A DANE Record and DNSSEC Authentication Chain Extension for TLS
draft-ietf-tls-dnssec-chain-extension-07
Document history
Date | Rev. | By | Action |
---|---|---|---|
2018-10-31 | 07 | Sean Turner | Added to session: IETF-103: tls Wed-1120 |
2018-09-22 | 07 | (System) | Document has expired |
2018-09-22 | 07 | (System) | IESG state changed to Dead from AD is watching |
2018-08-30 | 07 | Benjamin Kaduk | Shepherding AD changed to Benjamin Kaduk |
2018-08-29 | 07 | Sean Turner | IETF WG state changed to WG Document from Submitted to IESG for Publication |
2018-08-09 | 07 | Benjamin Kaduk | IESG state changed to AD is watching from RFC Ed Queue |
2018-07-18 | 07 | (System) | IANA Action state changed to No IC from On Hold |
2018-05-30 | 07 | (System) | IANA Action state changed to On Hold from In Progress |
2018-05-29 | 07 | (System) | IANA Action state changed to In Progress from On Hold |
2018-04-30 | 07 | (System) | RFC Editor state changed to IESG from MISSREF |
2018-03-30 | 07 | (System) | IANA Action state changed to On Hold |
2018-03-26 | 07 | Gunter Van de Velde | Closed request for Last Call review by OPSDIR with state 'No Response' |
2018-03-21 | 07 | (System) | RFC Editor state changed to MISSREF |
2018-03-21 | 07 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2018-03-21 | 07 | (System) | Announcement was received by RFC Editor |
2018-03-21 | 07 | Cindy Morgan | IESG state changed to Approved-announcement sent from IESG Evaluation::AD Followup |
2018-03-21 | 07 | Cindy Morgan | IESG has approved the document |
2018-03-21 | 07 | Cindy Morgan | Closed "Approve" ballot |
2018-03-21 | 07 | Cindy Morgan | Ballot approval text was generated |
2018-03-21 | 07 | Cindy Morgan | RFC Editor Note was changed |
2018-03-21 | 07 | Cindy Morgan | RFC Editor Note for ballot was generated |
2018-03-21 | 07 | Cindy Morgan | RFC Editor Note for ballot was generated |
2018-03-21 | 07 | Alexey Melnikov | [Ballot comment] Now that TLS 1.3 is approved for publication, I think adding a Normative Reference to TLS 1.3 is a no-brainer. I am clearing my DISCUSS on the assumption that this would be fixed before publication of the RFC. 1) TLS 1.3 needs to be a normative reference, but it is not even listed in References. 2) The first mention of NSEC3 needs a normative reference. |
2018-03-21 | 07 | Alexey Melnikov | [Ballot Position Update] Position for Alexey Melnikov has been changed to Yes from Discuss |
2018-03-21 | 07 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2018-03-21 | 07 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2018-03-21 | 07 | Shumon Huque | New version available: draft-ietf-tls-dnssec-chain-extension-07.txt |
2018-03-21 | 07 | (System) | New version approved |
2018-03-21 | 07 | (System) | Request for posting confirmation emailed to previous authors: Melinda Shore, Willem Toorop, Richard Barnes, Shumon Huque |
2018-03-21 | 07 | Shumon Huque | Uploaded new revision |
2018-03-21 | 06 | Eric Rescorla | [Ballot comment] Thanks for handling my DISCUSS points. |
2018-03-21 | 06 | Eric Rescorla | [Ballot Position Update] Position for Eric Rescorla has been changed to No Objection from Discuss |
2018-02-16 | 06 | Tero Kivinen | Closed request for Telechat review by SECDIR with state 'No Response' |
2018-02-08 | 06 | Cindy Morgan | IESG state changed to IESG Evaluation::Revised I-D Needed from Waiting for AD Go-Ahead |
2018-02-07 | 06 | Terry Manderson | [Ballot comment] No objection, Alexey's DISCUSS already has hit the issue I also noted. |
2018-02-07 | 06 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2018-02-07 | 06 | Ben Campbell | [Ballot comment] I am happy to see this published, but have a few minor comments: - I agree with Alexey's comments. - 3.4: "If the TLSA record set was synthesized by a DNS wildcard, the chain must include the signed NSEC or NSEC3 records that prove that there was no explicit match of the TLSA record name and no closer wildcard match." Should that "must" be a "MUST"? - Nit in Authors List: Unless I've missed something, Richard's affiliation is no longer current. (I only point it out in case it's an oversight; I have no objection if it's that way on purpose.) |
2018-02-07 | 06 | Ben Campbell | [Ballot Position Update] New position, Yes, has been recorded for Ben Campbell |
2018-02-07 | 06 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2018-02-07 | 06 | Warren Kumari | [Ballot comment] I was one of the very early DANE people / WG chair / etc. Y'all have come along, commandeered our protocol..... and made it much better (and deployable)... Seriously, thank you -- I was saving this document to be able to do a very thorough review, but unfortunately have run out of time, so only have one comment to offer: Section 3.1. Protocol, TLS 1.2: "Therefore, a server MUST NOT construct chains for domain names other than its own." -- what is a server's "domain name"? E.g.: My webserver has certs with many SANs, and SNI, etc. Perhaps this should be more along the lines of "MUST NOT construct chains for domain names for which it is not responsible"? (Obviously, this will also require some wordsmithing; I don't really know what it means to be "responsible" for a domain; perhaps "domains it doesn't have certificates for"? something...) |
2018-02-07 | 06 | Warren Kumari | [Ballot Position Update] New position, Yes, has been recorded for Warren Kumari |
2018-02-07 | 06 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2018-02-07 | 06 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2018-02-07 | 06 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2018-02-07 | 06 | Alexey Melnikov | [Ballot discuss] I think this is a useful document and I will ballot Yes once my small issues are resolved: 1) In 3.4: "The first RRset in the chain MUST contain the TLSA record set being presented. However, if the owner name of the TLSA record set is an alias (CNAME or DNAME), then it MUST be preceded by the chain of alias records needed to resolve it. DNAME chains should omit unsigned CNAME records that may have been synthesized in the response from a DNS resolver." SHOULD? What are the implications if this is not followed? 2) TLS 1.3 needs to be a normative reference, but it is not even listed in References. |
2018-02-07 | 06 | Alexey Melnikov | [Ballot comment] The first mention of NSEC3 needs a normative reference. |
2018-02-07 | 06 | Alexey Melnikov | [Ballot Position Update] New position, Discuss, has been recorded for Alexey Melnikov |
2018-02-07 | 06 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2018-02-07 | 06 | Eric Rescorla | [Ballot discuss] This draft seems generally sound, but I believe there are pieces that are still underspecified. These should be easy to fix. "the Signer's Name field in canonical form and the signature field excluded." IMPORTANT: I'm not sure that this is actually sufficient to allow an independent implementation without referring to the other documents. I mean, I think I pretty clearly can't validate this chain from the above. Similarly, although I think this is enough to break apart the RRSETs into RRs, it doesn't tell me how to separate the RRSETs from each other. I think you need to either make this a lot more complete or alternately stop saying it's sufficient. "abort the connection, the server uses the domain name associated with the server IP address to which the connection has been established." IMPORTANT: "the domain name" is not unambiguous. Hosts can have multiple names for the same IP. "DNSSEC authentication chain extension from a server, SHOULD use this information to perform DANE authentication of the server. In order to do this, it uses the mechanism specified by the DNSSEC protocol" IMPORTANT: What happens if the DANE validates but the cert is revoked, or alternately the cert validates but DANE does not? "[RFC4035] [RFC5155]. This mechanism is sometimes implemented in a DNSSEC validation engine or library." IMPORTANT: shouldn't it be a requirement to perform this validation? |
2018-02-07 | 06 | Eric Rescorla | [Ballot comment] "typically not be used for general DNSSEC validation of TLS endpoint names." Can you rephrase this. I *think* it means "it's not used to validate the A/AAAA lookup"...? "validation of endpoint names, but is more appropriate for validation of DANE TLSA records." Same comment as above. "This mechanism is useful for TLS applications that need to address the problems described above, typically web browsers or VoIP and XMPP applications. It may not be relevant for many other applications." Nit; cites to SIP/XMPP appropriate here. "ClientHello message that the DNS authentication chain be returned in the (extended) ServerHello message. If the server is configured for DANE authentication, then it performs the appropriate DNS queries," This is not correct for TLS 1.3. "3.1. Protocol, TLS 1.2" You should probably provide some guidance about whether the server should still provide the whole X.509 chain to the client. I believe with these semantics, the server cannot tell which DANE mode the client wants and therefore has to provide the entire chain. "Servers receiving a "dnssec_chain" extension in the ClientHello, and which are capable of being authenticated via DANE, MAY return a serialized authentication chain in the extended ServerHello message," Nit: I believe you want to remove the commas here, as they indicate a nonrestrictive clause. "arbitrary domain names using this mechanism. Therefore, a server MUST NOT construct chains for domain names other than its own." "its own" is a bit fraught, as servers may not actually know all their domain names, at least at the TLS layer. Can you be more specific about what the server algorithm is. "Servers receiving a "dnssec_chain" extension in the ClientHello, and which are capable of being authenticated via DANE, SHOULD return a serialized authentication chain in the extension block of the" Why is this a SHOULD where the corresponding reqt for TLS 1.2 and below is a MAY? "to a DNSSEC trust root. This has the added benefit of mitigating an unknown key share attack, as described in [I-D.barnes-dane-uks], since it effectively augments the raw public key with the server's "unknown key share (UKS)" handshake, to a domain name which has been validated as belonging to the owner name." The key point here is that the commitment is bound to the EE key. Also, this only really works for TLS 1.3 and modes with EMS because otherwise there are other UKS attacks. I think you probably want to cite SIGMA and triple handshake here. "opaque AuthenticationChain<0..2^16-1>" Is 0 actually appropriate here as a lower bound? Presumably at least one such instance must be present? "RR(i) = owner \| type \| class \| TTL \| RDATA length \| RDATA" I assume the notation here is "i is the ith RR"? Is there a reason not to describe this in TLS language? ". DNSKEY RRSIG(. DNSKEY)" How does this differ from the algorithm that you would use in response to the TLSA query? "the draft is adopted by the WG, the authors expect to make an early allocation request as specified in [RFC7120]." Do you want this to be marked RECOMMENDED? |
2018-02-07 | 06 | Eric Rescorla | [Ballot Position Update] New position, Discuss, has been recorded for Eric Rescorla |
2018-02-07 | 06 | Mirja Kühlewind | [Ballot comment] Two minor, mostly editorial comments: 1) Intro (sec 2): "It also provides the ability to avoid potential problems with TLS clients being unable to look up DANE records because of an interfering or broken middlebox on the path between the client and a DNS server." Is that actually a well-known problem (can you provide a reference?) or would it be enough to say something like this: "It also provides the ability to avoid potential problems with TLS clients being unable to look up DANE records when the DNS server is not reachable." 2) IANA Considerations should probably be updated. |
2018-02-07 | 06 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
2018-02-07 | 06 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
2018-02-06 | 06 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2018-02-06 | 06 | Adam Roach | [Ballot comment] I like this mechanism and look forward to its deployment. I have one point of clarification and a small handful of editorial comments. First, the point of clarification: §4: > if the server does not recognize the provided name and wishes to proceed with the handshake rather than to abort the connection, the server uses the domain name associated with the server IP address to which the connection has been established. Unless I missed something important, this scenario doesn't seem to make much sense: if the client provides name A and the server replies with name B, the client either (1) isn't performing server name validation (in which case it is nonsense for the client to ask for a dnssec_chain), or (2) is going to error out the connection. Do I have that right? If there's some situation in which the server acting as described above provides some benefit, I would love to see it described in here. If it's just a matter of having completely described behavior for corner cases, it may be worthwhile indicating that the client will reject the connection if the server decides to complete the handshake like this. --- > Intended status: Standards Track R. Barnes > Expires: July 27, 2018 Mozilla s/Mozilla/Cisco/ --- §1: > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. This document has significant usage of these terms in lowercase. Please consider using the boilerplate from RFC 8174 instead. --- §3.3: > the case in DANE in which a client either ignores the name in certificate (as specified in [RFC7671] or there is no attestation of Nit: "...in the certificate..." Nit: Add closing paren after [RFC7671] --- §4: > specific processing needed for aliases and wildcards. If DNS responses messages contain any domain names utilizing name Nit: "response" |
2018-02-06 | 06 | Adam Roach | Ballot comment text updated for Adam Roach |
2018-02-06 | 06 | Adam Roach | [Ballot comment] I like this mechanism and look forward to its deployment. I have one question and a small handful of editorial comments. First, the question: §4: > if the server does not recognize the provided name and wishes to proceed with the handshake rather than to abort the connection, the server uses the domain name associated with the server IP address to which the connection has been established. Unless I missed something important, this scenario doesn't seem to make much sense: if the client provides name A and the server replies with name B, the client either (1) isn't performing server name validation (in which case it is nonsense for the client to ask for a dnssec_chain), or (2) is going to error out the connection. Do I have that right? If there's some situation in which the server acting as described above provides some benefit, I would love to see it described in here. If it's just a matter of having completely described behavior for corner cases, it may be worthwhile indicating that the client will reject the connection if the server decides to complete the handshake like this. --- > Intended status: Standards Track R. Barnes > Expires: July 27, 2018 Mozilla s/Mozilla/Cisco/ --- §1: > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. This document has significant usage of these terms in lowercase. Please consider using the boilerplate from RFC 8174 instead. --- §3.3: > the case in DANE in which a client either ignores the name in certificate (as specified in [RFC7671] or there is no attestation of Nit: "...in the certificate..." Nit: Add closing paren after [RFC7671] --- §4: > specific processing needed for aliases and wildcards. If DNS responses messages contain any domain names utilizing name Nit: "response" |
2018-02-06 | 06 | Adam Roach | [Ballot Position Update] New position, Yes, has been recorded for Adam Roach |
2018-02-06 | 06 | Matthew Miller | Request for Telechat review by GENART Completed: Ready with Nits. Reviewer: Matthew Miller. Sent review to list. |
2018-02-06 | 06 | Kathleen Moriarty | Ballot has been issued |
2018-02-06 | 06 | Kathleen Moriarty | [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty |
2018-02-06 | 06 | Kathleen Moriarty | Created "Approve" ballot |
2018-02-06 | 06 | Kathleen Moriarty | Ballot writeup was changed |
2018-02-02 | 06 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2018-02-02 | 06 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-ietf-tls-dnssec-chain-extension-06. If any part of this review is inaccurate, please let us know. The IANA Services Operator understands that, upon approval of this document, there is a single action which we must complete. In the ExtensionType Values registry on the Transport Layer Security (TLS) Extensions registry page located at: https://www.iana.org/assignments/tls-extensiontype-values/ a single new value will be registered as follows: Value: [ TBD-at-Registration ] Description: dnssec_chain Reference: [ RFC-to-be ] We note that the authors have requested that the value 53 be used for this registration. The IANA Services Operator understands that this is the only action required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm the list of actions that will be performed. Thank you, Sabrina Tanamal, Senior IANA Services Specialist |
2018-01-25 | 06 | Tero Kivinen | Request for Telechat review by SECDIR is assigned to Ólafur Guðmundsson |
2018-01-25 | 06 | Tero Kivinen | Request for Telechat review by SECDIR is assigned to Ólafur Guðmundsson |
2018-01-25 | 06 | Jean Mahoney | Request for Telechat review by GENART is assigned to Matthew Miller |
2018-01-25 | 06 | Jean Mahoney | Request for Telechat review by GENART is assigned to Matthew Miller |
2018-01-25 | 06 | Kathleen Moriarty | Placed on agenda for telechat - 2018-02-08 |
2018-01-25 | 06 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Ignas Bagdonas |
2018-01-25 | 06 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Ignas Bagdonas |
2018-01-24 | 06 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2018-01-24 | 06 | Cindy Morgan | The following Last Call announcement was sent out (ends 2018-02-07): From: The IESG To: IETF-Announce CC: draft-ietf-tls-dnssec-chain-extension@ietf.org, Kathleen.Moriarty.ietf@gmail.com, Joseph Salowey, tls-chairs@ietf.org, shuque@gmail.com, joe@salowey.net, tls@ietf.org Reply-To: ietf@ietf.org Sender: Subject: Last Call: (A DANE Record and DNSSEC Authentication Chain Extension for TLS) to Proposed Standard. The IESG has received a request from the Transport Layer Security WG (tls) to consider the following document: - 'A DANE Record and DNSSEC Authentication Chain Extension for TLS' as Proposed Standard. The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2018-02-07. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract: This draft describes a new TLS extension for transport of a DNS record set serialized with the DNSSEC signatures needed to authenticate that record set. The intent of this proposal is to allow TLS clients to perform DANE authentication of a TLS server without needing to perform additional DNS record lookups. It will typically not be used for general DNSSEC validation of TLS endpoint names. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-tls-dnssec-chain-extension/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-tls-dnssec-chain-extension/ballot/ No IPR declarations have been submitted directly on this I-D. |
2018-01-24 | 06 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2018-01-24 | 06 | Kathleen Moriarty | Last call was requested |
2018-01-24 | 06 | Kathleen Moriarty | Ballot approval text was generated |
2018-01-24 | 06 | Kathleen Moriarty | Ballot writeup was generated |
2018-01-24 | 06 | Kathleen Moriarty | IESG state changed to Last Call Requested from Publication Requested |
2018-01-24 | 06 | Kathleen Moriarty | Last call announcement was generated |
2018-01-24 | 06 | Joseph Salowey | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 24 February 2012. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? A standards track RFC is requested, as specified in the header of the draft. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This draft describes a new TLS extension for transport of a DNS record set serialized with the DNSSEC signatures needed to authenticate that record set. The intent of this proposal is to allow TLS clients to perform DANE authentication of a TLS server without needing to perform additional DNS record lookups. It will typically not be used for general DNSSEC validation of TLS endpoint names. Working Group Summary: While the document does not share the same broad interest as TLS 1.3, it does have good support from a segment of the working group. It has been reviewed by working group participants and DNS-knowledgeable folks outside the working group. We do not know of any remaining controversial issues. Document Quality: The document has some initial prototype implementations that are available for testing. The getdns project is planning on implementing against this draft. The document has good consensus within the working group. Personnel: The document shepherd is Joseph Salowey and the responsible AD is Kathleen Moriarty. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document has been reviewed by the document shepherd and is ready for publication. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. The document has been reviewed by members of the DNS community. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. No specific issues. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed? If not, explain why. Yes. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The document has good consensus from the segment of the working group that is interested in it. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See https://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. No nits. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. N/A. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocation procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). No new registries are created and the updates are clear. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. No new registries. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. N/A. |
2018-01-24 | 06 | Joseph Salowey | Responsible AD changed to Kathleen Moriarty |
2018-01-24 | 06 | Joseph Salowey | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2018-01-24 | 06 | Joseph Salowey | IESG state changed to Publication Requested |
2018-01-24 | 06 | Joseph Salowey | IESG process started in state Publication Requested |
2018-01-24 | 06 | Joseph Salowey | Tag Doc Shepherd Follow-up Underway cleared. |
2018-01-24 | 06 | Joseph Salowey | Tag Revised I-D Needed - Issue raised by WGLC cleared. |
2018-01-24 | 06 | Joseph Salowey | IETF WG state changed to WG Consensus: Waiting for Write-Up from Waiting for WG Chair Go-Ahead |
2018-01-23 | 06 | Shumon Huque | New version available: draft-ietf-tls-dnssec-chain-extension-06.txt |
2018-01-23 | 06 | (System) | New version approved |
2018-01-23 | 06 | (System) | Request for posting confirmation emailed to previous authors: Melinda Shore, Willem Toorop, Richard Barnes, Shumon Huque |
2018-01-23 | 06 | Shumon Huque | Uploaded new revision |
2018-01-22 | 05 | Joseph Salowey | Changed document writeup |
2018-01-16 | 05 | Joseph Salowey | Tag Revised I-D Needed - Issue raised by WGLC set. |
2018-01-11 | 05 | Joseph Salowey | Tag Doc Shepherd Follow-up Underway set. Tag Revised I-D Needed - Issue raised by WGLC cleared. |
2018-01-11 | 05 | Joseph Salowey | IETF WG state changed to Waiting for WG Chair Go-Ahead from WG Consensus: Waiting for Write-Up |
2017-10-29 | 05 | Melinda Shore | New version available: draft-ietf-tls-dnssec-chain-extension-05.txt |
2017-10-29 | 05 | (System) | New version approved |
2017-10-29 | 05 | (System) | Request for posting confirmation emailed to previous authors: Melinda Shore, Willem Toorop, Richard Barnes, Shumon Huque |
2017-10-29 | 05 | Melinda Shore | Uploaded new revision |
2017-07-20 | 04 | Joseph Salowey | Tag Revised I-D Needed - Issue raised by WGLC set. |
2017-07-20 | 04 | Joseph Salowey | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2017-06-28 | 04 | Sean Turner | IETF WG state changed to In WG Last Call from WG Document |
2017-06-01 | 04 | Melinda Shore | New version available: draft-ietf-tls-dnssec-chain-extension-04.txt |
2017-06-01 | 04 | (System) | New version approved |
2017-06-01 | 04 | (System) | Request for posting confirmation emailed to previous authors: Melinda Shore, Willem Toorop, Shumon Huque, tls-chairs@ietf.org, Richard Barnes |
2017-06-01 | 04 | Melinda Shore | Uploaded new revision |
2017-05-01 | 03 | Sean Turner | Notification list changed to Joseph Salowey <joe@salowey.net>, shuque@gmail.com from Joseph Salowey <joe@salowey.net> |
2017-03-27 | 03 | Melinda Shore | New version available: draft-ietf-tls-dnssec-chain-extension-03.txt |
2017-03-27 | 03 | (System) | New version approved |
2017-03-27 | 03 | (System) | Request for posting confirmation emailed to previous authors: Willem Toorop, Melinda Shore, tls-chairs@ietf.org, Richard Barnes, Shumon Huque |
2017-03-27 | 03 | Melinda Shore | Uploaded new revision |
2017-03-22 | 02 | Sean Turner | Notification list changed to Joseph Salowey <joe@salowey.net> |
2017-03-22 | 02 | Sean Turner | Document shepherd changed to Joseph A. Salowey |
2017-03-22 | 02 | Sean Turner | Changed consensus to Yes from Unknown |
2017-03-22 | 02 | Sean Turner | Intended Status changed to Proposed Standard from None |
2017-03-22 | 02 | Sean Turner | This document now replaces draft-shore-tls-dnssec-chain-extension instead of None |
2017-01-11 | 02 | Melinda Shore | New version available: draft-ietf-tls-dnssec-chain-extension-02.txt |
2017-01-11 | 02 | (System) | New version approved |
2017-01-11 | 02 | (System) | Request for posting confirmation emailed to previous authors: "Shumon Huque", "Melinda Shore", "Richard Barnes", "Willem Toorop" |
2017-01-11 | 02 | Melinda Shore | Uploaded new revision |
2017-01-08 | 01 | (System) | Document has expired |
2016-07-07 | 01 | Melinda Shore | New version available: draft-ietf-tls-dnssec-chain-extension-01.txt |
2016-06-04 | 00 | Melinda Shore | New version available: draft-ietf-tls-dnssec-chain-extension-00.txt |
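
The wire layout that Eric Rescorla's and Alexey Melnikov's ballot comments above pick at (each RR serialized as owner, type, class, TTL, RDATA length and RDATA inside an opaque AuthenticationChain of at most 2^16-1 bytes; the TLSA RRset first, each RRset followed by its RRSIG, ending at the root DNSKEY) is easier to reason about with a parser in hand. The Python below is an added example written for this page; it is not code from the draft, its authors or the getdns project. It assumes the standard RFC 1035 RR wire format with uncompressed owner names, the DANE owner-name convention `_443._tcp.<host>`, and constructed sample records whose DNSKEY, DS and RRSIG RDATA are dummies. It performs no DNSSEC signature verification. What it shows is how a client splits the extension body into RRsets (the separation Rescorla says the text does not explain), refuses truncated or oversized input, and rejects a chain that does not begin with the TLSA RRset for the name the client actually asked about (the "domain names other than its own" concern raised by Kumari and Rescorla), all before the chain is handed to a DNSSEC validator. Alias (CNAME/DNAME) prefixes and wildcard NSEC/NSEC3 proofs, which the draft permits, are out of scope here.

```python
import struct
from typing import NamedTuple

TYPE_DS, TYPE_RRSIG, TYPE_DNSKEY, TYPE_TLSA, CLASS_IN = 43, 46, 48, 52, 1  # IANA codes

class RR(NamedTuple):
    owner: str      # lower-cased presentation form with trailing dot
    rtype: int
    rclass: int
    ttl: int
    rdata: bytes

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, then a zero byte."""
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".") if name.rstrip(".")]
    if any(not 0 < len(lab) < 64 for lab in labels):
        raise ValueError(f"bad label in {name!r}")
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    """Decode an uncompressed name; a compression pointer (top bits 11) is treated as malformed."""
    labels = []
    while off < len(buf):
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0 or off + n > len(buf):
            raise ValueError("compression pointer or truncated label")
        labels.append(buf[off:off + n].decode("ascii").lower())
        off += n
    raise ValueError("truncated name")

def serialize_chain(rrs: list[RR]) -> bytes:
    """RR = owner | type | class | TTL | RDATA length | RDATA; body is an opaque <0..2^16-1> vector."""
    body = b"".join(encode_name(r.owner) + struct.pack("!HHIH", r.rtype, r.rclass, r.ttl, len(r.rdata))
                    + r.rdata for r in rrs)
    if len(body) > 0xFFFF:
        raise ValueError("chain too large for a 16-bit TLS vector")
    return struct.pack("!H", len(body)) + body

def parse_chain(ext: bytes) -> list[RR]:
    """Split the extension body into RRs, refusing truncated or over-long input."""
    if len(ext) < 2 or struct.unpack_from("!H", ext, 0)[0] != len(ext) - 2:
        raise ValueError("AuthenticationChain length does not match extension body")
    off, rrs = 2, []
    while off < len(ext):
        owner, off = decode_name(ext, off)
        if off + 10 > len(ext):
            raise ValueError("truncated RR header")
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", ext, off)
        rdata = ext[off + 10:off + 10 + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += 10 + rdlen
        rrs.append(RR(owner, rtype, rclass, ttl, rdata))
    return rrs

def rrset_key(rr: RR) -> tuple:
    """Owner, class and type identify an RRset; for RRSIG the 'type covered' field too."""
    if rr.rtype == TYPE_RRSIG and len(rr.rdata) < 18:
        raise ValueError("RRSIG RDATA shorter than its fixed fields")
    covered = struct.unpack_from("!H", rr.rdata, 0)[0] if rr.rtype == TYPE_RRSIG else None
    return (rr.owner, rr.rclass, rr.rtype, covered)

def group_rrsets(rrs: list[RR]) -> list[list[RR]]:
    """Consecutive RRs with the same key are one RRset: this is how the RRsets are separated."""
    sets: list[list[RR]] = []
    for rr in rrs:
        if sets and rrset_key(sets[-1][0]) == rrset_key(rr):
            sets[-1].append(rr)
        else:
            sets.append([rr])
    return sets

def check_chain_shape(rrs: list[RR], expected_tlsa_owner: str) -> tuple[bool, str]:
    """Shape checks before DNSSEC validation: TLSA RRset first, an RRSIG after every RRset, root DNSKEY last."""
    sets = group_rrsets(rrs)
    if not sets or sets[0][0].rtype != TYPE_TLSA or sets[0][0].owner != expected_tlsa_owner.lower():
        return False, f"chain does not start with the TLSA RRset for {expected_tlsa_owner}"
    for i in range(0, len(sets), 2):
        data = sets[i][0]
        if data.rtype == TYPE_RRSIG or i + 1 == len(sets):
            return False, f"{data.owner} type {data.rtype} is not an RRset followed by its RRSIG"
        if rrset_key(sets[i + 1][0]) != (data.owner, data.rclass, TYPE_RRSIG, data.rtype):
            return False, f"RRSIG after {data.owner} does not cover type {data.rtype}"
    if sets[-2][0].rtype != TYPE_DNSKEY or sets[-2][0].owner != ".":
        return False, "chain does not end at the root DNSKEY RRset"
    return True, "ok"

def sample_chain() -> bytes:
    """Constructed sample (dummy keys and signatures): TLSA for _443._tcp.example.com. up to the root."""
    def pair(owner, rtype, rdata, signer):
        sig = struct.pack("!HBBIIIH", rtype, 13, 2, 3600, 0, 0, 0) + encode_name(signer) + b"\x00" * 64
        return [RR(owner, rtype, CLASS_IN, 3600, rdata), RR(owner, TYPE_RRSIG, CLASS_IN, 3600, sig)]
    return serialize_chain(
        pair("_443._tcp.example.com.", TYPE_TLSA, b"\x03\x01\x01" + b"\x11" * 32, "example.com.")
        + pair("example.com.", TYPE_DNSKEY, b"\x01\x01\x03\x0d" + b"\x22" * 32, "example.com.")
        + pair("example.com.", TYPE_DS, b"\x00\x01\x0d\x02" + b"\x33" * 32, "com.")
        + pair("com.", TYPE_DNSKEY, b"\x01\x01\x03\x0d" + b"\x44" * 32, "com.")
        + pair("com.", TYPE_DS, b"\x00\x01\x0d\x02" + b"\x55" * 32, ".")
        + pair(".", TYPE_DNSKEY, b"\x01\x01\x03\x0d" + b"\x66" * 32, "."))
```

A client would call `check_chain_shape(parse_chain(body), "_443._tcp." + sni_host + ".")` on the extension body it receives (in whichever handshake message the draft assigns the extension to for the TLS version in use) before invoking its DNSSEC validator. A client that asked for the extension should treat a malformed or mis-targeted chain as a handshake failure rather than silently fall back to PKIX-only authentication; otherwise an on-path attacker removes the DANE protection simply by corrupting the chain.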