.
Regards,
Daniel
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
?
Best Regards,
Daniel
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--
From: internet-dra...@ietf.org
Date: Mon, Oct 21, 2013 at 9:12 AM
Subject: New Version Notification for
draft-mglt-homenet-dnssec-validator-dhc-options-02.txt
To: Daniel Migault mglt.i...@gmail.com
A new version of I-D, draft-mglt-homenet-dnssec-validator-dhc-options-02.txt
has been
Hi Paul,
Thanks for your comments. I also share your opinions. I add my comment in
the body part.
On Mon, Oct 21, 2013 at 8:16 PM, Paul Wouters p...@cypherpunks.ca wrote:
On Mon, 21 Oct 2013, Daniel Migault wrote:
Please find a draft that defines DHCP options to provision DNSSEC
ICANN website and
grab the trust anchor bundle (i.e. what unbound-anchor does) and use the
certificate of ICANN.
See also draft-jabley-dnsop-validator-bootstrap-00.
Joe
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
___
DNSOP
6 at
first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or
good,
occasionally poor at first.
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman
@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
-mglt-dnsop-dnssec-validator-requirements-00.txt
has been successfully submitted by Daniel Migault and posted to the
IETF repository.
Name: draft-mglt-dnsop-dnssec-validator-requirements
Revision: 00
Title: DNSSEC Validators Requirements
Document date: 2014-02-13
Group: Individual Submission
Pages
be better
carried out and work with the appropriate ADs on this.
This still sounds horrible.
tim
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--
Daniel Migault
Orange Labs -- Security
+33 6
distinguish a name resolution that needs to be associated with a search
list and 3) how a resolver should perform a resolution involving search
list.
Feel free to comment/review.
BR,
Daniel
[1] http://tools.ietf.org/html/draft-mglt-dnsop-search-list-processing-00
--
Daniel Migault
Orange Labs
...@mail.gmail.com
, Daniel Migault writes:
Hi folks,
Please find draft-mglt-dnsop-search-list-processing-00.txt [1] This
draft
comes in the context of generic TLD with possible naming collision. In
order to keep naming resolution stable and reliable, it describes 1) how
resolver should
support for adoption.
Olafur
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
___
DNSOP mailing
Systems Consortium, Inc.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
___
DNSOP mailing list
DNSOP@ietf.org
: internet-dra...@ietf.org
Date: Tue, Feb 17, 2015 at 8:36 PM
Subject: New Version Notification for
draft-mglt-dnsop-dnssec-validator-requirements-02.txt
To: Daniel Migault mglt.i...@gmail.com
A new version of I-D, draft-mglt-dnsop-dnssec-validator-requirements-02.txt
has been successfully submitted
In homenet we discussed how the CPE can outsource the reverse zone to a third
party. This means that we considered the reverse zone generation could be
delegated to each customer by the ISP.
BR,
Daniel
-Original Message-
From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Ted
-
>
> - Original Message -
> > From: "Ondřej Surý" <ondrej.s...@nic.cz>
> > To: "Simon Josefsson" <si...@josefsson.org>
> > Cc: "Daniel Migault" <daniel.miga...@ericsson.com>, "curdle"
> CZ.NIC, z.s.p.o.-- Laboratoře CZ.NIC
> Milesovska 5, 130 00 Praha 3, Czech Republic
> mailto:ondrej.s...@nic.czhttps://nic.cz/
> --------
>
> - Original Message -
> > From: "Daniel Migau
my understanding is that ed448 does not specify default values for the
context and i have not seen in the current draft a specification of the
context. Shouldn't we explicitly mention that the context is empty?
Yours,
daniel
On Nov 16, 2016 2:44 AM, "Dick Franks" wrote:
> My
This is also my understanding. but I might be wrong as well.
Yours,
Daniel
On Thu, Nov 3, 2016 at 6:11 PM, Salz, Rich wrote:
> I think the issue about signature contexts first, and mainly, came up
> with TLS which generates a variety of private key material based on shared
>
Hi,
This message starts a Working Group Last Call (WGLC) for
draft-ietf-curdle-dnskey-eddsa-01.
The version to be reviewed is
https://tools.ietf.org/html/draft-ietf-curdle-dnskey-eddsa-01
Please send your comments, questions, and edit proposals to the WG mail
list until November 16th, 2016. If
/blob/master/draft-mglt-dnsop-dnssec-validator-requirements-05.xml
[Ericsson]<http://www.ericsson.com/>
DANIEL MIGAULT
Researcher
Research
Ericsson
8500 Boulevard Decarie
H4P 2N2 Montreal, Canada
Phone +1 514 345 7900 46628
Mobile +1 514 452 2160
daniel.miga...@ericsson.com
www.ericsson.com
DNSSEC deployment on resolvers.
