Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-07-06 Thread Tim Wicinski
to mark draft-ietf-dnsop-dnssec-validator-requirements as "Parked" for the time being. Please note this does not mean the work is of no value. Anyone interested is welcome to continue working on the subject, and we’re happy to un-park the draft at some later date if there’s acti

Re: [DNSOP] Review of draft-ietf-dnsop-dnssec-validator-requirements-06

2023-07-03 Thread Peter Thomassen
On 6/30/23 22:15, Paul Wouters wrote: Section 13: [...] an attacker being able to provide a rogue trust anchor is potentially This is not a very realistic attack. The same section says: On the other hand, mishandling Trust Anchor is likely resulting in a validator unable to

[DNSOP] Review of draft-ietf-dnsop-dnssec-validator-requirements-06

2023-07-03 Thread Paul Wouters
Abstract (and Section 2): Please remove the acronym DRO and just use "operator". Section 3 (Introduction): The first two paragraphs of the Introduction can be removed. Section 4 (Time Recommendations) This section repeats a lot and could be cut. But a real issue I have is with

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-28 Thread Daniel Migault
ons and publish a new version very soon. As > always, comments are welcome. > > > https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-ietf-dnsop-dnssec-validator-requirements.mkd > > Yours, > Daniel > > On Thu, Jun 15, 2023 at 8:00 PM

[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-06.txt

2023-06-28 Thread internet-drafts
Edward Lewis Dan York Filename: draft-ietf-dnsop-dnssec-validator-requirements-06.txt Pages : 18 Date: 2023-06-28 Abstract: The DNS Security Extensions (DNSSEC) defines a process for validating received data and assert them

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-22 Thread Daniel Migault
Hi, I have just drafted a secure transport and a security considerations section, that I believe provide sufficient guidance to a DRO. I expect to further review these sections and publish a new version very soon. As always, comments are welcome. https://github.com/mglt/draft-mglt-dnsop-dnssec

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-15 Thread Daniel Migault
Hi Christina, Thanks for the review and the suggestions. Please see my comments inline. Yours, Daniel On Wed, Jun 14, 2023 at 11:56 AM Christian Huitema wrote: > I know that the feedback was due last Sunday, but here comes mine > anyhow, after looking at the latest iteration of the draft. > >

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-15 Thread Daniel Migault
Hi Florian, Thanks for the feedback. One motivation for this document was to provide guidance to deploy a DNSSEC resolver and implicitly encourage those not doing it already. I think that your comment was very helpful as it clearly indicated that we were achieving the opposite of what we were

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-15 Thread Daniel Migault
Hi Andrew, Thanks for the comment, the current document is much shorter than the initial document. Regarding grammar, and linguistic issues - I am adding explanations hard to follow - have been removed and largely rewritten from scratch. I believe the current version addresses your concerns.

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-06-15 Thread Daniel Migault
Hi Peter, Thanks for the feedback. I agree that the idea of shortening the TTL based on all TTLs of the chains may be too intrusive and not respect the willingness of the authoritative server - which also needs to be taken into account. One other reason we removed such recommendation was also

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-15 Thread Peter Thomassen
On 6/15/23 15:32, Viktor Dukhovni wrote: I agree that client-side validation would be ideal. One important aspect here is to save on the latency caused by extra queries; my impression is that this extra cost is generally considered prohibitive. Not sure what you mean by "generally" (is that

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-15 Thread Viktor Dukhovni
On Wed, Jun 14, 2023 at 12:09:23PM -0400, Peter Thomassen wrote: > > But the focus changes. For example, if we consider that "spoofing by > > recursive server" is a threat, then having the recursive set bits to > > affirm that the response is verified is not much of a protection -- > > the

Re: [DNSOP] [EXT] Re: Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-15 Thread Jacques Latour
: [EXT] Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements I know that the feedback was due last Sunday, but here comes mine anyhow, after looking at the latest iteration of the draft. The draft makes a number of recommendations, which seem all reasonable, but what struck

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-14 Thread Peter Thomassen
Hi Christian, On 6/14/23 11:55, Christian Huitema wrote: In the old model, we are very concerned about third parties spoofing responses and polluting resolver caches. In a secure transport model, the only parties that can spoof responses are the resolvers themselves: authoritative resolvers

