From pk at DENIC.DE Sun Jun 8 23:24:35 2008
From: pk at DENIC.DE (Peter Koch)
Date: Sun, 8 Jun 2008 23:24:35 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
Message-ID: <20080608212435.GC27952@x27.adm.denic.de>

Folks,

our job is basically done and the letter to IANA eventually on its way,
but since we're all here, here's an idea for an additional requirement:

Inspired by the RSTEP report on PIR's ORG signing proposal, should
the TAR differentiate between "no TA present" and "no TA exists"?
The TAR, even the IANA one, will likely not claim to be exhaustive
since it is opt-in only. However, when a TA is removed from the TAR,
the consuming validator has no idea what to do with that particular
TLD. It could continue to use the old TA, assuming that the distribution
channel was just abandoned, or it could remove the TA from its
configuration.
So, without assessing the PIR exit strategy, would it be a reasonable
additional requirement for the TAR to allow for a NUL TA that means
"no TA here" or "TA deliberately revoked"?

-Peter

From Joao_Damas at isc.org Mon Jun 9 10:27:38 2008
From: Joao_Damas at isc.org (Joao Damas)
Date: Mon, 9 Jun 2008 10:27:38 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <20080608212435.GC27952@x27.adm.denic.de>
References: <20080608212435.GC27952@x27.adm.denic.de>
Message-ID: <008732CC-17D6-4619-9D73-CB8E74859782@isc.org>

I don't think the IANA would have a reliable way to distinguish between:

a) they are not sending us the key anymore even though it is out there
b) there is no key anymore

so I think putting a requirement like this is not realistic.

If the day comes when the root is signed, if TLDs stop sending their
key to IANA (The root) then the zone will drop off DNSSEC. Let's treat
the TAR the same.
Joao

On 8 Jun 2008, at 23:24, Peter Koch wrote:

> Folks,
>
> our job is basically done and the letter to IANA eventually on its way,
> but since we're all here, here's an idea for an additional requirement:
>
> Inspired by the RSTEP report on PIR's ORG signing proposal, should
> the TAR differentiate between "no TA present" and "no TA exists"?
> The TAR, even the IANA one, will likely not claim to be exhaustive
> since it is opt-in only. However, when a TA is removed from the TAR,
> the consuming validator has no idea what to do with that particular
> TLD. It could continue to use the old TA, assuming that the distribution
> channel was just abandoned, or it could remove the TA from its
> configuration.
> So, without assessing the PIR exit strategy, would it be a reasonable
> additional requirement for the TAR to allow for a NUL TA that means
> "no TA here" or "TA deliberately revoked"?
>
> -Peter

From jim at rfc1035.com Mon Jun 9 10:40:32 2008
From: jim at rfc1035.com (Jim Reid)
Date: Mon, 9 Jun 2008 09:40:32 +0100
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <20080608212435.GC27952@x27.adm.denic.de>
References: <20080608212435.GC27952@x27.adm.denic.de>
Message-ID: <7B9E6643-301D-47BA-A742-757A81C294C8@rfc1035.com>

On 8 Jun 2008, at 22:24, Peter Koch wrote:

> Inspired by the RSTEP report on PIR's ORG signing proposal, should
> the TAR differentiate between "no TA present" and "no TA exists"?

Is there really a difference between a TAR saying "no TA exists" and
"I have no TA for this TLD"? From the perspective of those running or
using the TAR, these two statements would appear to be effectively
identical: the TAR has no TA for the TLD in question. I agree with Joao
that adding this new requirement is unrealistic.

From pk at DENIC.DE Mon Jun 9 10:59:56 2008
From: pk at DENIC.DE (Peter Koch)
Date: Mon, 9 Jun 2008 10:59:56 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <008732CC-17D6-4619-9D73-CB8E74859782@isc.org>
References: <20080608212435.GC27952@x27.adm.denic.de> <008732CC-17D6-4619-9D73-CB8E74859782@isc.org>
Message-ID: <20080609085956.GH17735@x27.adm.denic.de>

Mornin',

> I don't think the IANA would have a reliable way to distinguish between:
>
> a) they are not sending us the key anymore even though it is out there
> b) there is no key anymore

there's a difference between the TLD registry not submitting a key, so there's
no statement in the TAR, and the TLD registry explicitly saying the TLD is
unsigned, so there must not be a key.

> If the day comes when the root is signed, if TLDs stop sending their
> key to IANA (The root) then the zone will drop off DNSSEC. Let's treat
> the TAR the same.

Assuming the root will be signed with NSEC instead of NSEC3/opt-out, an
insecure delegation explicitly says there's no TA (which may or may not
be true). This is a different issue from the TLD registry failing to
update the DS(KSK), making the delegation go DNSSEC-lame.

-Peter

From jim at rfc1035.com Mon Jun 9 11:42:17 2008
From: jim at rfc1035.com (Jim Reid)
Date: Mon, 9 Jun 2008 10:42:17 +0100
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <20080609085956.GH17735@x27.adm.denic.de>
References: <20080608212435.GC27952@x27.adm.denic.de> <008732CC-17D6-4619-9D73-CB8E74859782@isc.org> <20080609085956.GH17735@x27.adm.denic.de>
Message-ID:

On 9 Jun 2008, at 09:59, Peter Koch wrote:

> there's a difference between the TLD registry not submitting a key, so there's
> no statement in the TAR, and the TLD registry explicitly saying the TLD is
> unsigned, so there must not be a key.

IMO, a TAR can't ever say a TLD is unsigned*. That would be making a
subjective and possibly political judgement that is best avoided. A TAR
can say "I don't know of a TA for this TLD" or even "there might be a TA
for it at some other TAR". But that's it.
*And yes, I know that if the TA is invalid or has expired, the TAR could
be saying a TLD is unsigned because the TAR knows it doesn't have a valid
key for the TLD any more. But this takes the thread meandering off in a
far too theoretical direction. It's like wondering whether a tree falling
in a forest makes a sound if no-one is there to hear it. Do we really need
to bother about such hypotheticals?

From Joao_Damas at isc.org Mon Jun 9 11:52:17 2008
From: Joao_Damas at isc.org (Joao Damas)
Date: Mon, 9 Jun 2008 11:52:17 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <20080609085956.GH17735@x27.adm.denic.de>
References: <20080608212435.GC27952@x27.adm.denic.de> <008732CC-17D6-4619-9D73-CB8E74859782@isc.org> <20080609085956.GH17735@x27.adm.denic.de>
Message-ID:

On 9 Jun 2008, at 10:59, Peter Koch wrote:

> Mornin',
>
>> I don't think the IANA would have a reliable way to distinguish between:
>>
>> a) they are not sending us the key anymore even though it is out there
>> b) there is no key anymore
>
> there's a difference between the TLD registry not submitting a key, so there's
> no statement in the TAR, and the TLD registry explicitly saying the TLD is
> unsigned, so there must not be a key.

but there is no generic way for IANA to determine that, unless the TLD
chooses to signal it explicitly. In the meantime, if the IANA TAR is your
choice of how to track TAs, the absence of a key would mean, according to
your policy choice, that you would only trust those keys.

>> If the day comes when the root is signed, if TLDs stop sending their
>> key to IANA (The root) then the zone will drop off DNSSEC. Let's treat
>> the TAR the same.
>
> Assuming the root will be signed with NSEC instead of NSEC3/opt-out, an
> insecure delegation explicitly says there's no TA (which may or may not
> be true). This is a different issue from the TLD registry failing to
> update the DS(KSK), making the delegation go DNSSEC-lame.

Yes.
is the argument here that the root should use NSEC3? In any case, the TAR
is not the root zone. Let's not get stuck again, please

Joao

From pk at DENIC.DE Mon Jun 9 11:56:33 2008
From: pk at DENIC.DE (Peter Koch)
Date: Mon, 9 Jun 2008 11:56:33 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To:
References: <20080608212435.GC27952@x27.adm.denic.de> <008732CC-17D6-4619-9D73-CB8E74859782@isc.org> <20080609085956.GH17735@x27.adm.denic.de>
Message-ID: <20080609095633.GI17735@x27.adm.denic.de>

Hi,

> IMO, a TAR can't ever say a TLD is unsigned*. That would be making a
> subjective and possibly political judgement that is best avoided. A

come on, Jim, there's nothing political here. Either the TAR knows the TA,
doesn't know the TLD's status or has been informed that the TA has been
revoked. A NUL key would be an opportunity to communicate the latter.
But I understand there isn't much sympathy for this suggestion, so I'd say
thanks for the reality check and let's leave it that way.

-Peter

From daniel.karrenberg at ripe.net Tue Jun 10 11:19:36 2008
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Tue, 10 Jun 2008 11:19:36 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <20080608212435.GC27952@x27.adm.denic.de>
References: <20080608212435.GC27952@x27.adm.denic.de>
Message-ID: <20080610091936.GD1989@reiftel.karrenberg.net>

On 08.06 23:24, Peter Koch wrote:
> Folks,
>
> our job is basically done and the letter to IANA eventually on its way,
> but since we're all here, here's an idea for an additional requirement:

Has it been sent?

Also, have we heard the promised implementation plan/schedule from IANA yet?
Should we ask?

Daniel

From jim at rfc1035.com Tue Jun 10 16:58:59 2008
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 10 Jun 2008 15:58:59 +0100
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <20080610091936.GD1989@reiftel.karrenberg.net>
References: <20080608212435.GC27952@x27.adm.denic.de> <20080610091936.GD1989@reiftel.karrenberg.net>
Message-ID:

On Jun 10, 2008, at 10:19, Daniel Karrenberg wrote:

> Has it been sent?

Last I heard, Axel had production of the letter in hand. So I expect
it will go out in the next day or so.

> Also, have we heard the promised implementation plan/schedule from
> IANA yet?
> Should we ask?

I've not heard anything and presume no-one else has either. I'll have
a quiet word with Richard.

From jim at rfc1035.com Tue Jun 10 17:04:06 2008
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 10 Jun 2008 16:04:06 +0100
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <20080610091936.GD1989@reiftel.karrenberg.net>
References: <20080608212435.GC27952@x27.adm.denic.de> <20080610091936.GD1989@reiftel.karrenberg.net>
Message-ID: <16608786-109E-43DB-BF70-72E283DC31C8@rfc1035.com>

On Jun 10, 2008, at 10:19, Daniel Karrenberg wrote:

> Has it been sent?

Last I heard, Axel had production of the letter in hand. So I expect
it will go out in the next day or so.

> Also, have we heard the promised implementation plan/schedule from
> IANA yet?
> Should we ask?

I've not heard anything and presume no-one else has either. I'll have
a quiet word with Richard.

From daniel.karrenberg at ripe.net Tue Jun 10 17:09:08 2008
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Tue, 10 Jun 2008 17:09:08 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To:
References: <20080608212435.GC27952@x27.adm.denic.de> <20080610091936.GD1989@reiftel.karrenberg.net>
Message-ID: <20080610150908.GF357@guest-wv-32.ripe.net>

On 10.06 15:58, Jim Reid wrote:
> On Jun 10, 2008, at 10:19, Daniel Karrenberg wrote:
>
> >Has it been sent?
>
> Last I heard, Axel had production of the letter in hand. So I expect
> it will go out in the next day or so.
>
> >Also, have we heard the promised implementation plan/schedule from
> >IANA yet?
> >Should we ask?
>
> I've not heard anything and presume no-one else has either. I'll have
> a quiet word with Richard.

Good idea. Maybe also have a word with Leo Vegoda, he is in the IANA liaison
business now .......

Let me know if I can help.

Daniel

From jim at rfc1035.com Tue Jun 10 18:56:48 2008
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 10 Jun 2008 17:56:48 +0100
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To: <20080610150908.GF357@guest-wv-32.ripe.net>
References: <20080608212435.GC27952@x27.adm.denic.de> <20080610091936.GD1989@reiftel.karrenberg.net> <20080610150908.GF357@guest-wv-32.ripe.net>
Message-ID:

On Jun 10, 2008, at 16:09, Daniel Karrenberg wrote:

> Good idea. Maybe also have a word with Leo Vegoda, he is in the IANA liaison
> business now ......

I will be meeting Leo on Monday. And Axel tonight. So maybe I should
hold these followup tokens?

From daniel.karrenberg at ripe.net Wed Jun 11 01:47:17 2008
From: daniel.karrenberg at ripe.net (Daniel Karrenberg)
Date: Wed, 11 Jun 2008 01:47:17 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To:
References: <20080608212435.GC27952@x27.adm.denic.de> <20080610091936.GD1989@reiftel.karrenberg.net> <20080610150908.GF357@guest-wv-32.ripe.net>
Message-ID: <20080610234717.GM357@guest-wv-32.ripe.net>

On 10.06 17:56, Jim Reid wrote:
> On Jun 10, 2008, at 16:09, Daniel Karrenberg wrote:
>
> >Good idea. Maybe also have a word with Leo Vegoda, he is in the IANA liaison
> >business now ......
>
> I will be meeting Leo on Monday. And Axel tonight. So maybe I should
> hold these followup tokens?

Never turn down a volunteer .... ;-)

Let me know if I can help.

From sanz at denic.de Wed Jun 25 16:00:21 2008
From: sanz at denic.de (Marcos Sanz/Denic)
Date: Wed, 25 Jun 2008 16:00:21 +0200
Subject: [dnssec-key-tf] requirement for "empty TA"?
In-Reply-To:
Message-ID:

Hi Jim,

> On Jun 10, 2008, at 16:09, Daniel Karrenberg wrote:
>
> > Good idea. Maybe also have a word with Leo Vegoda, he is in the IANA liaison
> > business now ......
>
> I will be meeting Leo on Monday. And Axel tonight. So maybe I should
> hold these followup tokens?

I couldn't find any followup in the list to this. Any news?

Best regards,
Marcos

From jim at rfc1035.com Mon Jun 30 18:46:56 2008
From: jim at rfc1035.com (Jim Reid)
Date: Mon, 30 Jun 2008 17:46:56 +0100
Subject: [dnssec-key-tf] end game for the Task Force?
Message-ID: <72C68F5E-AC21-4DEE-99E7-D91E7E1EA606@rfc1035.com>

Colleagues, I think our Task Force is ready to be wound up. The letter we
prepared was sent to ICANN a couple of weeks ago. I have been told that
ICANN expect to announce a formal timeline for deployment of their TAR
soon. However there are some layer-9 issues that need to be handled and
these are out of scope for this TF or the WG. It's best if we don't
interfere.

So my proposal is that we let the TF go dormant for now and review things
around RIPE57. If ICANN has announced its schedule by then, we're done and
the TF can be closed down. If there isn't an announcement, we could either
revive the TF or consider other steps.

Do we agree with this approach or do any of you have other suggestions?
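Editor's added example, not part of the list archive and not code from any of the participants: it models the validator-side problem Peter Koch raised at the top of this thread (a TA vanishes from an opt-in TAR, and the validator cannot tell an abandoned distribution channel from a revoked key) and shows what an explicit "NUL TA" statement would change. Everything here is constructed: the TAR line format ("zone DS key_tag algorithm digest_type digest", i.e. DS presentation format without TTL and class, plus a hypothetical "zone NUL" marker), the key tags and digests, and the two absence policies, which are simply Peter's two options ("keep" the old TA or "remove" it). Joao's objection still stands: the NUL branch only helps where the registry chooses to signal revocation explicitly; silence remains a local policy decision.

```python
"""Reconciling a validator's trust anchors against successive TAR snapshots.

Added example. TAR format, "NUL" marker, key tags and digests are all
constructed for illustration; none are real TLD trust anchors.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

NUL_TA = "NUL"                    # hypothetical "no TA here / TA revoked" marker
DIGEST_HEX_LEN = {1: 40, 2: 64}   # SHA-1 / SHA-256 DS digest lengths (RFC 4034, RFC 4509)
HEX = set("0123456789ABCDEF")


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


# What the TAR says about a zone: a set of DS records, or None for an explicit NUL TA.
Statement = Optional[FrozenSet[DS]]
Action = Tuple[str, Optional[FrozenSet[DS]]]


def parse_tar(text: str) -> Dict[str, Statement]:
    """Parse a TAR snapshot. Zones absent from the result made no statement at all."""
    tar: Dict[str, Optional[set]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        zone = fields[0].lower()
        if not zone.endswith("."):
            zone += "."
        if len(fields) == 2 and fields[1].upper() == NUL_TA:
            if tar.get(zone):                         # DS records already seen for this zone
                raise ValueError(f"{zone}: NUL TA conflicts with DS records")
            tar[zone] = None
            continue
        if len(fields) != 6 or fields[1].upper() != "DS":
            raise ValueError(f"unrecognised TAR line: {raw!r}")
        tag, alg, dtype = int(fields[2]), int(fields[3]), int(fields[4])
        digest = fields[5].upper()
        if len(digest) != DIGEST_HEX_LEN.get(dtype) or not set(digest) <= HEX:
            raise ValueError(f"{zone}: malformed digest for digest type {dtype}")
        if zone in tar and tar[zone] is None:
            raise ValueError(f"{zone}: DS record conflicts with NUL TA")
        tar.setdefault(zone, set()).add(DS(tag, alg, dtype, digest))
    return {z: (None if s is None else frozenset(s)) for z, s in tar.items()}


def reconcile(configured: Dict[str, FrozenSet[DS]],
              snapshot: Dict[str, Statement],
              absence_policy: str) -> Dict[str, Action]:
    """Per-zone action for the validator's anchor set.

    absence_policy only matters for zones that silently vanished from the TAR:
    "keep" assumes the distribution channel was abandoned and keeps the stale
    anchor, "drop" treats silence as revocation. A NUL TA needs no policy.
    """
    if absence_policy not in ("keep", "drop"):
        raise ValueError("absence_policy must be 'keep' or 'drop'")
    actions: Dict[str, Action] = {}
    for zone in sorted(set(configured) | set(snapshot)):
        if zone not in snapshot:
            # No statement: abandoned channel or revoked key? Local policy decides.
            actions[zone] = (("keep-stale", configured[zone]) if absence_policy == "keep"
                             else ("remove", None))
        elif snapshot[zone] is None:
            # Explicit NUL TA: unambiguous, remove if we have it.
            actions[zone] = ("remove", None) if zone in configured else ("ignore", None)
        elif configured.get(zone) == snapshot[zone]:
            actions[zone] = ("unchanged", snapshot[zone])
        elif zone in configured:
            actions[zone] = ("update", snapshot[zone])    # rollover published via the TAR
        else:
            actions[zone] = ("install", snapshot[zone])
    return actions


def apply_actions(configured: Dict[str, FrozenSet[DS]],
                  actions: Dict[str, Action]) -> Dict[str, FrozenSet[DS]]:
    """New anchor configuration; keep-stale/unchanged/ignore leave the entry as is."""
    new = dict(configured)
    for zone, (action, anchors) in actions.items():
        if action in ("install", "update"):
            new[zone] = anchors
        elif action == "remove":
            new.pop(zone, None)
    return new


# Constructed snapshots: a first sync, then one where org. publishes a NUL TA
# and br. silently disappears. Digests are filler, not real anchors.
SNAPSHOT_1 = """
org. DS 12345 7 1 0123456789ABCDEF0123456789ABCDEF01234567
se.  DS 54321 5 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
br.  DS 11111 5 1 0123456789012345678901234567890123456789
"""
SNAPSHOT_2 = """
org. NUL   ; registry says: TA deliberately revoked
se.  DS 54321 5 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
; br. makes no statement any more
"""


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Actions for the second snapshot under the 'keep' and 'drop' absence policies."""
    configured = apply_actions({}, reconcile({}, parse_tar(SNAPSHOT_1), "drop"))
    snap2 = parse_tar(SNAPSHOT_2)
    keep = {z: a for z, (a, _) in reconcile(configured, snap2, "keep").items()}
    drop = {z: a for z, (a, _) in reconcile(configured, snap2, "drop").items()}
    return keep, drop


if __name__ == "__main__":
    for policy, actions in zip(("keep", "drop"), demo()):
        print(policy, actions)
```

Under both policies org. is removed, because the NUL statement is unambiguous; br. is the case the thread argues about, kept stale under "keep" and dropped under "drop", since without a NUL TA the validator has only silence to go on.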