--On Friday, 24 August, 2007 09:27 -0400 Thomas Narten <narten@xxxxxxxxxx> wrote:

> Geoff Huston <gih@xxxxxxxxx> writes:
>
>> - is this just an ersatz root signing mechanism? Why is this
>> appropriate given that the alternative is simply a signed
>> root zone?
>
> For me, this is a key question. It seems to me that the _only_
> reason DLV (and this IANA action) is needed is to get around
> the fact that signing of DNSSEC zones is lagging. DLV and the
> registry is an attempt to get around that.
>
> Thus, it strikes me that this is embracing and extending
> DNSSEC. That might be OK, if the relevant DNS WGs agreed that
> DNSSEC needed such "help". But, as far as I can tell, the
> relevant DNS WGs have not embraced this approach.

Thomas,

Let me try a different perspective.

It seems to me that there are two separate components of a document like this (and Sam's base DLV spec). It also seems to me that, in separating draft-weiler-dnssec-dlv from draft-weiler-dnssec-dlv-iana-00.txt, Sam (perhaps with a little prompting in earlier rounds) has adequately performed the split into two separate documents.

For the base DLV spec, I think there are reasonable questions about whether a reasonable person would want to do something like this and about whether, if one were going to do it (whether it would be reasonable or not), this particular specification is a reasonable way to do it. Independent of the need for this technology in the standard public DNS hierarchy, the community has generally been sympathetic to the need for enterprise and other private hierarchies that are isolated from the public one. Unless I misunderstand the technology --and I may well misunderstand it-- the existence of such hierarchies would justify look-aside techniques even if the root and all second-level domains were already conventionally signed.
But all of that, and I believe the relevance of the question about whether the DNSSEC technology needs "help", are questions about the base DLV spec, not this IANA-oriented document.

If DLV is actually a useful mechanism (sometimes and to someone), then there is a question about the IANA registry this document proposes and its management. That, it seems to me, involves questions that should be addressed to ICANN Staff and Board at least as much as to the IETF DNS community. There seems to be general consensus, both inside the IETF and in the broader community, that zone- and response-signing are important and that DNSSEC is the way to do it. The main obstacle seems to be agreement on who signs the root and in what form. It has been the main obstacle for some time now.

My personal opinion is that, if the intended mechanism can be deployed fairly quickly and generally accepted, having an IANA DLV registry would only be a source of confusion. But, if one accepts that position, then it is reasonable for the IETF to ask ICANN for a firm plan and schedule s.t., if the schedule cannot be met, it is time for the technical community to deploy an alternative because the original spec was too dependent on a single point of failure that had failed. If ICANN cannot, or will not, produce such a plan, the time for reaching that conclusion probably moves up to "now".

> I would be troubled to see this go forward (with _any_ sort of
> IETF seal of approval), without the consensus of the relevant
> IETF DNS community behind it.

This seems far more relevant to draft-weiler-dnssec-dlv-03 than to this document.

Just my opinion.

john