-17 Thread Joe Abley
On 17 Jun 2024, at 17:54, Tim Wicinski  wrote:

> Oh that's a very good point, and does make that assumption.   "will be valuable if root-servers.net is DNSSEC signed" does not make that assumption.

It perhaps narrowly avoids one of the assumptions I mentioned but it still warmly embraces the other one.

I still think this text speculates about the future and I still don't know why we think that is a good idea.

Joe


[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-17 Thread Tim Wicinski
On Mon, Jun 17, 2024 at 11:45 AM Joe Abley  wrote:

> Hi Tim,
>
> Doesn't that text presuppose (a) that the current naming scheme is
> invariant and (b) the root-servers.net zone will one day be signed?
>
> I suggest phrasing that recognises current reality is probably better than
> text that speculates about the future, especially when it comes to things
> that the IETF may not have the final say on.
>
>
> Joe
>

Oh that's a very good point, and does make that assumption.   "will be
valuable if root-servers.net is DNSSEC signed" does not make that
assumption.

tim



> On 17 Jun 2024, at 17:40, Tim Wicinski  wrote:
>
> 
> Paul is correct on this - we would like a few more comments on the
> clarification changes to RFC8109-bis.
> Also, Willem offered some suggested text to the last paragraph of 3.3
> relating to root-servers.net :
>
>   "DNSSEC validation of the priming query is valuable when
> root-servers.net zone will be DNSSEC signed and resolvers revalidate the
> root server addresses, by following up with direct A and  queries for
> the names of the root NS RRset"
>
> I would only offer up some slight edit:
>
> DNSSEC validation of the priming query will be valuable when the
> root-servers.net zone is DNSSEC signed.
>
> "will be valuable when" sounds clearer than "is valuable when" but I will
> leave that as a suggestion.
>
> Some final considerations please
>
> tim
>
>
>
> On Thu, Jun 13, 2024 at 3:53 PM Paul Hoffman 
> wrote:
>
>> One more nudge on this, before the deadline tomorrow.
>>
>> --Paul Hoffman
>>
>>
>> On Jun 5, 2024, at 09:28, Paul Hoffman  wrote:
>> >
>> > Tim jumped the gun by about an hour: we just submitted the -05. It
>> incorporates the suggested text from below; you can see the diff at:
>> >
>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-05
>> >
>> > FWIW, this new text is somewhat based on the findings from NLnetLabs
>> and SIDN on a project supported by ICANN. You can see the report, and an
>> earlier report on a related topic, at:
>> >
>> https://www.icann.org/resources/pages/octo-commissioned-documents-2020-11-05-en
>> >
>> > Please let us know if you have any issues with the changed text in the
>> new version.
>> >
>> > --Paul Hoffman
>> >
>> >
>> > On Jun 5, 2024, at 08:25, Tim Wicinski  wrote:
>> >>
>> >> All
>> >>
>> >> The chairs are requesting some final comments on
>> draft-ietf-dnsop-rfc8109bis. As you might recall, this document has already
>> been through WGLC and had consensus to advance, but our AD reviewed it and
>> raised some additional questions. (Warren Kumari, “AD Review of
>> draft-ietf-dnsop-rfc8109bis,” email to the list on 31 January.)
>>


[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-17 Thread Joe Abley
Hi Tim,

Doesn't that text presuppose (a) that the current naming scheme is invariant and (b) the root-servers.net zone will one day be signed?

I suggest phrasing that recognises current reality is probably better than text that speculates about the future, especially when it comes to things that the IETF may not have the final say on.

Joe

On 17 Jun 2024, at 17:40, Tim Wicinski  wrote:

Paul is correct on this - we would like a few more comments on the clarification changes to RFC8109-bis.
Also, Willem offered some suggested text to the last paragraph of 3.3 relating to root-servers.net :

  "DNSSEC validation of the priming query is valuable when root-servers.net zone will be DNSSEC signed and resolvers revalidate the root server addresses, by following up with direct A and  queries for the names of the root NS RRset"

I would only offer up some slight edit:

DNSSEC validation of the priming query will be valuable when the root-servers.net zone is DNSSEC signed.

"will be valuable when" sounds clearer than "is valuable when" but I will leave that as a suggestion.

Some final considerations please

tim

On Thu, Jun 13, 2024 at 3:53 PM Paul Hoffman  wrote:

One more nudge on this, before the deadline tomorrow.

