Clarifications and Implementation Notes for DNS Security (DNSSEC)
draft-ietf-dnsext-dnssec-bis-updates-20

[Ballot comment]

During the "no answer" mega-discussion on the DANE list, [1] I
seem to recall this comment was made more than once: "you're
seeing all this because you're maybe the first new
application that really needs DNSSEC," or words to that
effect. Should any of that discussion be reflected in this
document? (I assume its not already there for timing reasons
if nothing else.)

  [1] http://www.ietf.org/mail-archive/web/dane/current/msg04845.html

[Ballot comment]
Substantive comments; these are non-blocking, but please consider them
seriously, and feel free to chat with me about them:

Ditto Sean's comments about DNSSEC vs DNSSECbis, and about Draft Standard -> Internet Standard.

-- 2.1 --
   signal that a zone MAY be using NSEC3, rather than NSEC.

This MAY and the one in the following paragraph are misused: they should not be 2119 terms.  Describing what a zone "may be using" is simply a descriptive phrase, not anything normative.  Actually, I would say "might be using".

-- 5.2 --
Isn't the point really more general: that if the validator is unable to validate the signature, *for whatever reason*, it treats the zone as unsigned?  Wouldn't it be better to make that general point clear... and then give unknown or unsupported key or message digest algorithms as reasons it would be unable to validate?

========
Other comments; no need to respond to these. Take them or modify them
as you please:

-- 2 --
There's a SSnake in the graSSS in the SSection title.

[Ballot discuss]

  The Gen-ART Review by Richard Barnes on 25-May-2012 raised two major
  concerns.  The Gen-ART Review can be found here:
  http://www.ietf.org/mail-archive/web/gen-art/current/msg07454.html

  Building on this review, I have these suggestions:

  (1) Section 4.1:  Please clarify the threat model.  If the zone
  operator is malicious, then it can simulate the necessary zone cut
  and still prove the non-existence of records in the child zone.

  (2) Section 5.10:  Please explain why the "Accept Any Success" policy
  is more preferable the "Highest Signer" policy.  This analysis might
  not appear in Section 5.10; it could appear in an appendix.

[Ballot comment]
These are my preliminary sets of comments:

1) Any reason you can't just refer to DNSSECbis as DNSSEC?  I guess does the outside world know DNSSECbis isn't DNSSEC?

2) General: r/RFCXXXX/[RFCXXXX] throughout except for the abstract.  A couple of times I thought the RFC references needed to be included in [] so it's probably better to just do it everywhere.  You also need to add [RFC2308] as a reference.

3) s1 paragraph two: RFC 6410 got rid of Draft Standard so either r/Draft/Internet or r/from Proposed Standard to Draft Standard/along the Internet Standards track.    Or something like that.

4) s1.2: To cut down on the possible "where is X defined" you could add something like: "Readers are assumed to be familiar with DNSSECbis documents as the terminology used herein comes from those documents."

5) s2, s2.1, s2.2: Could you replace the three instances of "should {also} be" with "are"?  If the WG considers them part of the core, then aren't they?  It also avoids the whole question about whether it ought to be SHOULD (not that I'm asking to change that).

6) s2.1: Pet peeve requirements in a paragraph that starts with Note.  Couldn't you just r/Note that the/The

7) s5.5: Might be worth pointing out that this was filed as an errata.

8) s5.6, s5.7, and s5.10: I was already to give you the kudos for each section being clear about which document was being updated until I got to these sections.  Please state which RFC you're updating in these sections.  In s5.6 is it updating 3225?

9) s5.11: could you just strike "note that"

[Ballot comment]
These are my preliminary sets of comments:

1) Any reason you can't just refer to DNSSECbis as DNSSEC?  I guess does the outside world know DNSSECbis isn't DNSSEC?

2) General: r/RFCXXXX/[RFCXXXX] throughout except for the abstract.  A couple of times I thought the RFC references needed to be included in [] so it's probably better to just do it everywhere.  You also need to add [RFC2308] as a reference.

2) s1 paragraph two: RFC 6410 got rid of Draft Standard so either r/Draft/Internet or r/from Proposed Standard to Draft Standard/along the Internet Standards track.    Or something like that.

3) s1.2: To cut down on the possible "where is X defined" you could add something like: "Readers are assumed to be familiar with DNSSECbis documents as the terminology used herein comes from those documents."

3) s2, s2.1, s2.2: Could you replace the three instances of "should {also} be" with "are"?  If the WG considers them part of the core, then aren't they?  It also avoids the whole question about whether it ought to be SHOULD (not that I'm asking to change that).