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-14 Thread Christian Huitema
I know that the feedback was due last Sunday, but here comes mine anyhow, after looking at the latest iteration of the draft. The draft makes a number of recommendations, which seem all reasonable, but what struck me was the weak tie between these recommendations and the security

[DNSOP] Fwd: I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-05.txt

2023-06-10 Thread Daniel Migault
-- Forwarded message - From: Date: Sat, Jun 10, 2023 at 10:06 AM Subject: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-05.txt To: Cc: A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Domain Name

[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-05.txt

2023-06-10 Thread internet-drafts
Edward Lewis Dan York Filename: draft-ietf-dnsop-dnssec-validator-requirements-05.txt Pages : 14 Date: 2023-06-10 Abstract: The DNS Security Extensions (DNSSEC) defines a process for validating received data and assert them

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-07 Thread Florian Obser
On 2023-06-07 13:08 -04, Tim Wicinski wrote: > Just a reminder we're looking for any feedback on continuing work on this > document. The Chairs/OverLord Warren feel significant work on this > document is needed, but that may not be relevant. The document seems to have a rather pessimistic view

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-07 Thread Tim Wicinski
Just a reminder we're looking for any feedback on continuing work on this document. The Chairs/OverLord Warren feel significant work on this document is needed, but that may not be relevant. We're wrapping this feedback up this Sunday 11 June. (and Thanks Andrew for your comments) tim On

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-06-05 Thread Andrew McConachie
As this document’s shepherd, FWIW I think that if the document does proceed in the WG it needs significant love and attention. The document in its current state is not well written and it would require significant labor to resolve its numerous grammar and linguistic issues. It’s also very long

[DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

2023-05-29 Thread Tim Wicinski
All, The chairs want to thank everyone for the feedback on this document recently. We've been in discussions with Warren and the authors about this document, and we have some questions we'd like the working group to help us resolve. While this work was relevant when it was first written and

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-05-19 Thread Peter Thomassen
Hi Daniel, On 5/18/23 02:26, Daniel Migault wrote: On 5/17/23 22:01, Daniel Migault wrote: > I agree but as far as can see the cap of the TTL with a revalidation will only resync the resolver and the zone more often than could be expected otherwise but does not result in the cached

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-05-17 Thread Daniel Migault
Hi Peter, Thanks for the response. I think I need to understand better how revalidation is performed. Yours, Daniel On Wed, May 17, 2023 at 4:26 PM Peter Thomassen wrote: > Hi Daniel, > > On 5/17/23 22:01, Daniel Migault wrote: > > I agree but as far as can see the cap of the TTL with a

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-05-17 Thread Daniel Migault
Hi Peter, Thank you very much for these comments. I will look carefully how to implement carefully these comments in our new version. Yours, Daniel On Tue, May 16, 2023 at 1:08 PM Peter Thomassen wrote: > > > On 5/12/23 23:09, Viktor Dukhovni wrote: > > Repost of my belated comments in the

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-05-17 Thread Peter Thomassen
Hi Daniel, On 5/17/23 22:01, Daniel Migault wrote: I agree but as far as can see the cap of the TTL with a revalidation will not only resync the resolver and the zone more often than could be expected otherwise but does not result in the cached RRsets differing from those provided by the

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-05-17 Thread Daniel Migault
-ietf-dnsop-dnssec-validator-requirements > > > > Current versions of the draft is available here: > > > https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/ > > > > The Current Intended Status of this document is: Informational > >

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-05-16 Thread Peter Thomassen
On 5/12/23 23:09, Viktor Dukhovni wrote: Repost of my belated comments in the thread, apologies about not doing it right the first time... Inspired by Viktor's comments, I spent some time to give the document a thorough review. I'd like to support Viktor's comments on the dependent RRset

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-05-12 Thread Viktor Dukhovni
On Wed, Oct 19, 2022 at 03:21:27PM -0400, Tim Wicinski wrote: > This starts a Working Group Last Call for > draft-ietf-dnsop-dnssec-validator-requirements > > Current versions of the draft is available here: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validat

[DNSOP] Comments on draft-ietf-dnsop-dnssec-validator-requirements-04

2023-05-11 Thread Viktor Dukhovni
> Recommendations for DNSSEC Resolvers Operators >draft-ietf-dnsop-dnssec-validator-requirements-04 Before I dive into some paragraph-by-paragraph details, and bury the lede, my main high-level issue is with sections 9, primarily on substance, but also for IMHO n

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-01-30 Thread Livingood, Jason
Since it is in WGLC – are you able to close out the issues in Github? (https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/issues) Jason From: DNSOP on behalf of Tim Wicinski Date: Tuesday, January 24, 2023 at 21:55 To: Daniel Migault Cc: Florian Obser , dnsop Subject

[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-04.txt

2023-01-25 Thread internet-drafts
Edward Lewis Dan York Filename: draft-ietf-dnsop-dnssec-validator-requirements-04.txt Pages : 26 Date: 2023-01-25 Abstract: The DNS Security Extensions (DNSSEC) define a process for validating received data and assert them

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-01-24 Thread Tim Wicinski
d initially, which is to >>>> leave that to DRO with DNSSEC strong expertise and recommend to >>>> only stay with software updates. If there are any strong feelings on just >>>> relying on software updates and leaving 5011 to DNSSEC experts, I am also >>

[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-03.txt

2023-01-24 Thread internet-drafts
Dan York Filename: draft-ietf-dnsop-dnssec-validator-requirements-03.txt Pages : 26 Date: 2023-01-24 Abstract: The DNS Security Extensions (DNSSEC) define a process for validating received data and assert them authentic and complete as opposed

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-01-24 Thread Daniel Migault
nd to >>>> only stay with software updates. If there are any strong feelings on just >>>> relying on software updates and leaving 5011 to DNSSEC experts, I am also >>>> fine to push toward such a direction. >>>> >>>> I updated the text as

[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-02.txt

2023-01-24 Thread internet-drafts
Dan York Filename: draft-ietf-dnsop-dnssec-validator-requirements-02.txt Pages : 26 Date: 2023-01-24 Abstract: The DNS Security Extensions (DNSSEC) define a process for validating received data and assert them authentic and complete as opposed

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-01-24 Thread Tim Wicinski
tes and leaving 5011 to DNSSEC experts, I am also >>> fine to push toward such a direction. >>> >>> I updated the text as follows: >>> * clarifying TA updates for configuration versus running instances >>> * clarifying 5011 dot not apply for updating con

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-01-24 Thread Daniel Migault
follows: >> * clarifying TA updates for configuration versus running instances >> * clarifying 5011 dot not apply for updating configuration - at least as >> a primary mechanism >> * emphasize that the non default model is only recommended for DRO with >> DNSSEC expert

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-01-13 Thread Daniel Migault
r DRO with > DNSSEC expertise > * adding that TA update for running resolver may be performed also by > software update under the condition the DRO is likely to ensure a very > recent release is run. > * add a recommendation that when 5011 is used, the signer needs to > implement

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2023-01-03 Thread Daniel Migault
that when 5011 is used, the signer needs to implement 5011 timings. The changes can be seen there: https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/dbb75b72a1806520ac77cf04424b0f6de0df29b5 Yours, Daniel On Sun, Nov 27, 2022 at 7:26 AM Florian Obser wrote: > On 2022-11

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-12-21 Thread Vladimír Čunát
On 15/12/2022 23.36, Daniel Migault wrote: I don't see the part about extended errors as problematic (RFC 8914).  It really seems to be getting into (open-source) implementations and it can help with debugging in some cases, though deploying it is probably not very important

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-12-15 Thread Daniel Migault
Hi Peter and Vladimir, The disconnect between the requirements and the recommendations effectively reflects the misconception we had in the beginning. We have always wanted to provide guidelines to DRO and started listing some requirements for the software. However, the operators generally are

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-12-15 Thread Daniel Migault
On Mon, Nov 28, 2022 at 6:29 AM Vladimír Čunát wrote: > On 25/11/2022 18.26, Daniel Migault wrote: > > So let me know how we came to this lines and I suspect we do share some > similar concerns. A recurrent question and reticence we receive from MNO > and ISPs regarding DNSSEC is that they are

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-12-15 Thread Peter Thomassen
On 12/15/22 15:01, Vladimír Čunát wrote: On 15/12/2022 14.45, Peter Thomassen wrote: In what sense is this document "informational" when it is called "validator requirements", or, conversely, in what sense does it spell out "requirements" when it is only "informational" and not "standards

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-12-15 Thread Vladimír Čunát
On 15/12/2022 14.45, Peter Thomassen wrote: In what sense is this document "informational" when it is called "validator requirements", or, conversely, in what sense does it spell out "requirements" when it is only "informational" and not "standards track"? The current *title* says