Yours,
Daniel
-Original Message-
From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org]
Sent: Monday, March 27, 2017 9:13 AM
To: Edward Lewis <edward.le...@icann.org>; Daniel Migault
<daniel.miga...@ericsson.com>; Dan York <y.
Hi Bob,
Thanks you for the clarifications, I have updated my local copy with all
your comments.
Yours,
Daniel
[1]
https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-mglt-dnsop-dnssec-validator-requirements.xml
On Fri, Apr 7, 2017 at 7:35 PM, Daniel Migault
Thank you Evan and Petr fro your comments. I thought I would be able to
provide you some text this week... but I am running late. I will send you
some text next week.
I agree with your comments, and will make my best to address them. I also
came with other requirements.
Yours,
Daniel
On Fri,
Thanks for the review, I will update the copy on the git accordingly.
Yours,
Daniel
On Fri, Apr 7, 2017 at 9:51 AM, Bob Harold <rharo...@umich.edu> wrote:
>
> On Mon, Mar 27, 2017 at 10:16 AM, Daniel Migault <
> daniel.miga...@ericsson.com> wrote:
>
>> Hi,
>
Hi,
Thank you for the feed backs Scott. We will address them in the next
version.
The motivation for crypto deprecation is clearly to follow the crypto
recommendations stated by the IETF. However, this requirement for the
validator is to actually "validate" those requirements are effective. The
-dra...@ietf.org]
Sent: Wednesday, June 28, 2017 11:46 AM
To: Edward Lewis <edward.le...@icann.org>; Daniel Migault
<daniel.miga...@ericsson.com>; Dan York <y...@isoc.org>; y...@isoc.org
<y...@isoc.org>
Subject: New Version Notification for
draft-mglt-dnsop-dnssec-valid
To: Edward Lewis ; Daniel Migault
; Dan York
Subject: New Version Notification for
draft-mglt-dnsop-dnssec-validator-requirements-07.txt
A new version of I-D, draft-mglt-dnsop-dnssec-validator-requirements-07.txt
has been successfully submitted by Daniel Migault and posted to the IETF
repository
We received positive feed back for Monday. So we will meet in the main
lobby at 12:20 during the lunch break. See you there!
Yours
Daniel
On Sat, Mar 23, 2019, 15:10 Daniel Migault
wrote:
>
> Hi,
>
> We would particularly appreciate to share your thoughts and discuss the
&g
if there is a time
slot available to discuss them. Would Monday during the lunch break
convenient for you ?
Yours,
Daniel
-- Forwarded message -
From: Daniel Migault
Date: Wed, Nov 28, 2018 at 1:18 PM
Subject: [DNSOP] FW: New Version Notification for
draft-mglt-dnsop-dnssec-validator-requirements
Hi,
Thanks for the feed backs. We discussed your feed backs at the IETF meeting
and ... delayed your response. I apology for it.
Please see my comments inline.
Yours,
Daniel
On Sun, Mar 24, 2019 at 10:41 AM S Moonesamy wrote:
> Hi Daniel,
> At 07:10 AM 23-03-2019, Daniel Migault wrote:
Hi,
Please find our draft that provides recommendations for DNSSEC resolvers
Operators. Any comment is appreciated!
Yours,
Daniel
-Original Message-
From: internet-dra...@ietf.org
Sent: Sunday, November 17, 2019 2:48 AM
To: Edward Lewis ; Daniel Migault
; Dan York
Subject: New
Hi,
I read draft-ietf-dnsop-svcb-httpssvc-01. Please find find some comments
(with my questions) below I had while reading linearly the document. I hope
this will help.
Yours,
Daniel
section 1.1
_8765._baz.api.example.com. 7200 IN SVCB 0 svc4-baz.example.net.
In my opinion, the mechanism
ons in the past.
>
> > Do you have any plans to look at the behavior of the large public
>> > resolvers?
>>
>> That's a good idea, to answer this one, we need to configure the
>> scenarios again. Let me get back to you once I manage to get
; > Yes, for sure! Happy to do that.
>
> Half done. Either tonight or tomorrow.
> --
> Wes Hardaker
> USC/ISI
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Mi
rs,
Daniel
From: internet-dra...@ietf.org
Sent: Wednesday, April 29, 2020 6:22 PM
To: Daniel Migault; Edward Lewis; Dan York
Subject: New Version Notification for
draft-mglt-dnsop-dnssec-validator-requirements-09.txt
A new version of I-D, draft-mglt-dnsop-dnssec-validator-requirements-09.tx
Thanks, that will be appreciated. I will make sure the two documents are
synchronised.
