To: Paul Wouters <paul@xelerance.com>
Cc: dnssec@cafax.se
From: Roy Arends <roy@dnss.ec>
Date: Mon, 21 Jun 2004 20:57:41 +0200 (CEST)
In-Reply-To: <sjmeko8n77u.fsf@dogbert.ihtfp.org>
Sender: owner-dnssec@cafax.se
Subject: Re: continued: rrsig(qtype)
On Mon, 21 Jun 2004, Derek Atkins wrote:

> I don't think Paul has been reading namedroppers. I think
> you're better served by suggesting that Paul read the thread
> over there before re-responding to issues that have already
> been discussed there..

Ah, okay.

Paul, the chairs of the DNSEXT WG declared a radio silence on namedroppers with regards to everything that is likely to be an alternative to the current NSEC definition in the DNSSEC-bis documents. This radio silence has been declared so that the primary focus of the WG can be advancing the internet-drafts to the IESG to become RFCs. There were a few minor editorial issues and a few clarification issues, no protocol bugs.

The big question that the chairs would like the WG to answer is "Does advancing DNSSECbis to IESG prevent NSEC-alt in the future?". The need for consensus on this is clear. This question deals with either a seamless or a graceful transition to a possible future NSEC alternative.

As a primer for this discussion, some have suggested ideas, some good, some less good, which have been written up in a (to be informational) draft called "draft-ietf-dnsext-dnssec-trans-00". This is what I referred to as the "-trans" document. This draft has short-term and long-term solutions. One of the solutions to have a future version of DNSSEC has been drafted in "draft-vixie-dnssec-ter-01". While -trans deals with grouping possible future extensions, and dnssec-ter is one of the possible vehicles, the actual alternatives have yet to be accepted as a WG document. Currently there is an individual draft from Ben Laurie, "draft-laurie-dnsext-nsec2-00.txt", that has an alternative for NSEC using hashed ownernames. This is partly based on a similar concept (NO RR) that was drafted by Simon Josefsson in the past ("draft-ietf-dnsext-not-existing-rr-01").

An alternative that has a side-effect of not enumerating all contents of a zone was opt-in ("draft-ietf-dnsext-dnssec-opt-in-05"), even though that was not its primary design goal. A fourth alternative to NSEC was bloom-filters ("draft-bellovin-dnsext-bloomfilt-00"), and a fifth alternative was introduced by me the other day that deals with signing an explicit denial for ownername+qtype (hence the term rrsig(qtype)). I know of a 6th proposal to deal with an alternative to NSEC, which will arrive in due time.

Since rrsig(qtype) was new, some have asked if this can be done already with minor tweaks to both the docs and the current implementations in release-candidate status. The short answer is NO, it can't be done with the current implementations and document set, so I pulled it off namedroppers and brought it here to honour the radio silence on namedroppers wrt future extensions.

As for the why: the rrsig(qtype) solution (hack, if you will) is not even close to stable, corner cases have not been discussed, and there is no 'formal' document on what it should look like; for all this to arrive, the delay would be at least a year. Since I'm a co-author of the dnssec-drafts, I thought it might clear the air (and my desk) to forward those to the IESG first, and then formalise the brainstormed proposals.

Long story short: this is mere brainstorming of what a future alternative might look like. It is to be a pure technical discussion (iiuc). That is why I was strong and short in my reaction about the (perceived) diffusion of this discussion about rrsig(qtype). I do understand and share your concerns about delaying DNSSEC any further, and I assume your concerns might have been written out of frustration with the whole process without prior knowledge. I hope this helps in clarifying what this is about, and my apologies to the list (and Paul of course) for dumping this proposal on dnssec@cafax without prior notice. I hope the discussion on rrsig(qtype) continues. Thanks Derek for the notice!

Roy

trans: http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-trans-00.txt
ter: http://ops.ietf.org/lists/namedroppers/namedroppers.2004/msg00967.html
nsec2: http://www.links.org/dnssec/draft-laurie-dnsext-nsec2-00.txt
NO RR: http://www.josefsson.org/draft-ietf-dnsext-not-existing-rr.txt
opt-in: https://www.dnssec.verisignlabs.com/website/dnssec.htm
bloom-filters: http://www.research.att.com/~smb/papers/draft-bellovin-dnsext-bloomfilt-00.txt
rrsig(qtype): http://www.cafax.se/dnssec/maillist/2004-06/msg00001.html