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-12-15 Thread Peter Thomassen
10/19/22 21:21, Tim Wicinski wrote: This starts a Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements Current versions of the draft is available here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/ <https://datatracker.ietf.org/doc/draft-ie

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-11-28 Thread Vladimír Čunát
On 25/11/2022 18.26, Daniel Migault wrote: So let me know how we came to this lines and I suspect we do share some similar concerns. A recurrent question and reticence we receive from MNO and ISPs regarding DNSSEC is that they are really scared about having the cache with incoherent RRsets in

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-11-27 Thread Florian Obser
On 2022-11-25 12:26 -05, Daniel Migault wrote: > On Wed, Nov 23, 2022 at 10:29 AM Vladimír Čunát > wrote: >> I am surprised you would not recommend RFC 5011 >> >> 5011 needs persistent state, a thing that resolvers/validators often don't >> need at all otherwise (cache is safe to delete). 5011

Re: [DNSOP] Dnsdir early review of draft-ietf-dnsop-dnssec-validator-requirements-01

2022-11-25 Thread Daniel Migault
Hi James, Thanks for the review. Please see inline my responses as well as the changes below: https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/074ff71844b076b6e83ba8e0134a224b5f5617f9 Yours, Daniel On Thu, Nov 24, 2022 at 2:07 AM James Gannon via Datatracker < n

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-11-25 Thread Daniel Migault
On Wed, Nov 23, 2022 at 10:29 AM Vladimír Čunát wrote: > OK, thanks. The changes are certainly improvements, in my eyes. Below > I'll further clarify what I meant. > > 4033 indicates it does not make much sense to keep a RRSIG whose validity > period has expired ( TTL > Validity period). > >

[DNSOP] Dnsdir early review of draft-ietf-dnsop-dnssec-validator-requirements-01

2022-11-23 Thread James Gannon via Datatracker
Reviewer: James Gannon Review result: On the Right Track Reviewer: James Gannon Review Result: On the right track As this is an early review (And also my first IETF review so please feel free to offer feedback on its usefulness!) it's a mix of general comments and some more detailed comments on

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-11-23 Thread Vladimír Čunát
OK, thanks.  The changes are certainly improvements, in my eyes.  Below I'll further clarify what I meant. 4033 indicates it does not make much sense to keep a RRSIG whose validity period has expired ( TTL > Validity period). Yes, I should stress that I do agree with trimming TTL of whole

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-11-22 Thread Daniel Migault
Hi Vladimir, Thanks for the feedback and see inline my comments. You can also find the changes made on the PR below: https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/8238c76899bc5a40b1c5234b623ea44fd3f31c77 Yours, Daniel On Wed, Nov 16, 2022 at 3:51 PM Vladimír

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-11-21 Thread Daniel Migault
-validator-requirements/pull/9/commits/5177f1b460db5a6db89b4c73032838441de1840b Yours, Daniel On Wed, Oct 19, 2022 at 5:21 PM Brian Dickson wrote: > > > On Wed, Oct 19, 2022 at 12:22 PM Tim Wicinski wrote: > >> >> >> This starts a Working Group Last Call for >>

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-11-16 Thread Vladimír Čunát
: the following part doesn't make sense to me, as signature validity period is normally way over the TTL anyway (and it's really a bug if it got shorter): Section 8.1 of [RFC4033 <https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-validator-requirements-01.html#RFC4033>] mention the a

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-10-19 Thread Brian Dickson
On Wed, Oct 19, 2022 at 12:22 PM Tim Wicinski wrote: > > > This starts a Working Group Last Call for > draft-ietf-dnsop-dnssec-validator-requirements > > Current versions of the draft is available here: > > https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnsse

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-10-19 Thread Tim Wicinski
t 19, 2022 at 12:22 PM Tim Wicinski wrote: > >> >> >> This starts a Working Group Last Call for >> draft-ietf-dnsop-dnssec-validator-requirements >> >> Current versions of the draft is available here: >> >> https://datatracker.ietf.org/doc/draft

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-10-19 Thread Brian Dickson
r > draft-ietf-dnsop-dnssec-validator-requirements > > Current versions of the draft is available here: > > https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/ > > The Current Intended Status of this document is: Informational > > Please review t

[DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

2022-10-19 Thread Tim Wicinski
This starts a Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements Current versions of the draft is available here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/ The Current Intended Status of this document is: Informational Please review

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-01.txt

2022-05-13 Thread Daniel Migault
Dan York > Filename : > draft-ietf-dnsop-dnssec-validator-requirements-01.txt > Pages : 23 > Date: 2022-05-13 > > Abstract: >The DNS Security Extensions (DNSSEC) define a process for validating >received dat

[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-01.txt

2022-05-13 Thread internet-drafts
Dan York Filename: draft-ietf-dnsop-dnssec-validator-requirements-01.txt Pages : 23 Date: 2022-05-13 Abstract: The DNS Security Extensions (DNSSEC) define a process for validating received data and assert them authentic and complete

[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-00.txt

2020-05-21 Thread internet-drafts
Edward Lewis Dan York Filename: draft-ietf-dnsop-dnssec-validator-requirements-00.txt Pages : 23 Date: 2020-05-21 Abstract: The DNS Security Extensions define a process for validating received data and assert

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-18 Thread Tim Wicinski
> > > As we stated in the meeting and in our chairs actions, we're going to run > > regular call for adoptions over next few months. > > We are looking for *explicit* support for adoption. > > > > > > This starts a Call for Adoption for > draft-mglt-dnsop-dn

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-11 Thread Loganaden Velvindron
> This starts a Call for Adoption for > draft-mglt-dnsop-dnssec-validator-requirements > > The draft is available here: > https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/ > I support adoption of the draft and I'm willing to review it. > > Please review this

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-11 Thread Daniel Migault
hat bootstrapping for the root zone should be >> extended to other TA. >> >> Yep. >> >> > There are clearly some overlap between the two drafts and I also have >> the impression the drafts can be merged. >> > the following issue has been opened: >>

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-11 Thread Daniel Migault
ctions, we're going to run >> regular call for adoptions over next few months. >> We are looking for *explicit* support for adoption. >> >> >> This starts a Call for Adoption for >> draft-mglt-dnsop-dnssec-validator-requirements >> >> The draft is available

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-10 Thread Ralf Weber
Moin! On 4 May 2020, at 21:08, Tim Wicinski wrote: This starts a Call for Adoption for draft-mglt-dnsop-dnssec-validator-requirements The draft is available here: https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/ Please review this draft to see if you think

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-08 Thread sanjay . mishra=40verizon . com
+1. Agree with Stephane and support adoption of this draft. Thanks Sanjay Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements Stephane Bortzmeyer Wed, 06 May 2020 08:48 UTC On Mon, May 04, 2020 at

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Tim Wicinski
sociated with > bootstrapping mechanism and that bootstrapping for the root zone should be > extended to other TA. > > Yep. > > > There are clearly some overlap between the two drafts and I also have > the impression the drafts can be merged. > > the following issue has been opened: > >

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Joe Abley
drafts can be merged. > the following issue has been opened: > https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/issues/7 Happy to help with that if it's something that the authors/working group decide is useful. I support adoption of this draft, now that I've read it prop

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Daniel Migault
to other TA. There are clearly some overlap between the two drafts and I also have the impression the drafts can be merged. the following issue has been opened: https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/issues/7 Yours, Daniel On Thu, May 7, 2020 at 2:17 PM Joe Abley wrote

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Joe Abley
On 4 May 2020, at 15:08, Tim Wicinski wrote: > This starts a Call for Adoption for > draft-mglt-dnsop-dnssec-validator-requirements > > The draft is available here: > https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/ > > > Please

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Daniel Migault
Thanks for the feedback Shumon, I agree that we should at least clarify where the responsibilities are so the mechanisms become more focused on smoothing the edges rather than compensating what the other party may not do. I also agree that fixed values might be more appropriate and the RDO

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Brian Dickson
Call for Adoption for > draft-mglt-dnsop-dnssec-validator-requirements > > The draft is available here: > https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/ > <https://datatracker..ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/>

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Bob Harold
On Thu, May 7, 2020 at 8:34 AM Shumon Huque wrote: > On Wed, May 6, 2020 at 4:49 AM Stephane Bortzmeyer > wrote: > >> On Mon, May 04, 2020 at 03:08:20PM -0400, >> Tim Wicinski wrote >> a message of 64 lines which said: >> >> > This starts a Call for

