On Tue, Jun 9, 2015 at 11:29 AM, Joe Abley <jabley@xxxxxxxxxxx> wrote:
> On 9 Jun 2015, at 8:58, The IESG wrote:
>
>> The IESG has received a request from the Domain Name System Operations WG
>> (dnsop) to consider the following document:
>> - 'Definition and Use of DNSSEC Negative Trust Anchors'
>> <draft-ietf-dnsop-negative-trust-anchors-10.txt> as Informational RFC
>
> I have read this document. The topic under discussion is a useful one, it is described clearly and well, and I support this document proceeding. I have some minor suggestions for improvement, but nothing substantial.

Whoohoo!

>
> In section 1, the document uses normative-sounding language ("should not") and seems to direct the IANA not to do something. The normative-sounding direction is further extended to all other organisations. I understand the intent here, but the advice seems a little jarring; any IETF document can provide advice and recommendations without enforcement (informational documents arguably more so). Perhaps this could be rephrased to make it clear that the document is providing recommendations about how to implement and manage negative trust anchors rather than laying down the law.

I had a hard time trying to figure out how to address this. I changed:

"Negative Trust Anchors are intended to be temporary, and should not be distributed by IANA or any other organization outside of the administrative boundary of the organization locally implementing a Negative Trust Anchor."

to:

"Negative Trust Anchors are intended to be temporary, and should only be implemented by the organization requiring a Negative Trust Anchor (and not distributed by any organizations outside of the administrative boundary)."

I think that that changes the tone and doesn't sound as prescriptive / jarring - does this address your concern? I also skimmed the rest and didn't really find anywhere else to fix.

>
> In section 1.2 the document refers to a "domain administrator", when in the context of DNSSEC I think it means a "zone administrator".
>

Nice. Done. Thanks.

> In section 7 the document refers to "dnscheck", which I understand is no longer being maintained and has been replaced with "zonemaster". See <http://www.zonemaster.fr>, for example.

I replaced dnscheck with zonemaster. Initially I was just going to add zonemaster (and leave dnscheck there), but seeing as .se is involved in both projects I decided it was not impolite to remove their older tool...

New version (with your suggested edits) pushed to github - https://github.com/wkumari/draft-livingood-dnsop-negative-trust-anchors

Thanks for your comments,
W

>
>
> Joe

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf