date:20120330

[DNSOP] I-D Action: draft-ietf-dnsop-rfc4641bis-10.txt

2012-03-30 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories. 
This draft is a work item of the Domain Name System Operations Working Group of 
the IETF.

Title   : DNSSEC Operational Practices, Version 2
Author(s)   : Olaf M. Kolkman
  W. (Matthijs) Mekking
Filename: draft-ietf-dnsop-rfc4641bis-10.txt
Pages   : 78
Date: 2012-03-30

   This document describes a set of practices for operating the DNS with
   security extensions (DNSSEC).  The target audience is zone
   administrators deploying DNSSEC.

   The document discusses operational aspects of using keys and
   signatures in the DNS.  It discusses issues of key generation, key
   storage, signature generation, key rollover, and related policies.

   This document obsoletes RFC 4641 as it covers more operational ground
   and gives more up-to-date requirements with respect to key sizes and
   the DNSSEC operations.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-rfc4641bis-10.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-dnsop-rfc4641bis-10.txt

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt

2012-03-30 Thread Ondřej Surý

Hi Joseph,

since I am not sure if you understood my point (I am not sure if I was able
to understand it myself :), I am summarizing it to the mailing list.

I like the direction of your work, but I miss a way how to put more stuff under
the named prefix.

I would like you to update RFC2317 together with your document, so the end
customers don't have two distinct trees in their DNS infrastructure.

F.e. if I have 1.0.m.82.129.in-addr.arpa prefix in the DNS and I have delegate
it to the customer, how do I put my PTRs in?  The block owner would still have
to delegate another dummy prefix with CNAMEs and you have to handle it in
separate zone.

BTW one more observation.  Since you don't have to do any zone cuts in the 
binary
part, why not merge them into just one label?  E.g. something like 
10.m.82.129.in-addr.arpa or 10001101.m.82.129.in-addr.arpa.

O.

On 20. 2. 2012, at 23:33, Joseph Gersch wrote:

 Hello Marco,
 
  Thanks for reading and commenting on our draft.  We have a couple of weeks 
 to make corrections to draft-00 before they get frozen for the IETF meeting.  
 We appreciate your pointing out the typos (we found the ipv6 one ourselves, 
 oops.) and the suggestions for clarification.
 
   This draft on CIDR naming is mainly focused on  proposing a simple, direct 
 way to name CIDR addresses and eliminates the need for CNAME indirection.  It 
 can be used for a number of purposes.
 
 Regarding the intro on pre-populating the reverse-DNS... you are correct, 
 this is a draft on CIDR naming, not on fixing that particular IPv6 issue.  We 
 will make that clarification in our next draft.  The ipv6 issue might be 
 able to be addressed with this approach, but more thought needs to be put in 
 to it before a complete solution could be proposed.  We were mentioning this 
 issue in order to give multiple examples of the reasons why CIDR naming is a 
 useful concept.
 
Again, thanks,
  - Joe Gersch and Dan Massey
 
 
 On Feb 20, 2012, at 6:41 AM, Marc Lampo wrote:
 
 Hello,
 
 (sorry – previously sent email was not finished …)
 
 Some “typographic” remarks :
 1) 5.2 IPv4 Address Block Naming → IPv6 Address Block Naming
 2) In 5.2 there are 2 examples that have missing “::”,
 (2607:fa88:8000:/33 → 2607:fa88:8000::/33 and
 2607:fa88:8000:/35 → 2607:fa88:8000::/35)
 in 5.3 there is 1 example with missing “::”.
 (2607:fa88:8000:/36 → 2607:fa88:8000::/36)
 
 About “content” :
 1) 3. Design Requirement → 2. Coverage Authority.
 “Any … with a data record or NXDOMAIN …”
 to be completed with : NODATA
 → “Any … with a data record or NODATA or NXDOMAIN …”
 
 2) In 5.2 IPv6 Address Block Naming
 Why not add some examples to show conversion from a reverse-DNS name back to 
 CIDR ?
 (just like in 5.1)
 
 Globally :
 1) It is implied by the content of the present draft,
 but should it be stated (in Design Requirements)
 that the proposal should be valid for both IPv4 and IPv6 addresses ?
 
 2) In the Introduction, where you correctly state that ISP’s pre-populate 
 reverse DNS,
 the problem is stated that the approach of pre-populating does not scale for 
 IPv6.
 However, by itself, this draft does not solve that problem, does it ?
 (needs programmatic support)
 (this example in the Introduction made me think/assume that this draft
 also applies to “simple” reverse mapping.  In which case I wondered how
 this draft does away with CNAME (a la RFC 2317).
 But then, after rereading it occurred to me that this draft is about 
 storing
 CIDR info in revdns.
 → isn’t it confusing to give, in the intro, an example that does not apply 
 to CIDR info ?
 (it got at least me confused, not that I’d want to be taken as a reference 
 ;-)
 
 Kind regards,
 
 Marc Lampo
 Security Officer
 EURid
 
 
 From: Joseph Gersch [mailto:joe.ger...@secure64.com]
 Sent: 17 February 2012 06:17 PM
 To: dnsop@ietf.org
 Subject: [DNSOP] Fwd: New Version Notification for 
 draft-gersch-dnsop-revdns-cidr-00.txt
 
 All,
 we have submitted a new draft that will be presented at the Paris IETF 
 meeting.
 Please take the time to send any comments and suggestions regarding this 
 idea on naming CIDR address blocks in the Reverse DNS.
 
