
Re: DNSEXT WGLC: DNSSEC Opt-in



At 15:30 2003-02-04, Mark Kosters wrote:
> On Tue, Feb 04, 2003 at 01:17:38PM -0500, Ólafur Gudmundsson/DNSEXT co-chair wrote:
> > Note: We are only asking the technical questions about Opt-in; the political
> > question of whether we want to standardize this will be addressed if the
> > technical questions are affirmative.
>
> I'm really puzzled by this process. Can you map this out for me please?

I'm really sorry to have to do this to you, but recent history of DNSEXT
forces us chairs to be extra careful and make sure there is documentation
in the working group mailing list supporting all actions we take.

Process for Opt-in:
Step 1: force people to publicly state that they have reviewed the document
        and what changes, if any, are needed.
        At the same time extract whatever information possible about
        implementations and testing for the public record.

Step 2: Chairs make a statement about the technical soundness of the document.

Step 3: Once the chairs declare the specification sufficiently good, the political
        discussion on "do we want to do Opt-in" will be started.

The thing that Randy and I want to avoid is people pointing at a minor document
defect and using that to object to Opt-in in general.

> > Q: Is the description in the document of Opt-In complete?
>
> Yes. We had one quibble with opt-in using wildcards. The current draft
> forbids the negative wildcard proof to be returned, but the implementation
> we used did return the negative wildcard proof (that is, an additional NXT
> record was sent covering the non-existent wildcard). Perhaps the draft
> needs to be relaxed to allow for the proof to be sent, since it seems to
> do no harm.

> > Q: Does this document satisfy people as being an implementable and testable
> > specification?
>
> WRT opt-in, we tested with two authoritative servers (ISC and VeriSign) and
> one opt-in aware recursive server (ISC). A mixture of delegations were
s/server/resolver/ ?

> tested (fully secure, opt-in, and insecure) and all worked. So, it looks
> to me like the specifications are clear.
This is exactly the kind of information we need.

> > Q: Are there implementations of opt-in and have there been any tests?
>
> Yes. See above.  We had a workshop Jan 21-23 @ RIPE and I understand the
> results are going to be posted soon. Some of the tests run are listed
> at http://www.verisignlabs.com/workshop/index.html.
Please post the contents of this web page to the mailing list or include
the relevant details in the report.[1]

> And, I guess it should be no surprise that I support the advancement
> of opt-in.
Thanks

        Olafur
[1] The reason I sometimes insist on posting the contents of web pages
to the mailing list has to do with my history background.
A message to a mailing list is a record at a particular time instant that can
be attributed to a certain person; a web page is a living thing that
can be updated.
The analogy is the difference between a letter and word-of-mouth.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>