On Mon, Jul 31, 2017 at 5:36 AM, Ted Lemon <[email protected]> wrote:
> On Jul 31, 2017, at 1:02 AM, Mark Andrews <[email protected]> wrote:
>
> The delegation is INSECURE and SIGNED not UNSIGNED. The wording
> here is *important*.
>
>
> Can you explain what the distinction is, and what the problem is that you
> see in point five? The reason I ask is that we explicitly changed the
> wording from "insecure" to "not signed" because someone else said that it
> wasn't clear what "insecure" meant. It seems to me that the current
> language is explicit and unambiguous; I think this is better than being
> "correct." So what is the bad outcome that might occur as a result of
> using the term "not signed" rather than "insecure"?
Having recently had exactly this discussion with someone, this area is fraught with opportunities for misunderstandings.

Let's take example.com as an example[0]. The .com zone is signed. Example Corp hired a DNS geek, who signed the example.com zone, but never quite got around to publishing a DS record in the parent. There is now a signed, insecure delegation to a signed zone; the delegation itself is signed (.com is a signed zone and so there is an RRSIG for the NS for example.com), but there is no DS record, so it is insecure. It really is an insecure delegation, not an unsigned delegation -- calling it unsigned would be confusing to many people.

The person I was discussing it with wasn't aware of the term "insecure delegation" and assumed that it meant an "unsigned delegation", which is, um, difficult to achieve in a non-NSEC3 OO zone... I spent an almost infinite amount of time[1] trying to explain this very point (to someone who understands DNSSEC) over the phone - it's tricky to communicate without a whiteboard and / or diagram.

I ended up opening an issue on the terminology-bis document to get it added: https://github.com/DNSOP/draft-ietf-dnsop-terminology-bis/issues/26#issuecomment-314275871

W

[0]: For the purpose of discussion, let's pretend that .COM uses NSEC, not NSEC3 with Opt-Out.
[1]: Ok, perhaps it wasn't almost infinite, but it sure felt like it...

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
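To make the secure / insecure / unsigned distinction from the message above concrete, here is an added example (not part of the thread or of any IETF document) that models the delegation check a validating resolver performs on the parent's answer to a DS query; the `DSResponse` structure, the field names and the sample cases are constructed for illustration.

```python
# Added illustration, not from the thread: a simplified version of the
# delegation check a validating resolver performs (RFC 4035 section 5).
# The DSResponse model and the sample cases below are constructed, not
# real .com data.
from dataclasses import dataclass, field


@dataclass
class DSResponse:
    """What the parent returned for a DS query at the child name."""
    parent_signed: bool                 # parent publishes DNSKEY and signs its RRsets
    ds_present: bool = False            # a DS RRset for the child exists
    ds_signed: bool = False             # ... and carries a valid RRSIG
    nsec_types: set = field(default_factory=set)  # type bitmap of a signed NSEC owned by the child name
    nsec3_optout_covers: bool = False   # a signed NSEC3 with Opt-Out set spans the child name


def classify_delegation(resp: DSResponse, child_signed: bool) -> str:
    """Return the delegation type using the terminology from the thread."""
    tail = " to a signed zone" if child_signed else ""
    if not resp.parent_signed:
        # Nothing in the parent is signed, so the delegation can be neither
        # secure nor provably insecure: it is unsigned (the child, if signed,
        # is an island of security).
        return "unsigned delegation" + tail
    if resp.ds_present:
        # A signed DS RRset is the link in the chain of trust.
        return "secure delegation" if resp.ds_signed else "bogus: DS without RRSIG"
    # No DS: the parent must prove its absence with signed denial of existence.
    if resp.nsec_types and "NS" in resp.nsec_types and "DS" not in resp.nsec_types:
        return "insecure delegation" + tail      # NSEC proves "NS present, DS absent"
    if resp.nsec3_optout_covers:
        return "insecure delegation (NSEC3 Opt-Out)" + tail
    return "bogus: no proof that DS is absent"


# The example.com case from the message: .com (using NSEC, per footnote [0])
# is signed, example.com is signed, but no DS was ever published in .com.
EXAMPLE_COM = DSResponse(parent_signed=True, nsec_types={"NS", "RRSIG", "NSEC"})

if __name__ == "__main__":
    print(classify_delegation(EXAMPLE_COM, child_signed=True))
    # insecure delegation to a signed zone
```

The validator treats data under example.com as insecure even though the child zone is signed, because the parent's signed NSEC proves there is no DS to anchor the child's keys.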