--Paul Hoffman


On Jun 5, 2024, at 09:28, Paul Hoffman  wrote:
> 
> Tim jumped the gun by about an hour: we just submitted the -05. It incorporates the suggested text from below; you can see the diff at:
>    https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-05
> 
> FWIW, this new text is somewhat based on the findings from NLnetLabs and SIDN on a project supported by ICANN. You can see the report, and an earlier report on a related topic, at:
>   https://www.icann.org/resources/pages/octo-commissioned-documents-2020-11-05-en
> 
> Please let us know if you have any issues with the changed text in the new version.   
> 
> --Paul Hoffman
> 
> 
> On Jun 5, 2024, at 08:25, Tim Wicinski  wrote:
>> 
>> All
>> 
>> The chairs are requesting some final comments on draft-ietf-dnsop-rfc8109bis. As you might recall, this document has already been through WGLC and had consensus to advance, but our AD reviewed it and raised some additional questions. (Warren Kumari, “AD Review of draft-ietf-dnsop-rfc8109bis,” email to the list on 31 January.)




[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-17 Thread Tim Wicinski
Paul is correct on this - we would like a few more comments on the
clarification changes to RFC8109-bis.
Also, Willem offered some suggested text to the last paragraph of 3.3
relating to root-servers.net :

  "DNSSEC validation of the priming query is valuable when root-servers.net
zone will be DNSSEC signed and resolvers revalidate the root server
addresses, by following up with direct A and  queries for the names of
the root NS RRset"

I would only offer up some slight edit:

DNSSEC validation of the priming query will be valuable when the
root-servers.net zone is DNSSEC signed.

"will be valuable when" sounds clearer than "is valuable when" but I will
leave that as a suggestion.

Some final considerations please

tim



On Thu, Jun 13, 2024 at 3:53 PM Paul Hoffman  wrote:

> One more nudge on this, before the deadline tomorrow.
>
> --Paul Hoffman
>
>
> On Jun 5, 2024, at 09:28, Paul Hoffman  wrote:
> >
> > Tim jumped the gun by about an hour: we just submitted the -05. It
> incorporates the suggested text from below; you can see the diff at:
> >
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-05
> >
> > FWIW, this new text is somewhat based on the findings from NLnetLabs and
> SIDN on a project supported by ICANN. You can see the report, and an
> earlier report on a related topic, at:
> >
> https://www.icann.org/resources/pages/octo-commissioned-documents-2020-11-05-en
> >
> > Please let us know if you have any issues with the changed text in the
> new version.
> >
> > --Paul Hoffman
> >
> >
> > On Jun 5, 2024, at 08:25, Tim Wicinski  wrote:
> >>
> >> All
> >>
> >> The chairs are requesting some final comments on
> draft-ietf-dnsop-rfc8109bis. As you might recall, this document has already
> been through WGLC and had consensus to advance, but our AD reviewed it and
> raised some additional questions. (Warren Kumari, “AD Review of
> draft-ietf-dnsop-rfc8109bis,” email to the list on 31 January.)
>
>


[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-13 Thread Paul Hoffman
One more nudge on this, before the deadline tomorrow.

--Paul Hoffman


On Jun 5, 2024, at 09:28, Paul Hoffman  wrote:
> 
> Tim jumped the gun by about an hour: we just submitted the -05. It 
> incorporates the suggested text from below; you can see the diff at:
>    https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-05
> 
> FWIW, this new text is somewhat based on the findings from NLnetLabs and SIDN 
> on a project supported by ICANN. You can see the report, and an earlier 
> report on a related topic, at:
>   
> https://www.icann.org/resources/pages/octo-commissioned-documents-2020-11-05-en
> 
> Please let us know if you have any issues with the changed text in the new 
> version.   
> 
> --Paul Hoffman
> 
> 
> On Jun 5, 2024, at 08:25, Tim Wicinski  wrote:
>> 
>> All
>> 
>> The chairs are requesting some final comments on 
>> draft-ietf-dnsop-rfc8109bis. As you might recall, this document has already 
>> been through WGLC and had consensus to advance, but our AD reviewed it and 
>> raised some additional questions. (Warren Kumari, “AD Review of 
>> draft-ietf-dnsop-rfc8109bis,” email to the list on 31 January.)



[DNSOP] Re: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis

2024-06-06 Thread A. Schulze


Paul Hoffman:

> Tim jumped the gun by about an hour: we just submitted the -05. It
> incorporates the suggested text from below; you can see the diff at:
>
>    https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-05


this changed text is much more clear to me.

Andreas