4) s2.1: Pet peeve requirements in a paragraph that starts with Note.  Couldn't you just r/Note that the/The

5) s5.5: Might be worth pointing out that this was filed as an errata.

6) s5.6, s5.7, and s5.10: I was already to give you the kudos for each section being clear about which document was being updated until I got to these sections.  Please state which RFC you're updating in these sections.  In s5.6 is it updating 3225?

7) s5.11: could you just strike "note that"

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Last Call:  (Clarifications and Implementation Notes for DNSSECbis) to Proposed Standard


The IESG has received a request from the DNS Extensions WG (dnsext) to
consider the following document:
- 'Clarifications and Implementation Notes for DNSSECbis'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2012-05-31. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document is a collection of technical clarifications to the
  DNSSECbis document set.  It is meant to serve as a resource to
  implementors as well as a repository of DNSSECbis errata.

  This document updates the core DNSSECbis documents (RFC4033, RFC4034,
  and RFC4035) as well as the NSEC3 specification (RFC5155).  It also
  defines NSEC3 and SHA-2 as core parts of the DNSSECbis specification.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-dnsext-dnssec-bis-updates/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-dnsext-dnssec-bis-updates/ballot/


No IPR declarations have been submitted directly on this I-D.

PROTO write up for draft-ietf-dnsext-dnssec-bis-updates-18
2012-05-01
Template version 2012-02-24

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

    The request is for Proposed Standard.  The documents it is
    updating are all at the Proposed Standard level, and this document
    reflects experience with and clarifications of those.  The type is
    indicated in the header.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

    DNSSECbis was published in RFC 4033, RFC 4034, and RFC 4035.
    Since the publication, some people filed errata against those
    documents, some additional developments added to DNSSECbis, and
    some implementation experience illustrated ambiguities or issues
    with the original texts.  This draft collects those issues in a
    single place, updating the DNSSECbis specification and clarifying
    it where need be.

Working Group Summary

    This draft is the product of the DNS Extensions Working Group.
    Many of the clarifications came easily.  The more
    contentious parts of the document have been discussed at length.
    For the most controversial of the clarifications, extensive
    discussion is included in appendices so that implementers and
    deployers may make informed decisions.

Document Quality

    Most, if not all, of the document is reflected in the bulk of
    DNSSECbis validators and signers deployed on the Internet.  The
    document is the result of several years of experience and
    discussion, collected with an eye to improving implementations.
    One of the most contentious parts resulted in multiple rounds of
    discussion and a special design team meeting.  The document as it
    stands has been refined over a long period of time, and is of high
    quality.

Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?

    Andrew Sullivan is the Document Shepherd, and Ralph Droms is the
    Responsible Area Director.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

    The shepherd performed multiple complete reviews, and is satisfied
    the document is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed? 

    No.  The WG has a requirement of at least five reviews prior to
    publication, and this document easily met that.  In addition, some
    of the reviews were from long-standing critics of earlier versions.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

    No.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

    Section 5.6 represents a clear change to the protocol.  This
    change is amply documented in practice, but it is nevertheless a
    change to the protocol.  The Shepherd would have preferred
    something that did not actually change the protocol, but the
    document editors and a small number of reviewers said they
    preferred this formulation.  The change happened during WGLC.  Few
    people responded to a special request to comment on this issue, so
    it is not clear how strong the agreement is with this change in
    the protocol.  It is indisputable, however, that some deployed
    instances work according to the new text, and interoperability is
    likely maximized by making the change in section 5.6.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

    Yes.
   
(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

    No.  There is an IPR filing against RFC 5155, which this draft
    updates, but it does not seem to impinge on this draft.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

    The document has been through many iterations, a large amount of
    review, and several rounds of discussion about particular issues.

    There is one section, 5.9, that continues to be a sore point with
    one WG participant (the participant is also a notable contributor
    to an important implementation).  Repeated requests during WGLC
    for expressions of support of that participant's position yielded
    no results.

    Section 5.9 was changed after WGLC because a participant
    (different than the one who objects to section 5.9 overall) said
    that it did not apply to stub resolvers.  On further reflection,
    the authors reverted the change, because they thought it might be
    incorrect. 

    Section 5.9 remains the area of most controversy.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

    No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

    There are none.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

    N/A

(13) Have all references within this document been identified as
either normative or informative?

    Yes

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

    No.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the
Last Call procedure.

    No.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

    It will not change the formal status of any, but it does update
    several.  They are all listed.  The way that documents are treated
    together (informally) as the DNSSEC core is also updated, and that
    is also called out in the document.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

    There are no actions for IANA.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

    None.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.:

    N/A