Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard
Geoffrey Sisson <geoff@nominet.org.uk> Mon, 05 December 2005 15:18 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EjI6n-0007yI-Bd for dnsext-archive@megatron.ietf.org; Mon, 05 Dec 2005 10:18:29 -0500
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01369 for <dnsext-archive@lists.ietf.org>; Mon, 5 Dec 2005 10:17:39 -0500 (EST)
Received: from majordom by psg.com with local (Exim 4.60 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1EjI27-0001a5-7D for namedroppers-data@psg.com; Mon, 05 Dec 2005 15:13:39 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on psg.com
X-Spam-Status: No, score=-1.3 required=5.0 tests=AWL,BAYES_00,BIZ_TLD autolearn=no version=3.1.0
Received: from [213.248.199.23] (helo=mx3.nominet.org.uk) by psg.com with esmtp (Exim 4.60 (FreeBSD)) (envelope-from <geoff@nominet.org.uk>) id 1EjI26-0001Zq-6A for namedroppers@ops.ietf.org; Mon, 05 Dec 2005 15:13:38 +0000
Received: from staff.nominet.org.uk ([213.248.199.129]) by mx3.nominet.org.uk with ESMTP; 05 Dec 2005 15:13:32 +0000
X-IronPort-AV: i="3.99,217,1131321600"; d="scan'208"; a="2044817:sNHT25839152"
Received: (from geoff@localhost) by staff.nominet.org.uk (8.12.9/8.12.9) id jB5FDVpY029710; Mon, 5 Dec 2005 15:13:31 GMT
Date: Mon, 05 Dec 2005 15:13:31 +0000
From: Geoffrey Sisson <geoff@nominet.org.uk>
Message-Id: <200512051513.jB5FDVpY029710@staff.nominet.org.uk>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard
Cc: namedroppers@ops.ietf.org, iesg@ietf.org
In-Reply-To: <a06200705bfb667a0af2d@[10.31.32.96]>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Edward Lewis <Ed.Lewis@neustar.biz> wrotes: > At 10:53 -0500 11/22/05, The IESG wrote: > >http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dns-name-p-s-01.txt > > # This document describes two methods: > # > # 1. An ``absolute method'', which returns the immediate predecessor > # or successor of a domain name such that no valid DNS name could > # exist between that DNS name and the predecessor or successor. > # > # 2. A ``modified method'', which returns a predecessor and successor > # which are more economical in size and computation. This method > # is restricted to use with zones consisting exclusively of owner > # names that contain no more than one label more than the owner > # name of the apex, where the longest possible owner name (i.e. one > # with a maximum length left-most label) would not exceed the > # maximum DNS name length. This is, however, the type of zone for > # which the technique of online signing is most likely to be used. > > I have two comments to make on this. > > One is that I think it's unwise to design a standard part of the > protocol based on the data content of the zone. I'm referring to the > sentiment in the last sentence of the quoted section. This is not a > concrete comment, just a design guideline, and it is less important > than my next comment. Note that -ietf-dnsext-dns-name-p-s has been requested for publication as Experimental, so it's not part of the protocol. The described methods are provided as an aid to implementors and are not normative. > Keeping in mind that we discourage (or should, I recall talking about > this) caches from being used to speak authoritatively about data and > the behavior of negative caches, does it really matter if the NSEC > contents are "true?" Especially when what is "true" can change with > dynamic update. > > My point here is, perhaps the modified method is all that is needed, > regardless of the kind of data in the zone. Can we get away with one > approximately good method instead of having to define two exacting > methods? Can't we simplify this? The "modified method" would be quite broken for some types of zones, e.g. ones with lots of deeply-nested empty non-terminals. For example: $ORIGIN 5.6.8.1.4.4.e164.arpa. 1.1.2.2.3.3 IN NAPTR <blah> 9.9.2.2.3.3 IN NAPTR <blah> . . . When using the modified method, a query with a QNAME of 4.4.2.2.3.3.5.6.8.1.4.4.e164.arpa. would produce this response: 2\255{62}.5.6.8.1.4.4.e164.arpa. IN NSEC 3\000.5.6.8.1.4.4.e164.arpa. ... This would potentially deny the existence of quite a few existing DNS names, substantially increasing it's utility for replay attacks. Geoff -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Last Call: 'Minimally Covering NSEC Records and D… The IESG
- Re: Last Call: 'Minimally Covering NSEC Records a… Ben Laurie
- Re: Last Call: 'Minimally Covering NSEC Records a… Olaf M. Kolkman
- Re: Last Call: 'Minimally Covering NSEC Records a… Roy Arends
- Re: Last Call: 'Minimally Covering NSEC Records a… Edward Lewis
- Re: Last Call: 'Minimally Covering NSEC Records a… Roy Arends
- Re: Last Call: 'Minimally Covering NSEC Records a… Ben Laurie
- Re: Last Call: 'Minimally Covering NSEC Records a… Edward Lewis
- Re: Last Call: 'Minimally Covering NSEC Records a… Geoffrey Sisson
- Re: Last Call: 'Minimally Covering NSEC Records a… Mark Andrews
- Re: Last Call: 'Minimally Covering NSEC Records a… Geoffrey Sisson
- Re: Last Call: 'Minimally Covering NSEC Records a… Olaf M. Kolkman
- Re: Last Call: 'Minimally Covering NSEC Records a… Paul Vixie
- Re: Last Call: 'Minimally Covering NSEC Records a… Ben Laurie
- Re: Last Call: 'Minimally Covering NSEC Records a… Edward Lewis
- Re: Last Call: 'Minimally Covering NSEC Records a… Paul Vixie
- Re: Last Call: 'Minimally Covering NSEC Records a… Roy Arends
- Re: Last Call: 'Minimally Covering NSEC Records a… Roy Arends
- Re: Last Call: 'Minimally Covering NSEC Records a… Geoffrey Sisson
- Re: Last Call: 'Minimally Covering NSEC Records a… Olaf M. Kolkman
- Re: Last Call: 'Minimally Covering NSEC Records a… Samuel Weiler
- Re: editorial comment on DNSEXT WG's Minimally Co… Samuel Weiler
- editorial comment on DNSEXT WG's Minimally Coveri… Edward Lewis