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Shumon Huque
On Thu, May 7, 2020 at 8:34 AM Shumon Huque wrote: > On Wed, May 6, 2020 at 4:49 AM Stephane Bortzmeyer > wrote: > > The draft apparently do not mention advices on expiration slack (such >> as val-sig-skew-min and val-sig-skew-max in Unbound). Is there a >> consensus on (I quote Unbound

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-07 Thread Shumon Huque
On Wed, May 6, 2020 at 4:49 AM Stephane Bortzmeyer wrote: > On Mon, May 04, 2020 at 03:08:20PM -0400, > Tim Wicinski wrote > a message of 64 lines which said: > > > This starts a Call for Adoption for > > draft-mglt-dnsop-dnssec-validator-requirements > > I

Re: [DNSOP] [EXT] Re: Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-06 Thread Daniel Migault
SERVFAIL. > > >-Original Message- > >From: DNSOP On Behalf Of Stephane Bortzmeyer > >Sent: May 6, 2020 4:49 AM > >To: Tim Wicinski > >Cc: dnsop ; dnsop-chairs > >Subject: [EXT] Re: [DNSOP] Call for Adoption: > draft-mglt-dnsop-dnssec-validator-req

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-06 Thread Daniel Migault
Call for Adoption for > > draft-mglt-dnsop-dnssec-validator-requirements > > I think it is important to have such a document, because DNSSEC > failures may seriously endanger the deployment of DNSSEC (which is > already too low). The current draft seems a good starting point and I >

Re: [DNSOP] [EXT] Re: Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-06 Thread Jacques Latour
>Sent: May 6, 2020 4:49 AM >To: Tim Wicinski >Cc: dnsop ; dnsop-chairs >Subject: [EXT] Re: [DNSOP] Call for Adoption: >draft-mglt-dnsop-dnssec-validator-requirements > >On Mon, May 04, 2020 at 03:08:20PM -0400, > Tim Wicinski wrote > a message of 64 lines wh

Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

2020-05-06 Thread Bob Harold
on which will > force the necessary check at startup. On the other hand 2) works fine > unless KSK roll over happens and a write error happens. This means that > most of the time this will work fine and this is what makes it dangerous in > my opinion. > > But again, I am happy to update this wi

Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

2020-05-06 Thread Daniel Migault
rry the old configuration which will force the necessary check at startup. On the other hand 2) works fine unless KSK roll over happens and a write error happens. This means that most of the time this will work fine and this is what makes it dangerous in my opinion. But again, I am happy to u

Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-06 Thread Stephane Bortzmeyer
On Mon, May 04, 2020 at 03:08:20PM -0400, Tim Wicinski wrote a message of 64 lines which said: > This starts a Call for Adoption for > draft-mglt-dnsop-dnssec-validator-requirements I think it is important to have such a document, because DNSSEC failures may seriously endanger the depl

Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

2020-05-05 Thread Bob Harold
I would prefer the second method. I think that is what some software already does. (BIND?) -- Bob Harold > > Please inline other comments. > > Yours, > Daniel > > [1] > https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-mglt-dnsop-dns

Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

2020-05-05 Thread Daniel Migault
lease inline other comments. Yours, Daniel [1] https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-mglt-dnsop-dnssec-validator-requirements.mkd [2] https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/f8ab674b12442aff6ba3c72a3ca8f795f24b2df9

Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

2020-05-05 Thread Daniel Migault
file systems. "Not updating the configuration file prevents a failed synchronization to to the absence of write permission that are hardly in the control of the software." [1] https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-mglt-dn

Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

2020-05-05 Thread Daniel Migault
2020 at 3:13 PM IETF Secretariat < > ietf-secretariat-re...@ietf.org> wrote: > >> >> The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in >> state Call For Adoption By WG Issued (entered by Tim Wicinski) >> >> The document is available at

Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

2020-05-04 Thread Bob Harold
Looks useful, I will review. -- Bob Harold On Mon, May 4, 2020 at 3:13 PM IETF Secretariat < ietf-secretariat-re...@ietf.org> wrote: > > The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in > state Call For Adoption By WG Issued (entered by Tim Wicinski) &

[DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

2020-05-04 Thread IETF Secretariat
The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state Call For Adoption By WG Issued (entered by Tim Wicinski) The document is available at https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements

[DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

2020-05-04 Thread Tim Wicinski
All, As we stated in the meeting and in our chairs actions, we're going to run regular calls for adoption over the next few months. We are looking for *explicit* support for adoption. This starts a Call for Adoption for draft-mglt-dnsop-dnssec-validator-requirements The draft is available here