Yours,
Daniel
On Mon, May 4, 2020 at 8:20 AM Shumon Huque wrote:
> On Wed, Apr 29, 2020 at 11:57 AM Daniel Migault
> wrote:
>
>> Hi,
>>
>> I discovered this draft during the inte
correct text is:
This introduces a potentially huge vector for configuration errors, due to
human intervention as well as potential misunderstanding of ongoing
operations.
Others grammar and language issues have also been corrected.
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
gt; >Also, the draft has many, it seems, grammar / language
> >problems. ("This introduces a potentially huge vector for
> >configuration errors, but due to human intervention as well as
> >potential misunderstanding of ongoing operations.")
> >
> >
> >___
> >DNSOP mailing list
> >DNSOP@ietf.org
> >https://www.ietf.org/mailman/listinfo/dnsop
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
a8f795f24b2df9#diff-c7cc8f0bdd4d7cce2082828d70d2bf35>
Contribute to mglt/draft-mglt-dnsop-dnssec-validator-requirements development
by creating an account on GitHub.
github.com
From: Bob Harold
Sent: Monday, May 4, 2020 4:29 PM
To: Daniel Migault
Subject: Fwd
#diff-c7cc8f0bdd4d7cce2082828d70d2bf35
On Tue, May 5, 2020 at 11:52 AM Daniel Migault wrote:
> Hi Bob,
>
> Thanks for the comments. The new version of the file is available here [1]
> and diff can be seen at [2].
>
> I propose the following text. Does it clarify t
__________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
adoption ends: 18 May 2020
>>
>> Thanks,
>> tim wicinski
>> DNSOP co-chair
>>
>> ___
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
> ___
ted on.
>
> Tim
> (speaking as a chair)
>
> On Thu, May 7, 2020 at 3:42 PM Joe Abley wrote:
>
>> Hi Daniel,
>>
>> On 7 May 2020, at 15:39, Daniel Migault wrote:
>>
>> > Thanks for putting the reference of that draft. I have always thought
>> that t
be highly appreciated.
Yours,
Daniel
[1] https://tools.ietf.org/html/draft-mglt-add-rdp-00#section-8.2
On Mon, Mar 9, 2020 at 9:27 PM Ben Schwartz wrote:
>
>
> On Thu, Feb 27, 2020 at 11:48 AM Daniel Migault
> wrote:
>
>> Hi,
>>
>> I read draft-ietf-dnsop-svcb-h
s vendor to get them to use an inception
> offset.
> So, the skew issue ideally needs to be addressed on both sides (and it
> might
> be reasonable to mention that in this draft).
>
> Shumon.
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
r documenting these kinds of things
> then I am overjoyed. Perhaps there is an opportunity to merge that existing
> work from 2011 with this effort.
>
>
> Joe
> _______
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mail
On Tue, May 5, 2020 at 2:53 PM Bob Harold wrote:
>
> On Tue, May 5, 2020 at 12:02 PM Daniel Migault
> wrote:
>
>> Hi Bob,
>>
>> I apology the previous email has just been sent unexpectedly.
>>
>> Thanks for the comments. The new version of th
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
n ends: 8 June 2020
>
> Thanks,
> tim wicinski
> DNSOP co-chair
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
rationale is here.
>
> -Ekr
>
>
>> As another side note, would be nice to have a link to the IANA sections
>> updated in the IANA Considerations Section.
>>
>>
>> Paul
>>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
see this adopted by the WG so that the GOST document can
> proceed forward. I'm also quite interested to hear input from developers
> about how they feel affected by the different options for documentation of
> algorithms for DNSSEC.
>
> --Paul Hoffman___
Hi,
Thanks for your questions, please see inline some clarifications.
Yours,
Daniel
On Fri, Dec 25, 2020 at 3:27 PM Paul Hoffman wrote:
> On Dec 24, 2020, at 10:28 AM, Daniel Migault wrote:
> >
> > Hi,
> >
> > As the DNS is a global shared resource and its reli
>
> That would leave the registry with the strict requirements and allow items
> to get code points.
>
> Too simple an answer?
