Dear colleagues,
Title : Requirements related to DNSSEC Trust Anchor Rollover
Author(s) : Eland, Mundy, Crocker, Krishnaswamy
Filename : draft-ietf-dnsext-rollover-requirements-04
Date : November 27, 2006
Document shepherd: Olaf Kolkman
This is a request to publish the document as informational.
This draft relates to draft-ietf-dnsext-trustupdate-timers-04 and we
think these two documents should be treated together.
1) Have the chairs personally reviewed this version of the ID and do
they believe this ID is sufficiently baked to forward to the IESG
for publication?
The shepherding chair (Olaf) has reviewed the document and believes the
document is ready for IESG submission.
2) Has the document had adequate review from both key WG members and
key non-WG members? Do you have any concerns about the depth or
breadth of the reviews that have been performed?
There has been an active core of WG members involved in creating this
document. The document has been reviewed and explicitly supported by:
- Scott Rose
  http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01280.html
- Wouter Wijngaards
  http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01294.html
- Char Sample
  http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01307.html
- Andrew Sullivan
  http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01306.html
- Wesley Griffin
  http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01372.html
- Lindy Foster
  http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01309.html
Two people have raised their concerns:
- Bill Manning
  http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01315.html
Who argues that the document does not meet his perception of
key-roll but does not provide technical arguments even when asked
for.
- Thierry Moreau
His arguments are summarized in
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01327.html
and references therein. The issues raised by Mr Moreau
* Lack of a security model for automated trust anchor rollover
* And WG process of intellectual property issue
* Work is beyond the charter of the group
The chairs are of the opinion that these arguments are mostly of
procedural nature.
Note has been taken that 3 folk from the above list are from Sparta
and two of those are not regular contributors to DNSEXT. In addition
there have been responses in the same thread (applying the
requirements to draft-ietf-dnsext-trustupdate-timers) which indicate
that people who have not explicitly supported the draft have read it.
We have confidence that support is the consensus position.
3) Do you have concerns that the document needs more review from a
particular (broader) perspective (e.g., security, operational
complexity, someone familiar with AAA, etc.)?
We think a review by security folk would not hurt, but see below.
4) Do you have any specific concerns/issues with this document that
you believe the ADs and/or IESG should be aware of? For example,
perhaps you are uncomfortable with certain parts of the document,
or whether there really is a need for it, etc., but at the same
time these issues have been discussed in the WG and the WG has
indicated it wishes to advance the document anyway.
See question 2).
5) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with
it?
See question 2)
6) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarize what are they upset about.
Mr Moreau has shown discontent, also see question 2). A relevant
data point may be that Mr. Moreau was not satisfied with the agenda of
the Montreal meeting where these items were discussed.
7) Have the chairs verified that the document adheres to _all_ of the
ID nits? (see http://www.ietf.org/ID-nits.html).
8) For Standards Track and BCP documents, the IESG approval
announcement includes a writeup section with the following
sections:
- Technical Summary
- Working Group Summary
- Protocol Quality
Summary.
This document provides a number of "requirements" for key-rollover in a
DNSSEC operational environment.
DNSSEC has been designed in such a way that zone operators can roll
their key-signing key; when those key-signing keys are configured as
trust anchors in remote resolvers, those resolvers should automatically
adapt to these changes. This document sets out the requirements that
must be met by a DNS trust-anchor rollover solution for DNSSEC aware
resolvers.
As described in section 1 and 2, this document is intended to capture
the various requirements and use those in making a trade-off between
the various proposals that were available to the group. These
requirements acted as "goals". With the selection of
draft-ietf-dnsext-trustupdate-timers this document has no further
relevance. It is requested to be published as informational.
-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/