
Re: [dnsext] Trust Anchors



On Sun, Oct 25, 2009 at 06:05:21AM -0700, Bob Halley wrote:

> didn't see such a strong consensus for the ANY approach.  At best I  
> saw support for ANY + CLOSEST (and perhaps other schemes).  

Could you say more about what "ANY + CLOSEST" would be?  That is,
since closest is obviously inside the any chain, if any works then by
definition closest works, assuming closest is in fact a valid key.  

Is the idea of "ANY + CLOSEST" that any works as long as closest
works?  If so, how is that different from closest?

By the way, when we last discussed this I formed the impression of at
least a substantial number of people in favour of the ANY strategy, so
I'm surprised you came to a different conclusion on reading the
archive.  I'll go back and have another look, though.

> I propose that the draft mandate the use of CLOSEST and suggest the  
> use of RFC 5011 to avoid staleness.  If there's no consensus for that,  
> I'd be satisfied with just removing section 4.9.

Speaking with no hat, I am opposed to both of those options.

I oppose mandating the use of CLOSEST because, on my reading, it
imports degrees of trust into a system that is simply not designed
with degrees of trust in the first place.  I am especially
uncomfortable with promoting degrees of trust on the implicit basis of
some other property.  

I oppose removing the section because it is quite plain that the issue
is not clear to everyone.  Those of us involved in an ICANN RSTEP
review of PIR's .org plans, for example, were all surprised by this
interpretation of the RFCs; and while I will happily concede that I am
often confused (so my own surprise might not be a big deal), I feel
rather strongly that the other participants' surprise was an
indication of a serious ambiguity in the specification.  I'd prefer to
see the inclusion of a mandate for CLOSEST than to see the section
dropped completely.

With my co-chair hat back on, but speaking only for myself, I think it
is super important that we come to some conclusion about this quickly,
produce the relevant text, and move on.  Let us please settle on
something and forge a consensus on it, so that we can tell the rest of
the world (which is busily deploying this technology) an unambiguous
story about how it all works.

Best,

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.