>
> tim
>
>
> On Fri, Dec 25, 2020 at 10:53 PM Olafur Gudmundsson wrote:
>
>>
>>
>> On Dec 25, 2020, at 3:27 PM, Paul Hoffman
On Wed, Dec 30, 2020 at 10:22 PM Paul Wouters wrote:
> On Dec 30, 2020, at 22:11, Daniel Migault wrote:
> >
> >
> >
> > If I understand clearly the comment, it seems to say that TLS ( for
> example ) is using RFC Required and that DNSSEC should do the same. Qu
fman
>
> _______
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
__
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
the document is *not* ready for publication, please
>> speak out with your reasons.
>>
>> This starts a two week Working Group Last Call process, and ends on: 18
>> August 2021
>>
>> thanks
>> tim
>>
> ___
Hi,
As Paul H. mentioned to me the document is in the last call, I am providing
my comments to the last call mailing list. I feel that my comments mostly
concern the security consideration sections.
Yours,
Daniel
On Wed, Sep 15, 2021 at 10:41 AM Daniel Migault wrote:
> Hi,
>
> I
Hi Vladimir,
Thanks for the feedback. Please see my responses inline.
On Wed, Sep 15, 2021 at 1:45 PM Vladimír Čunát
wrote:
> On 15/09/2021 16.41, Daniel Migault wrote:
> > Outside experimentation, especially for national algorithms, this will
> > lead to nations having t
e from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
> Title : Recommendations for DNSSEC Resolvers Operators
> Authors : Daniel Migault
>
-25 12:26 -05, Daniel Migault wrote:
> > On Wed, Nov 23, 2022 at 10:29 AM Vladimír Čunát <
> vladimir.cunat+i...@nic.cz>
> > wrote:
> >> I am surprised you would not recommend RFC 5011
> >>
> >> 5011 needs persistent state, a thing that resolvers/
e Works Inc, Ottawa and Worldwide
>
>
>
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
On Mon, Nov 28, 2022 at 6:29 AM Vladimír Čunát
wrote:
> On 25/11/2022 18.26, Daniel Migault wrote:
>
> So let me know how we came to this lines and I suspect we do share some
> similar concerns. A recurrent question and reticence we receive from MNO
> and ISPs r
from the misconception / misreading that the
> words from the draft name are also in the title. -- Of course, the name is
> irrelevant.
>
> Thank you for clarifying, Vladimír!
>
> Best,
> Peter
>
> --
> https://desec.io/
>
> _______
bit on UDP.
> Validators will need to ensure their local environment can reliably get
> any critical DNSSEC records (notably DNSKEY) over UDP, or reliably get
> responses with TC=1 if overly large responses cannot be sent over UDP due
> to answers not
needing to worry about those 5011 disadvantages. (occasional =
> 5011 defaults to requiring 30 days of overlap)
>
>
> Oh! sure for the TA. My understanding of the text is that it recommends
5011 for running instances, but that new instances are configured with
up-to-date TA that in most cases are updated by software update. So yes I
agree and will check this appears clearly.
> --Vladimir
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
requesting a review from a current
> DRO
> operator to gain some domain specific feedback that may catch some
> operational
> concerns that I may have overlooked.
>
We did have such reviews - of course more such reviews are welcome. I can
only agree with you.
>
>
>
>
also agree that this
could be implemented with a series of software releases. I have the
impression that in general MNO tend to prefer a stand alone mechanism as
they are constantly deploying releases, but I am happy to hear more on that.
--Vladimir | knot-resolver.cz
> _
Hi,
I am just wondering if you have any further comments or thoughts or we
declare your concerns being addressed. If you think we are fine, just let
me know.
Yours,
Daniel
On Tue, Jan 3, 2023 at 7:14 PM Daniel Migault wrote:
> Hi Vladimir and Florian,
>
> Thanks for the comment
Hi,
If you think I have addressed all comments I received, if you believe that
is not the case or if there are other comments, please let me know.
Otherwise I expect to publish a new version by the end of the week.
Yours,
Daniel
On Fri, Jan 13, 2023 at 5:21 PM Daniel Migault wrote:
>
ok, I just posted the 02 version.
Yours,
Daniel
On Tue, Jan 24, 2023 at 2:28 PM Tim Wicinski wrote:
> Thanks Daniel. We've been waiting for your updated draft.
>
> tim
>
>
> On Tue, Jan 24, 2023 at 10:14 AM Daniel Migault
> wrote:
>
>> Hi,
>>
>> If
System
Operations (DNSOP) WG of the IETF.
Title : Recommendations for DNSSEC Resolvers Operators
Authors : Daniel Migault
Edward Lewis
Dan York
Filename: draft-ietf-dnsop-dnssec-validator-requirements-05.txt
Pages
document with minimum requirements (correct
> > time, stuff like that) and take it from there.
> >
> >>
> >> We're wrapping this feedback up this Sunday 11 June.
