Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-16 Thread Matthew Pounsett
On 16 May 2018 at 14:51, Viktor Dukhovni wrote: > > > > I can make a list... Should it go in this draft, or should I work with > Patrick Wallstrom to flesh out that draft? Will this draft reference > the other one? > > General DNSSEC hygeine is out of scope for this

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-16 Thread Viktor Dukhovni
> On May 16, 2018, at 2:38 PM, Jacques Latour wrote: > > The intent of the document at bootstrap is for the parent to perform > sufficient tests to ensure they are conformable in bootstrapping the chain of > trust, I agree with you that these tests and other could be

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-16 Thread Jacques Latour
he DS record is included right away. Any issues with that? -Original Message- From: DNSOP <dnsop-boun...@ietf.org> On Behalf Of Viktor Dukhovni Sent: May 15, 2018 4:11 PM To: dnsop <dnsop@ietf.org> Subject: Re: [DNSOP] Acceptance processing in draft-ietf-regext-

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread Viktor Dukhovni
> On May 15, 2018, at 3:57 PM, John Levine wrote: > > I think it's a swell idea to offer people DNSSEC testing services but > it's hopeless to conflate it with key rotation. I completely agree with you on key rotation, once the zone has already been operating signed. But the

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread John Levine
In article <8e5d5d6c-6893-473d-a2fe-dcb0b46e7...@dukhovni.org> you write: >Some of the more subtle, but still very important failure modes >are not obvious unless *tested*. It is would be a disservice to >the ecosystem to blindly turn on only partly working DNSSEC which >is actually broken in

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread Viktor Dukhovni
> On May 15, 2018, at 2:29 PM, John Levine wrote: > > I think you will find that attempts to legislate against being stupid > do not generally turn out well. It makes sense to check for mistakes > that might screw up the upper level name server like an invalid > algorithm

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread John Levine
In article <1d06889c-770f-4f92-bf06-a76338aeb...@dukhovni.org> you write: >For example, nazwa.pl has recently signed a bunch of domains with lame >wildcard NS records under the zone apex. This breaks denial of existence >for all child domains, including TLSA lookups, and therefore breaks email

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread Viktor Dukhovni
> On Apr 28, 2018, at 1:28 AM, Viktor Dukhovni wrote: > > So at this point I think we understand each other, and the issue comes down > to whether it is appropriate for the registry to automatically turn on DS > records for the first time for a domain which is

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-04-27 Thread Viktor Dukhovni
> On Apr 27, 2018, at 3:23 PM, Matthew Pounsett wrote: > >> If the registry operator is going to automatically upgrade previously >> insecure delegations to DNSSEC, then due diligence to make sure that this is >> not going to cause outages is advisable. Once a domain is

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-04-27 Thread Matthew Pounsett
On 14 April 2018 at 17:05, Viktor Dukhovni wrote: > > > > On Apr 14, 2018, at 4:26 PM, Matthew Pounsett > wrote: > > > > These are getting into name server quality checks, and not security > checks, which is the point of the acceptance testing. I

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-04-14 Thread Viktor Dukhovni
> On Apr 14, 2018, at 4:26 PM, Matthew Pounsett wrote: > > These are getting into name server quality checks, and not security checks, > which is the point of the acceptance testing. I don't agree that these > should be part of this document. If the registry operator is

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-04-14 Thread Matthew Pounsett
On 14 April 2018 at 12:54, Viktor Dukhovni wrote: > > A number of checks are listed in: > > https://tools.ietf.org/html/draft-ietf-regext-dnsoperator- > to-rrr-protocol-04#section-3.4 > > that are intended to make sure a domain is ready for DNSSEC. > > As I've been the