Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-03-11 Thread Warren Kumari
On Tue, Mar 5, 2019 at 1:34 AM Warren Kumari  wrote:

>
>
> On Mon, Mar 4, 2019 at 11:05 AM Paul Wouters  wrote:
>
>> On Mon, 4 Mar 2019, Warren Kumari wrote:
>>
>> > So, my plan is to 1: ask the authors to please swap the Y to an N as
>> below and 2: progress the document with the hope that this
>> > section will survive the publication process.
>>
>> But I do not hope that.
>>
>> > The March telechats are often really full - ADs who are leaving the
>> IESG try and get old / stuck work finished and off their
>> > plate - and so this would likely only show up on the 2019-04-11
>> telechat -- so if anyone really objects to this being (attempted
>> > to be) left in, please shout.
>>
>> I think it should not be in the document. For one, it will be quickly
>> outdated information over the years as implementations release new
>> versions. Second, it will lead to people putting these sections in for
>> marketing. I think RFCs should avoid naming products whenever possible.
>>
>> I'm happy to do a new rev that includes an improved "remove me" note to
>> IANA and the pdns update.
>>
>>
> That works for me too...
>

I was hoping to see this update before the draft cutoff; as that didn't
happen, I've decided to start the ballot, and have added a note to explain
that this is intended to be removed -- please remember to add the "Please
remove" whenever you address the IESG comments (of which I'm sure there
will be some)

W



> W
>
>
>
>> Paul
>>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
>---maf
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-03-04 Thread Paul Wouters
Ah yes. "imminent" was a reminder of their commitment to volunteer to give
feedback :)

If we do another rev as a result of this call, I'll remove it. Otherwise,
I'll leave a note with the RFC Editor to do so.

Paul

On Mon, Mar 4, 2019 at 7:40 PM Michael Sinatra 
wrote:

> Section 8 - Acknowledgements:
>
> "We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur
> Gudmundsson, Paul Hoffman and Evan Hunt for their imminent feedback."
>
> Paraphrasing one of my colleagues, is the part about "imminent feedback"
> a prediction, or a hint that we are supposed to give more feedback? :-)
>
> My most imminent feedback--right now--is that I think the language in
> Section 3 has come together really nicely and does a good job of
> informing operators of the trade-offs of using the different algorithms,
> and it provides good recommendations.  I certainly support advancing it.
>
> michael
>
> On 2/13/19 11:29 AM, The IESG wrote:
> >
> > The IESG has received a request from the Domain Name System Operations WG
> > (dnsop) to consider the following document: - 'Algorithm Implementation
> > Requirements and Usage Guidance for DNSSEC'
> >as Proposed Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> final
> > comments on this action. Please send substantive comments to the
> > i...@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may
> be
> > sent to i...@ietf.org instead. In either case, please retain the
> beginning of
> > the Subject line to allow automated sorting.
> >
> > Abstract
> >
> >
> >The DNSSEC protocol makes use of various cryptographic algorithms in
> >order to provide authentication of DNS data and proof of non-
> >existence.  To ensure interoperability between DNS resolvers and DNS
> >authoritative servers, it is necessary to specify a set of algorithm
> >implementation requirements and usage guidelines to ensure that there
> >is at least one algorithm that all implementations support.  This
> >document defines the current algorithm implementation requirements
> >and usage guidance for DNSSEC.  This document obsoletes [RFC6944].
> >
> >
> >
> >
> > The file can be obtained via
> > https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/
> >
> > IESG discussion can be tracked via
> >
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ballot/
> >
> >
> > No IPR declarations have been submitted directly on this I-D.
> >
> >
> >
> >
> > ___
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
>


Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-03-04 Thread Michael Sinatra
Section 8 - Acknowledgements:

"We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur
Gudmundsson, Paul Hoffman and Evan Hunt for their imminent feedback."

Paraphrasing one of my colleagues, is the part about "imminent feedback"
a prediction, or a hint that we are supposed to give more feedback? :-)

My most imminent feedback--right now--is that I think the language in
Section 3 has come together really nicely and does a good job of
informing operators of the trade-offs of using the different algorithms,
and it provides good recommendations.  I certainly support advancing it.

michael

On 2/13/19 11:29 AM, The IESG wrote:
> 
> The IESG has received a request from the Domain Name System Operations WG
> (dnsop) to consider the following document: - 'Algorithm Implementation
> Requirements and Usage Guidance for DNSSEC'
>as Proposed Standard
> 
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> i...@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may be
> sent to i...@ietf.org instead. In either case, please retain the beginning of
> the Subject line to allow automated sorting.
> 
> Abstract
> 
> 
>The DNSSEC protocol makes use of various cryptographic algorithms in
>order to provide authentication of DNS data and proof of non-
>existence.  To ensure interoperability between DNS resolvers and DNS
>authoritative servers, it is necessary to specify a set of algorithm
>implementation requirements and usage guidelines to ensure that there
>is at least one algorithm that all implementations support.  This
>document defines the current algorithm implementation requirements
>and usage guidance for DNSSEC.  This document obsoletes [RFC6944].
> 
> 
> 
> 
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/
> 
> IESG discussion can be tracked via
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ballot/
> 
> 
> No IPR declarations have been submitted directly on this I-D.
> 
> 
> 
> 
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 



Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-03-04 Thread Warren Kumari
On Mon, Mar 4, 2019 at 11:05 AM Paul Wouters  wrote:

> On Mon, 4 Mar 2019, Warren Kumari wrote:
>
> > So, my plan is to 1: ask the authors to please swap the Y to an N as
> below and 2: progress the document with the hope that this
> > section will survive the publication process.
>
> But I do not hope that.
>
> > The March telechats are often really full - ADs who are leaving the IESG
> try and get old / stuck work finished and off their
> > plate - and so this would likely only show up on the 2019-04-11 telechat
> -- so if anyone really objects to this being (attempted
> > to be) left in, please shout.
>
> I think it should not be in the document. For one, it will be quickly
> outdated information over the years as implementations release new
> versions. Second, it will lead to people putting these sections in for
> marketing. I think RFCs should avoid naming products whenever possible.
>
> I'm happy to do a new rev that includes an improved "remove me" note to
> IANA and the pdns update.
>
>
That works for me too...
W



> Paul
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf


Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-03-04 Thread Paul Wouters

On Mon, 4 Mar 2019, Warren Kumari wrote:

> So, my plan is to 1: ask the authors to please swap the Y to an N as below
> and 2: progress the document with the hope that this section will survive
> the publication process.

But I do not hope that.

> The March telechats are often really full - ADs who are leaving the IESG
> try and get old / stuck work finished and off their plate - and so this
> would likely only show up on the 2019-04-11 telechat -- so if anyone really
> objects to this being (attempted to be) left in, please shout.


I think it should not be in the document. For one, it will be quickly
outdated information over the years as implementations release new
versions. Second, it will lead to people putting these sections in for
marketing. I think RFCs should avoid naming products whenever possible.

I'm happy to do a new rev that includes an improved "remove me" note to
IANA and the pdns update.

Paul



Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-03-04 Thread Peter van Dijk

Hi Warren,

On 4 Mar 2019, at 16:23, Warren Kumari wrote:

> On Thu, Feb 28, 2019 at 10:13 AM Peter van Dijk wrote:
>
>> As this pertains to a section that will apparently be removed for
>> publication, only posting it here on dnsop@ for historical reasons:
>
> So, RFC7942 (the one about "The Implementation Status" section) says that
> this section should contain a note asking for it to be removed (and even
> includes boilerplate to copy and paste) -- this document instead says "The
> following table contains the status of support in the open-source DNS
> signers and validators in the current released versions as of the time
> writing this document." which implies it will be left in the document. I
> personally think that this is good / helpful, but am not sure how the rest
> of the IESG will feel about this...

I always found the removal a very unhelpful idea. A different draft
comes to mind where the implementation section mentioned the ways in
which almost every implementation, consistently, deviated from the
draft, which would be very useful information to future implementors!

I indeed also noticed that this draft lacked that note, but Paul Wouters
replied this via Twitter:

letoams: @oerdnj @Habbie ohh. well that whole section will be cut anyway
before RFC :) If we do another rev based on IETF LC, I will update it

> As of 28-Feb-2019 14:02 I see pdns-4.2.0-beta1 available for download, so I
> think that doing what Peter requests is fine.
>
> So, my plan is to 1: ask the authors to please swap the Y to an N as below
> and 2: progress the document with the hope that this section will survive
> the publication process.
>
> The March telechats are often really full - ADs who are leaving the IESG
> try and get old / stuck work finished and off their plate - and so this
> would likely only show up on the 2019-04-11 telechat -- so if anyone really
> objects to this being (attempted to be) left in, please shout.


If it turns out the section is going to be removed before publication, 
then of course, don’t bother with the change. If the section will 
survive, and it is felt that this small change will hold up publication, 
then please also do not bother.


Otherwise, if it turns out we can easily get this change in, please do.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/



Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-03-04 Thread Warren Kumari
On Thu, Feb 28, 2019 at 10:13 AM Peter van Dijk 
wrote:

> On 13 Feb 2019, at 20:29, The IESG wrote:
>
> > The IESG has received a request from the Domain Name System Operations
> > WG
> > (dnsop) to consider the following document: - 'Algorithm
> > Implementation
> > Requirements and Usage Guidance for DNSSEC'
> >as Proposed Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> > final
> > comments on this action. Please send substantive comments to the
> > i...@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may
> > be
> > sent to i...@ietf.org instead. In either case, please retain the
> > beginning of
> > the Subject line to allow automated sorting.
>
> As this pertains to a section that will apparently be removed for
> publication, only posting it here on dnsop@ for historical reasons:
>
>
So, RFC7942 (the one about "The Implementation Status" section) says that
this section should contain a note asking for it to be removed (and even
includes boilerplate to copy and paste) -- this document instead says "The
following table contains the status of support in the open-source DNS
signers and validators in the current released versions as of the time
writing this document." which implies it will be left in the document. I
personally think that this is good / helpful, but am not sure how the rest
of the IESG will feel about this...

As of 28-Feb-2019 14:02 I see pdns-4.2.0-beta1 available for download, so I
think that doing what Peter requests is fine.

So, my plan is to 1: ask the authors to please swap the Y to an N as below
and 2: progress the document with the hope that this section will survive
the publication process.

The March telechats are often really full - ADs who are leaving the IESG
try and get old / stuck work finished and off their plate - and so this
would likely only show up on the 2019-04-11 telechat -- so if anyone really
objects to this being (attempted to be) left in, please shout.

W



> PowerDNS has removed all GOST support as of version 4.2, which is due to
> be released any day now, so please change that cell in section 6.1 to N.
>
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf


Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-02-28 Thread Peter van Dijk

On 13 Feb 2019, at 20:29, The IESG wrote:

> The IESG has received a request from the Domain Name System Operations WG
> (dnsop) to consider the following document: - 'Algorithm Implementation
> Requirements and Usage Guidance for DNSSEC'
>    as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> i...@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may be
> sent to i...@ietf.org instead. In either case, please retain the beginning of
> the Subject line to allow automated sorting.


As this pertains to a section that will apparently be removed for 
publication, only posting it here on dnsop@ for historical reasons:


PowerDNS has removed all GOST support as of version 4.2, which is due to 
be released any day now, so please change that cell in section 6.1 to N.


Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/



Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-02-18 Thread Mats Dufberg
If this draft is approved, the new RFC will obsolete RFC 6944. RFC 6944, in 
turn, updates eight other RFCs. As I interpret it, the new RFC will inherit 
that role. I think that should be explicitly stated in the new RFC.


Yours,
Mats

---
Mats Dufberg
DNS Specialist, IIS
Mobile: +46 73 065 3899
https://www.iis.se/en/
 

-Original Message-
From: DNSOP  on behalf of The IESG 

Reply-To: "i...@ietf.org" 
Date: Wednesday, 13 February 2019 at 20:30
To: IETF-Announce 
Cc: Tim Wicinski , 
"draft-ietf-dnsop-algorithm-upd...@ietf.org" 
, "dnsop@ietf.org" 
, "dnsop-cha...@ietf.org" 
Subject: [DNSOP] Last Call:  
(Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to 
Proposed Standard


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document: - 'Algorithm Implementation
Requirements and Usage Guidance for DNSSEC'
   as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
i...@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may be
sent to i...@ietf.org instead. In either case, please retain the beginning 
of
the Subject line to allow automated sorting.

Abstract


   The DNSSEC protocol makes use of various cryptographic algorithms in
   order to provide authentication of DNS data and proof of non-
   existence.  To ensure interoperability between DNS resolvers and DNS
   authoritative servers, it is necessary to specify a set of algorithm
   implementation requirements and usage guidelines to ensure that there
   is at least one algorithm that all implementations support.  This
   document defines the current algorithm implementation requirements
   and usage guidance for DNSSEC.  This document obsoletes [RFC6944].




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ballot/


No IPR declarations have been submitted directly on this I-D.






Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-02-17 Thread Paul Wouters

On Fri, 15 Feb 2019, Mats Dufberg wrote:

> The table in section 3.3 ("DS and CDS Algorithms") of the draft states that
> SHA-1 is "MUST NOT" for "DNSSEC Delegation" but in the narrative text under
> the table it states "SHA-1 [...] is NOT RECOMMENDED for use in generating
> new DS and CDS records."
>
> The two statements should be consistent in the final RFC.


Done, thanks for spotting that.

https://tools.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-06.txt

SHA-1 is still in wide use for DS records, so validators MUST
-   implement validation, but it is NOT RECOMMENDED for use in generating
-   new DS and CDS records.  (See Operational Considerations for caveats
-   when upgrading from SHA-1 to SHA-256 DS Algorithm.)
+   implement validation, but it MUST NOT be used to generate new DS and
+   CDS records.  (See Operational Considerations for caveats when
+   upgrading from SHA-1 to SHA-256 DS Algorithm.)
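
Review bot: The revised sentence now binds two different parties in one clause chain, "validators MUST implement validation, but it MUST NOT be used to generate new DS and CDS records", and a reader skimming for keywords can misread the MUST NOT as applying to validators. Consider splitting it into one sentence for the validator requirement and one for the party generating DS and CDS records. The parenthetical would also be easier to follow with a section number next to "Operational Considerations", and "SHA-256 DS Algorithm" reads more naturally as "SHA-256 DS algorithm".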

Paul
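
The distinction settled in this message (SHA-1 DS records must still validate, but new DS and CDS records must not use SHA-1) can be shown in code. This is an added example, not code from the draft or from anyone on the thread: it builds DS digests from a DNSKEY as RFC 4034 describes and flags a delegation whose only matching DS is SHA-1. The owner name, key bytes and function names are constructed for the illustration.

```python
import hashlib
import struct

# DS digest type numbers from the IANA registry. Policy from the text above:
# SHA-1 must still be validated but MUST NOT be used for new DS/CDS records.
DIGEST_TYPES = {1: "sha1", 2: "sha256"}
GENERATE_ALLOWED = {2}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, then the key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def compute_ds(owner, rdata, digest_type):
    """DS tuple (key tag, algorithm, digest type, hex digest) for validation."""
    digest = hashlib.new(DIGEST_TYPES[digest_type], name_to_wire(owner) + rdata)
    return (key_tag(rdata), rdata[3], digest_type, digest.hexdigest().upper())


def make_ds(owner, rdata, digest_type):
    """Generate a new DS; refuses digest types not allowed for new records."""
    if digest_type not in GENERATE_ALLOWED:
        raise ValueError(f"digest type {digest_type} MUST NOT be used for new DS/CDS")
    return compute_ds(owner, rdata, digest_type)


def audit_delegation(owner, rdata, ds_set):
    """Check each DS against the DNSKEY and report SHA-1-only delegations."""
    results, matched = [], set()
    for tag, alg, dtype, digest in ds_set:
        if dtype not in DIGEST_TYPES:
            results.append((dtype, "unsupported digest type"))
            continue
        expected = compute_ds(owner, rdata, dtype)
        ok = (tag, alg, digest.upper()) == (expected[0], expected[1], expected[3])
        results.append((dtype, "match" if ok else "mismatch"))
        if ok:
            matched.add(dtype)
    # sha1_only: the chain still validates, but the parent needs a SHA-256 DS.
    return {"results": results, "valid": bool(matched), "sha1_only": matched == {1}}


# Constructed sample data: not a real zone or key.
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
LEGACY_DS = compute_ds(OWNER, KSK, 1)  # an existing SHA-1 DS, validated only
NEW_DS = make_ds(OWNER, KSK, 2)        # what should be published going forward

if __name__ == "__main__":
    print(audit_delegation(OWNER, KSK, [LEGACY_DS]))
    print(audit_delegation(OWNER, KSK, [LEGACY_DS, NEW_DS]))
```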



Re: [DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-02-17 Thread Mats Dufberg
The table in section 3.3 ("DS and CDS Algorithms") of the draft states that 
SHA-1 is "MUST NOT" for "DNSSEC Delegation" but in the narrative text under the 
table it states "SHA-1 [...] is NOT RECOMMENDED for use in generating new DS 
and CDS records."

The two statements should be consistent in the final RFC.


Yours,
Mats

---
Mats Dufberg
DNS Specialist, IIS
Mobile: +46 73 065 3899
https://www.iis.se/en/
 

-Original Message-
From: DNSOP  on behalf of The IESG 

Reply-To: "i...@ietf.org" 
Date: Wednesday, 13 February 2019 at 20:30
To: IETF-Announce 
Cc: Tim Wicinski , 
"draft-ietf-dnsop-algorithm-upd...@ietf.org" 
, "dnsop@ietf.org" 
, "dnsop-cha...@ietf.org" 
Subject: [DNSOP] Last Call:  
(Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to 
Proposed Standard


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document: - 'Algorithm Implementation
Requirements and Usage Guidance for DNSSEC'
   as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
i...@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may be
sent to i...@ietf.org instead. In either case, please retain the beginning 
of
the Subject line to allow automated sorting.

Abstract


   The DNSSEC protocol makes use of various cryptographic algorithms in
   order to provide authentication of DNS data and proof of non-
   existence.  To ensure interoperability between DNS resolvers and DNS
   authoritative servers, it is necessary to specify a set of algorithm
   implementation requirements and usage guidelines to ensure that there
   is at least one algorithm that all implementations support.  This
   document defines the current algorithm implementation requirements
   and usage guidance for DNSSEC.  This document obsoletes [RFC6944].




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ballot/


No IPR declarations have been submitted directly on this I-D.






[DNSOP] Last Call: (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard

2019-02-13 Thread The IESG


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document: - 'Algorithm Implementation
Requirements and Usage Guidance for DNSSEC'
   as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
i...@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may be
sent to i...@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


   The DNSSEC protocol makes use of various cryptographic algorithms in
   order to provide authentication of DNS data and proof of non-
   existence.  To ensure interoperability between DNS resolvers and DNS
   authoritative servers, it is necessary to specify a set of algorithm
   implementation requirements and usage guidelines to ensure that there
   is at least one algorithm that all implementations support.  This
   document defines the current algorithm implementation requirements
   and usage guidance for DNSSEC.  This document obsoletes [RFC6944].




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ballot/


No IPR declarations have been submitted directly on this I-D.