> >>
> >> (and Thanks Andrew for your comments)
> >>
> >> tim
> >
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
-validator-requirements/blob/master/draft-ietf-dnsop-dnssec-validator-requirements.mkd
Yours,
Daniel
On Thu, Jun 15, 2023 at 8:00 PM Daniel Migault wrote:
> Hi Christina,
>
> Thanks for the review and the suggestions. Please see my comments inline.
>
> Yours,
> Daniel
>
&
-validator-requirements-06
Yours,
Daniel
On Thu, Jun 22, 2023 at 4:27 PM Daniel Migault wrote:
> Hi,
>
> I have just drafted a secure transport and a security considerations
> section, that I believe provide sufficient guidance to a DRO. I expect to
> further review these secti
operations around the TTL ( like Hammer for example ). This discussion also
pushes us to avoid implementing non standard mechanisms - or at least to be
careful.
Yours,
Daniel
On Fri, May 19, 2023 at 5:18 AM Peter Thomassen wrote:
> Hi Daniel,
>
> On 5/18/23 02:26, Daniel Miga
__
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
his feedback up this Sunday 11 June.
> >
> > (and Thanks Andrew for your comments)
> >
> > tim
>
> --
> In my defence, I have been left unsupervised.
>
> _______
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.i
one DRO to
> > take advantage of more recent cryptographic. While currently not
> >being widely used, a DRO MAY share information with authoritative
> >server in the hope that future deployment of authoritative servers
> >will be able to leverage it. [RFC6975] provides the ability for a
> >DNSSEC validator to announce an authoritative server the supported
> >signature schemes. However, a DNSSEC validator is not able to
> >determine other than by requesting and monitoring DNSKEY RRsets as
> >well as RRSIG. These RRsets are received by enabling DNSSEC
> >validation by default which is obviously the case for DNSSEC
> >validator.
>
> This looks like a poor translation from something other than English...
> Unclear where this is going.
>
> The intention was that DRO can advertise their support of recent
algorithms, so they can give authoritative servers more confidence in
deploying them.
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Hi Peter,
Thanks for the response. I think I need to understand better how
revalidation is performed.
Yours,
Daniel
On Wed, May 17, 2023 at 4:26 PM Peter Thomassen wrote:
> Hi Daniel,
>
> On 5/17/23 22:01, Daniel Migault wrote:
> > I agree but as far as can see the
EC validator may play an important role
> in sharing this information with the authoritative server or domain
> name owner.
>
> I'm not sure I agree with this. It's probably not a good idea if all
> validating resolvers start contacting a specific domain owner.
>
> good point we need maybe to be more specific, thought I expected the
contact to be between organization as opposed to be on a per request.
> Section 13:
> RUNTIME: * DRO SHOULD regularly discover MTU
>
> I'm no expert here; does this really need regular checks, or is there a
> value that's generally considered safe? If regular checking is done, how
> frequently would be reasonable?
>
> yes. We need to check the frequency, but I am unsure we will have a
specific number. Let's check.
> Section 15:
> Providing inappropriate information can lead to misconfiguring the
> DNSSEC validator, and thus disrupting the DNSSEC resolution service.
>
> Not sure what "providing inappropriate information" means here.
>
> This is a bad sentence I think we meant information that will taken into
account for the configuration.
> RRSet that were
> cached require a DNSSEC resolution over the Internet
>
> when queried.
>
> An attacker may ask the DNSSEC validator to consider a rogue KSK/ZSK,
> thus hijacking the DNS zone.
>
> How so?
>
> An attacker (cf. Section 7) can advertise a "known insecure" KSK or
> ZSK is "back to secure"
>
> How so?
>
> The intent was to list attack goals, not the attack itself, but maybe we
can be more specific.
> --
> https://desec.io/
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
rg
> https://www.ietf.org/mailman/listinfo/dnsop
>
> ___________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
l nameserver IPs as RDATA. This prevents people from
>> adding the DNS hoster without permission.
>>
>> The parent can check all incoming NS records via their EPP system for
>> a match of "_cds" and do its "trigger" work. It could even suppress
>> actually including the special NS record in the parent zone but if it gets
>> published there is no real harm. Once DNSSEC is enabled by the Registry,
>> the DNS hoster can remove its special NS record and use CDS for further
>> updates, or the CDS nul record to delete all DS records.
>>
>> Paul
>>
>> ___
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
--
Daniel Migault
Ericsson
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Reviewer: Daniel Migault
Review result: Has Nits
Hi,
Reviewer: Daniel Migault
Review result: Has Nits
I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit
85 matches
Mail list logo