Definition and Use of DNSSEC Negative Trust Anchors
draft-ietf-dnsop-negative-trust-anchors-13

[Ballot comment]

In an ideal world, my YES ballot for would really be "YES,
sadly I suppose we need this kind of thing but wouldn't life be
much better if DNSSEC was much easier to deploy, ah well, too
late now I guess:-("

- section 1.1: Where is the definition? I see you telling me
what an NTA isn't, but not what it is. I think what you want to
say is that an NTA is a domain name or a pair (a domain name
and a sub-domain of that) represented in a resolver
implementation-specific manner so that DNSSEC validation is
turned off from the higher domain name down (to the subdomain
if we have a pair). Is that right?

- 1.1: RFC5914 is a little misleading as a reference as that
was done for X.509 stuff and is nothing to do with DNSSEC.
Maybe it'd be worth pointing that out just in case some reader
somewhere goes and gets confused.

- section 2: what do you mean happens "once per quarter"?

- section 2: "immediately restores" - well that depends on the
screw-up doesn't it? Or are you saying (where?) that an NTA
must only be put in place when the screw-up is specifically and
only about and because of DNSSEC and where ignoring DNSSEC will
result in things "working"? For example, DNSSEC could fail
because all my nameservers are entirely offline due to a f/w
mis-configuration that blocks loads of port 53, but putting in
place an NTA won't help then. (As it happens, I'm right now
gettting a f/w to re-unblock 53 so I can serve some DNSSEC
records so this issue is one that's close to the bone for me:-)

- Section 6: 1st 2 sentences repeat repeat dnssec-failed.org
too too many times.

- random question: why not have an "I'm just testing" RR that I
could put in alongside my ZSK DNSKEY as I start to play with
DNSSEC? Or maybe that exists already.

[Ballot comment]
= Sec 2 =

"Technical personnel trained in the operation of DNS servers MUST
  confirm that a failure is due to misconfiguration"

s/MUST/must/ - seems odd to put a normative requirement on people to do something in people land

= Sec 4 =

"The lifetime MUST NOT exceed a week. "

Would be good to provide the motivation for where this number comes from.

[Ballot comment]
-- General:

This is just an observation, since this is informational draft. I do not expect or suggest any action on it. (But if it had been standards or BCP track, I might have made it a discuss.) If I understand this correctly, it suggests that resolvers be configured to stop validating known broken names. This of course has the risk of circumventing the protection that a domain intended by using DNSSEC in the first place. The draft does discuss those risks. But I would have been happier to have seen something with a tone more along  "We know you are going to do this thing, and it's probably better than globally switching to a non-validating resolver-- so here's the risks, and here's some ways to minimize those risks" (which I think might have been good BCP material)  rather than "This is a good practice to work around broken DNSSEC configurations."

-- section 1.2, last paragraph, last sentence:
Out of curiosity, has this been an issue?

-- 2, 2nd paragraph:
Can an operator be reasonably expected to be able to confirm that a domain is being operated by its rightful owner?

-- 2, 2nd to last paragraph:

Since the requirement to limit the time an NTA is used is a MUST, it seems like the ability to configure that time should also be a MUST.

-- 2, last paragraph:

Why is the requirement not to affect another branch weaker than the requirement not to affect other names higher up the same branch?

-- 4, first paragraph, last sentence:

This seems to favor erring on the side of keeping the NTA. I think security would suggest erring on the side of removing the NTA.

Editorial and Nits:

-- If you plan to use capitalized 2119 terms, please add the appropriate boilerplate and a 2119 reference.

-- section 4, first paragraph: "It is therefore RECOMMENDED that NTA implementors SHOULD"
redundant 2119 keywords (RECOMMENDED and SHOULD )

-- 7, paragraph 4, last sentence:
I suggest adding “At the time of this writing…”, and add additional text to remind people these may change over time.

-- 7:
This section  jumps into 2nd person. I don’t want to stand on formality, but it would be good to keep a consistent tone across the draft.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-dnsop-negative-trust-anchors-10, which is currently in Last Call, and has the following comments:

We understand that, upon approval of this document, there are no IANA Actions that need completion.

While it is helpful for the IANA Considerations section of the document to remain in place upon publication, if the authors prefer to remove it, IANA doesn't object.

If this assessment is not accurate, please respond as soon as possible.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Definition and Use of DNSSEC Negative Trust Anchors) to Informational RFC


The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document:
- 'Definition and Use of DNSSEC Negative Trust Anchors'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-06-23. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  DNS Security Extensions (DNSSEC) is now entering widespread
  deployment.  However, domain signing tools and processes are not yet
  as mature and reliable as those for non-DNSSEC-related domain
  administration tools and processes.  Negative Trust Anchors
  (described in this document) can be used to mitigate DNSSEC
  validation failures.

  [RFC Editor: Please remove this before publication.  This document is
  being stored in github at https://github.com/wkumari/draft-livingood-
  dnsop-negative-trust-anchors . Authors accept pull requests, and keep
  the latest (edit buffer) versions there, so commenters can follow
  along at home.]




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-negative-trust-anchors/ballot/


No IPR declarations have been submitted directly on this I-D.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

This RFC is being requested as "Informational", as it describes operational aspects of using Negative Trust Anchors to provide a better DNSSEC experience. This is indicated in the title page.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary:

As DNS Security Extensions (DNSSEC) is being widely deployed, tools and processes are not fully mature. Creating a temporary object called Negative Trust Anchor to temporarily disable DNSSEC validation for misconfigured domains; thereby allowing DNS resolution to continue working.

Working Group Summary:

The working group spent time reviewing the document, and several points were raised about the deployment of these trust anchors. However, all points raised involved clarification text which made the final document more robust. There were no decisions that were particularly rough.

Document Quality:

The document is of good quality. There were several editorial passes done during the timeframe, all of which cleared up the text. The document has a section on managing these Negative Trust Anchors, and laid out in a manner that operators of DNS zones will be able to use.  Additionally, there are examples from existing DNS tools in Appendix A.

Personnel:  Document Shepherd is Tim Wicinski and Responsible Area Director is Joel Jaeggli.


(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The Document Shepherd performed two different reviews - a content level review, and a language editing process.  The document is ready for IESG review and publications.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

The Document Shepherd feels the depth and breath of the reviews are more than sufficient for this document.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

No portions of this document requires review from a broader perspective.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

The Document Shepherd has no concerns or issues with the document moving forward.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

The authors confirms that their is no IPR disclosures required for this document.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

There are no IPR disclosures that reference this document.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

The WG consensus is strong and vocal, and the working group as a whole understands this document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

There has been no appeal or discontent filed.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

This document does not meet any required formal review criteria.

(13) Have all references within this document been identified as
either normative or informative?

The Document Shepherd feels that all references have been identified as either normative or informative.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

There are no normative references that are not ready.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

The Document Shepherd does not feel there are any downward normative references.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

Publication of this document will not change the status of any existing RFCs.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

There are no IANA considerations for this document.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

There are no IANA registries involved here.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.