
Re: [DNSOP] Last Call: <draft-ietf-dnsop-negative-trust-anchors-10.txt> (Definition and Use of DNSSEC Negative Trust Anchors) to Informational RFC

2015-06-09 12:36:50
On Tue, Jun 9, 2015 at 11:29 AM, Joe Abley <jabley(_at_)hopcount(_dot_)ca> 
wrote:
On 9 Jun 2015, at 8:58, The IESG wrote:

The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document:
- 'Definition and Use of DNSSEC Negative Trust Anchors'
<draft-ietf-dnsop-negative-trust-anchors-10.txt> as Informational RFC

I have read this document. The topic under discussion is a useful one, it is 
described clearly and well, and I support this document proceeding. I have 
some minor suggestions for improvement, but nothing substantial.

Whoohoo!



In section 1, the document uses normative-sounding language ("should not") 
and seems to direct the IANA not to do something. The normative-sounding 
direction is further extended to all other organisations. I understand the 
intent here, but the advice seems a little jarring; any IETF document can 
provide advice and recommendations without enforcement (informational 
documents arguably more so). Perhaps this could be rephrased to make it clear 
that the document is providing recommendations about how to implement and 
manage negative trust anchors rather than laying down the law.


I had a hard time trying to figure out how to address this. I changed:
"Negative Trust Anchors are intended to be temporary, and should not
be distributed by IANA or any other organization outside of the
administrative boundary of the organization locally implementing a
Negative Trust Anchor."
to:
"Negative Trust Anchors are intended to be temporary, and should only
be implemented by the organization requiring a Negative Trust Anchor
(and not distributed by any organizations outside of the
administrative boundary)."

I think that that changes the tone and doesn't sound as prescriptive /
jarring - does this address your concern?
I also skimmed the rest and didn't really find anywhere else to fix.


In section 1.2 the document refers to a "domain administrator", when in the 
context of DNSSEC I think it means a "zone administrator".


Nice. Done. Thanks.

In section 7 the document refers to "dnscheck", which I understand is no 
longer being maintained and has been replaced with "zonemaster". See 
<http://www.zonemaster.fr>, for example.

I replaced dnscheck with zonemaster. Initially I was just going to add
zonemaster (and leave dnscheck there), but seeing as .se is involved
in both projects I decided it was not impolite to remove their older
tool...


New version (with your suggested edits) pushed to github -
https://github.com/wkumari/draft-livingood-dnsop-negative-trust-anchors


Thanks for your comments,
W



Joe



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