[DNSOP] Fw: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-09.txt

2020-04-30 Thread Daniel Migault
rs, Daniel From: internet-dra...@ietf.org Sent: Wednesday, April 29, 2020 6:22 PM To: Daniel Migault; Edward Lewis; Dan York Subject: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-09.txt A new version of I-D, draft-mglt-dnsop-dnssec-validator-requirements-09.tx

Re: [DNSOP] FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-08.txt

2019-11-29 Thread Peter van Dijk
ernet-dra...@ietf.org > Sent: Sunday, November 17, 2019 2:48 AM > To: Edward Lewis ; Daniel Migault > ; Dan York > Subject: New Version Notification for > draft-mglt-dnsop-dnssec-validator-requirements-08.txt > > > A new version of I-D, draft-mglt-dnsop-dnssec-validator

Re: [DNSOP] FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-08.txt

2019-11-21 Thread Bob Harold
; Sent: Sunday, November 17, 2019 2:48 AM > To: Edward Lewis ; Daniel Migault < > daniel.miga...@ericsson.com>; Dan York > Subject: New Version Notification for > draft-mglt-dnsop-dnssec-validator-requirements-08.txt > > > A new version of I-D, draft-mglt-dnsop-dnssec-val

[DNSOP] FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-08.txt

2019-11-16 Thread Daniel Migault
Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-08.txt A new version of I-D, draft-mglt-dnsop-dnssec-validator-requirements-08.txt has been successfully submitted by Daniel Migault and posted to the IETF repository. Name: draft-mglt-dnsop-dnssec-validator

Re: [DNSOP] Fwd: FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt

2019-05-06 Thread Daniel Migault
Hi, Thanks for the feedback. We discussed your feedback at the IETF meeting and ... delayed your response. I apologize for it. Please see my comments inline. Yours, Daniel On Sun, Mar 24, 2019 at 10:41 AM S Moonesamy wrote: > Hi Daniel, > At 07:10 AM 23-03-2019, Daniel Migault wrote: > >We

Re: [DNSOP] FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt

2019-03-24 Thread Daniel Migault
eak > convenient for you ? > > Yours, > Daniel > > -- Forwarded message - > From: Daniel Migault > Date: Wed, Nov 28, 2018 at 1:18 PM > Subject: [DNSOP] FW: New Version Notification for > draft-mglt-dnsop-dnssec-validator-requirements-07.txt >

[DNSOP] Fwd: FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt

2019-03-23 Thread Daniel Migault
if there is a time slot available to discuss them. Would Monday during the lunch break be convenient for you? Yours, Daniel -- Forwarded message - From: Daniel Migault Date: Wed, Nov 28, 2018 at 1:18 PM Subject: [DNSOP] FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements

[DNSOP] FW: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt

2018-11-28 Thread Daniel Migault
To: Edward Lewis ; Daniel Migault ; Dan York Subject: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-07.txt A new version of I-D, draft-mglt-dnsop-dnssec-validator-requirements-07.txt has been successfully submitted by Daniel Migault and posted to the IETF repository

Re: [DNSOP] [Ext] comments on draft-mglt-dnsop-dnssec-validator-requirements-05

2017-07-20 Thread Daniel Migault
Hi, Thank you for the feedback, Scott. We will address it in the next version. The motivation for crypto deprecation is clearly to follow the crypto recommendations stated by the IETF. However, this requirement for the validator is to actually "validate" those requirements are effective. The

Re: [DNSOP] [Ext] comments on draft-mglt-dnsop-dnssec-validator-requirements-05

2017-07-19 Thread Edward Lewis
On 7/19/17, 08:49, "DNSOP on behalf of Rose, Scott (Fed)" wrote: >I think this draft is a good idea and should be adopted, but needs some >improvements first. > Thanks for the review, the current version has items needing wider

[DNSOP] comments on draft-mglt-dnsop-dnssec-validator-requirements-05

2017-07-19 Thread Rose, Scott (Fed)
I think this draft is a good idea and should be adopted, but needs some improvements first. 1. In Section 4: "unsecure" should be "insecure". 2. REQ2: What should happen when there are multiple trust anchors, but only one failed to validate? E.g. a validator has both the root and .exampleTLD
