On 12/15/17, 11:34, "DNSOP on behalf of Joe Abley" <dnsop-boun...@ietf.org on behalf of jab...@hopcount.ca> wrote:
> That seems fair. I was definitely speaking from a set of personal assumptions
> without any data; it's certainly possible that non-root trust anchors are
> widely deployed, however much I haven't seen it.

I have one confirmed TLD use of STD 69 (I asked them) and I suspect another does as well (I haven't asked, but they do regularly revoke SEPs), this coming from years of steady observation of TLD zones. Of the SLD data I have, which is far less comprehensive and thus inconclusive, I don't see many revoked keys. (With revoked keys being an ingredient of STD 69's process.) But I'll offer that paucity, by its nature, is hard to measure.

Nonetheless, no matter what is done for the DNS protocol, it's best if the protocol works the same for all nodes in the tree. Whether the secure entry point is the root or "example.com." or "something.deep.example.com.", we should define the protocol to function in the same manner.

(To clear this up, because "my history" vs. "my current" caused confusion before: I'm seeing this as a protocol engineer dating back to the time when DNSSEC was assembled [including the earliest opt-out "wars", where the temptation was to "special case" the TLD "com."], not as much as someone working for ICANN today.)

And as much as there is one unique root on the global public Internet, there are multiple inter-networks in existence. Such networks also use DNS and also make use of general purpose DNS software. So, I'd really resist setting special rules for the root zone that are tied to how "we" operate. (We can be IANA as the operator of the root zone, or we as those whose job is to collectively maintain the global public Internet.)

So, I'd make no assumptions about familiarity between the secure entry point and the trust anchor databases. There's not even a way, in-band (to DNS), for a trust anchor operator to know if the secure entry point is honoring STD 69.
In fact, I'd surmise that one of the ingredients in the DNS's wild success and growth is that there's no feedback loop, with the protocol featuring anonymous, context-free sessions. Each time we try to fight that bit of nature, we find "it's hard." Doesn't mean it can't be done, but you're fighting "parental-guardian" nature.
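The observation above rests on spotting revoked SEP keys in published DNSKEY RRsets, since a revoked key is the visible trace of RFC 5011 (STD 69) in use. The following is an added example, not part of the original message or of any dnsop tooling: it parses DNSKEY lines in presentation format, decodes the ZONE/REVOKE/SEP flag bits, computes the RFC 4034 Appendix B key tag, and reports revoked SEPs. The zone lines and their tiny public keys are constructed for illustration.

```python
"""Find RFC 5011 revoked SEP keys in DNSKEY records (constructed sample data)."""
import base64
import struct

# DNSKEY flag bits: RFC 4034 section 2.1.1 (ZONE, SEP) and RFC 5011 section 2.1 (REVOKE)
FLAG_ZONE = 0x0100
FLAG_REVOKE = 0x0080
FLAG_SEP = 0x0001


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with a single fold."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one 'owner TTL IN DNSKEY flags proto alg key...' presentation-format line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split over fields
    return {
        "owner": fields[0],
        "flags": flags,
        "sep": bool(flags & FLAG_SEP),
        "revoked": bool(flags & FLAG_REVOKE),
        "key_tag": key_tag(flags, proto, alg, pubkey),
    }


def revoked_seps(zone_lines) -> list:
    """Key tags of revoked SEP keys: the in-band evidence that a zone runs RFC 5011."""
    keys = [parse_dnskey(l) for l in zone_lines if " DNSKEY " in l]
    return [k["key_tag"] for k in keys if k["sep"] and k["revoked"]]


# Constructed sample zone; "AQAB" is a 3-byte placeholder, not a real public key
SAMPLE_ZONE = [
    "example. 3600 IN DNSKEY 257 3 8 AQAB",  # KSK: ZONE|SEP
    "example. 3600 IN DNSKEY 385 3 8 AQAB",  # same key with REVOKE set (tag changes)
    "example. 3600 IN DNSKEY 256 3 8 AQAB",  # ZSK: ZONE only
]

if __name__ == "__main__":
    for line in SAMPLE_ZONE:
        print(parse_dnskey(line))
    print("revoked SEP key tags:", revoked_seps(SAMPLE_ZONE))
```

Note that setting REVOKE changes the key tag, so a revoked key and its live predecessor show up under different tags in the RRset.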