All -
Whatever Mr. Moreau's intentions, I *got* a copy of this message as it was
cc:ed to [email protected]
This communication was, in fact, posted to the list.
- Lucy
---------- Forwarded message ----------
Date: Mon, 30 Apr 2007 10:00:43 -0400
From: Thierry Moreau <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [email protected]
Subject: [DNSOP] Feedback on draft-koch-dnsop-resolver-priming
To:
Peter Koch,
Matt Larson,
Joe Abley,
Roy Arends,
CC: ietf dnsop mailing list
Dear four gentlemen:
According to the DNSOP Prague meeting minutes, you are the
co-editors of revision -01 of the document
draft-koch-dnsop-resolver-priming-00. I also looked at the slides presented by
Peter at the Prague meeting (now at
http://www3.ietf.org/proceedings/07mar/slides/dnsop-4.pdf).
I appreciate this work, and I believe that I made a related
contribution in Appendix A of the draft draft-moreau-srvloc-dnssec-priming-00,
in which I omitted to refer to Peter's draft as I should have; my apologies for
this omission.
The present message is to assist you in your editing work, as this
subject matter would be best covered by reference to your work in my draft.
I.e. I would like to drop Appendix A in my draft, whose main part is concerned
with something different, i.e. using SLP for DNSSEC priming assistance, given
that "DNSSEC priming" is specified somewhere. (Maybe you don't need to care about
what I intend to do; it's FYI.)
Let's go back to your priming draft.
First, referring to the last question in Peter's presentation Question
page: "Root server address validation needed?" I answer YES. If you find a
consensus on a NO answer, you don't need to consider my second point.
My second point is about the first issue in Peter's presentation page 6:
"Issues with DNSSEC validation
o NET-related information not (readily) available to root servers
- Rename root servers (only zones root servers are authoritative for)
- Use a second trust anchor"
An idea (borrowed from a DNSSEC opt-in scheme which by itself IS NOT
BROUGHT as an ietf contribution) is to add a third alternative above:
- Use RRSIGs for A and AAAA RRsets using a signature key "shared"
with the root
You may be able to get the idea from my draft appendix A. So my second
point is that you may consider integrating this idea into the contents of the
draft. If you need clarifications, let me know.
Now, let me make a few observations about the IPR status of the above
idea. Generally, these observations apply irrespective of whether the idea remains in
my draft or is integrated in yours, since either way it's part of an ietf
contribution.
A DNSSEC priming specification only facilitates deployment at the
root, which is by itself challenging in many different aspects. The theoretical
benefits of using the above idea are 1) a quicker resolution of an important
issue in your draft, 2) an opportunity for a software development shortcut when
implementing priming on the resolver side, and 3) less need to move the root
servers from ROOT-SERVERS.NET. These benefits are very hypothetical since DNSSEC
deployment at the root is delayed by so many things.
In this context, I intend to file an IPR disclosure statement offering
a free, universal, non-exclusive, time-unlimited license to use the above idea
(that is conveniently defined by reference to the claims as they stand) for DNS
root zone file publishing by any DNS root zone operator, conditional on the
approval of your draft with the above idea included. (If you don't find the
idea useful to the point of including it in your draft, you don't need and/or
deserve any information about what I might do.) This message is not a formal
legal commitment, only an indication of the most likely course of events. This
indication should be sufficient for revision -01 draft preparation purposes.
Anyway, I'll have to wait a few weeks for the patent application to be
published by the patent office (early publication has been requested) before
filing an IPR disclosure.
In summary, I suggest you adopt the idea of having the authoritative
*.ROOT-SERVERS.NET A or AAAA RRsets signed with a public signature key value
present in the DNSKEY RRsets present at both ROOT-SERVERS.NET and the root,
provided that the DNSKEY RRset present at ROOT-SERVERS.NET is not self-signed
by this common signature key value.
Thanks for this work, and best regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
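The check summarised at the end of the forwarded message (address RRsets signed by a key published in both the root and ROOT-SERVERS.NET DNSKEY RRsets, with ROOT-SERVERS.NET's DNSKEY RRset not self-signed by that key), modelled as an added example that is neither the draft's nor the author's code. Key tags, secrets and addresses are constructed, and HMAC-SHA256 stands in for RRSIG signing so the logic runs offline.

```python
# Added model of the check proposed above; not code from the draft or its
# author. HMAC-SHA256 under a per-key secret stands in for RRSIG signing so the
# logic runs offline; real DNSSEC uses asymmetric signatures over canonical RRsets.
import hashlib
import hmac

def rrset_bytes(owner, rrtype, rdata):
    """Stand-in for the canonical form of an RRset: owner, type, sorted RDATA."""
    return "|".join([owner.lower(), rrtype] + sorted(rdata)).encode()

def sign(key, owner, rrtype, rdata):
    """Analogue of an RRSIG: (key tag, MAC over the RRset)."""
    tag, secret = key
    return tag, hmac.new(secret, rrset_bytes(owner, rrtype, rdata), hashlib.sha256).digest()

def verify(key, sig, owner, rrtype, rdata):
    tag, secret = key
    mac = hmac.new(secret, rrset_bytes(owner, rrtype, rdata), hashlib.sha256).digest()
    return sig[0] == tag and hmac.compare_digest(sig[1], mac)

def dnskey_rdata(keys):
    """Public form of a DNSKEY RRset (tag plus a hash standing in for the key value)."""
    return ["%d:%s" % (t, hashlib.sha256(s).hexdigest()[:16]) for t, s in keys]

def validate_priming_address(trust_anchor, root_dnskey, root_sig, rsn_dnskey, rsn_sig,
                             owner, rrtype, rdata, rr_sig):
    """Accept a *.ROOT-SERVERS.NET address RRset with no chain of trust through NET."""
    # 1. The root DNSKEY RRset must verify under the configured trust anchor.
    if not verify(trust_anchor, root_sig, ".", "DNSKEY", dnskey_rdata(root_dnskey)):
        return False
    # 2. The address RRset must be signed by a key the root itself publishes ...
    shared = next((k for k in root_dnskey if k[0] == rr_sig[0]), None)
    if shared is None or shared not in rsn_dnskey:  # 3. ... and ROOT-SERVERS.NET publishes too.
        return False
    # 4. The ROOT-SERVERS.NET DNSKEY RRset must not be self-signed by that shared key.
    if rsn_sig[0] == shared[0]:
        return False
    return verify(shared, rr_sig, owner, rrtype, rdata)  # 5. the A/AAAA RRSIG itself

def scenario(rsn_signed_by_shared=False, tampered=False):
    """Constructed zone data (tags, secrets and addresses are made up) run through the check."""
    root_ksk, shared, rsn_ksk = (1001, b"root-ksk"), (2002, b"shared-key"), (3003, b"rsn-ksk")
    root_dnskey, rsn_dnskey = {root_ksk, shared}, {rsn_ksk, shared}
    root_sig = sign(root_ksk, ".", "DNSKEY", dnskey_rdata(root_dnskey))
    rsn_signer = shared if rsn_signed_by_shared else rsn_ksk
    rsn_sig = sign(rsn_signer, "ROOT-SERVERS.NET", "DNSKEY", dnskey_rdata(rsn_dnskey))
    rdata = ["198.51.100.1"]  # documentation-range address, constructed
    rr_sig = sign(shared, "a.root-servers.net", "A", rdata)
    if tampered:
        rdata = ["203.0.113.9"]  # altered answer: the RRSIG no longer matches
    return validate_priming_address(root_ksk, root_dnskey, root_sig, rsn_dnskey, rsn_sig,
                                    "a.root-servers.net", "A", rdata, rr_sig)
```

`scenario()` returns True for the well-formed case, and False both when the address RDATA has been altered and when ROOT-SERVERS.NET's DNSKEY RRset is signed by the shared key, which the message rules out.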