 Best regards,
  - Joe Gersch and Dan Massey
 
 
 Begin forwarded message:
 
 
 From: internet-dra...@ietf.org
 Date: February 16, 2012 5:09:18 PM MST
 To: joe.ger...@secure64.com
 Cc: joe.ger...@secure64.com, mas...@cs.colostate.edu
 Subject: New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt
 
 A new version of I-D, draft-gersch-dnsop-revdns-cidr-00.txt has been 
 successfully submitted by Joe Gersch and posted to the IETF repository.
 
 Filename: draft-gersch-dnsop-revdns-cidr
 Revision: 00
 Title:Reverse DNS Naming Convention for CIDR Address Blocks
 Creation date:2012-02-14
 WG ID:Individual Submission
 Number of pages: 19
 
 Abstract:
 The current reverse DNS naming method is used to specify a complete
 IP address.  It has not been used to handle

Re: [DNSOP] New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt

2012-03-30 Thread Ray Bellis


On 30 Mar 2012, at 12:09, Ondřej Surý wrote:

 Hi Joseph,
 
 since I am not sure if you understood my point (I am not sure if I was able
 to understand it myself :), I am summarizing it to the mailing list.
 
 I like the direction of your work, but I miss a way how to put more stuff 
 under
 the named prefix.
 
 I would like you to update RFC2317 together with your document, so the end
 customers don't have two distinct trees in their DNS infrastructure.

+1

 F.e. if I have 1.0.m.82.129.in-addr.arpa prefix in the DNS and I have delegate
 it to the customer, how do I put my PTRs in?  The block owner would still have
 to delegate another dummy prefix with CNAMEs and you have to handle it in
 separate zone.
 
 BTW one more observation.  Since you don't have to do any zone cuts in the 
 binary
 part, why not merge them into just one label?  E.g. something like 
 10.m.82.129.in-addr.arpa or 10001101.m.82.129.in-addr.arpa.

With the current scheme it's possible to delegate longer prefixes, and this is 
a necessary feature.

The stuff Dan was saying about two alternate representations concerns me, 
though.  As written, by default:

  192.168.64/18 is 1.0.m.168.192

but

  192.168.64/24 is 64.168.192

which is not a sub-domain of the enclosing /18 representation.

This way lies dragons, I think...

Ray

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt

2012-03-30 Thread Frederico A C Neves

On Fri, Mar 30, 2012 at 10:19:43AM +, Ray Bellis wrote:
 
 On 30 Mar 2012, at 12:09, Ond??ej Surý wrote:
 
  Hi Joseph,
  
  since I am not sure if you understood my point (I am not sure if I was able
  to understand it myself :), I am summarizing it to the mailing list.
  
  I like the direction of your work, but I miss a way how to put more stuff 
  under
  the named prefix.
  
  I would like you to update RFC2317 together with your document, so the end
  customers don't have two distinct trees in their DNS infrastructure.
 
 +1

I'm not quite sure 2317 can be used for shorter prefixes but it's
actually only seen in the wild for /25 onwards. The proposed idea
works for any prefix outside the 8 or 4 bit boundary depending on what
family we are talking.

  F.e. if I have 1.0.m.82.129.in-addr.arpa prefix in the DNS and I have 
  delegate
  it to the customer, how do I put my PTRs in?  The block owner would still 
  have
  to delegate another dummy prefix with CNAMEs and you have to handle it in
  separate zone.
  
  BTW one more observation.  Since you don't have to do any zone cuts in the 
  binary
  part, why not merge them into just one label?  E.g. something like 
  10.m.82.129.in-addr.arpa or 10001101.m.82.129.in-addr.arpa.
 
 With the current scheme it's possible to delegate longer prefixes, and this 
 is a necessary feature.
 
 The stuff Dan was saying about two alternate representations concerns me, 
 though.  As written, by default:
 
   192.168.64/18 is 1.0.m.168.192
 
 but
 
   192.168.64/24 is 64.168.192
 
 which is not a sub-domain of the enclosing /18 representation.
 
 This way lies dragons, I think...

If your parent have't made their mind I agree with you, but this is
very unlekely.

 Ray

Fred
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt

2012-03-30 Thread paul vixie

On 3/30/2012 10:19 AM, Ray Bellis wrote:
 With the current scheme it's possible to delegate longer prefixes, and this 
 is a necessary feature.

 The stuff Dan was saying about two alternate representations concerns me, 
 though.  As written, by default:

   192.168.64/18 is 1.0.m.168.192

 but

   192.168.64/24 is 64.168.192

 which is not a sub-domain of the enclosing /18 representation.

 This way lies dragons, I think...

+1.

thus my earlier observation: RFC 1101 supports classless networks even
though it didn't mean to. RFC 2317 is entirely compatible with RFC 1101
(there's only one delegation tree covering both.)

if there's a need for a new netblock-specific DNS schema like the one in
the gersch draft, then i recommend learning from what we did in RPZ,
where the prefix size is _always_ given as are all octets of the
mantissa except the :: longest-zero string which is given as .zz..
more information about RPZ can be had from:

https://deepthought.isc.org/article/AA-00525/0/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html

and specifically from:

https://deepthought.isc.org/article/AA-00512/0

which has the actual spec, in .txt and .pdf format.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] I-D Action: draft-ietf-dnsop-rfc4641bis-10.txt

Re: [DNSOP] New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt

Re: [DNSOP] New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt

Re: [DNSOP] New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt

Re: [DNSOP] New Version Notification for draft-gersch-dnsop-revdns-cidr-00.txt

5 matches

Site Navigation

Mail list logo

Footer information