Request to publish draft-ietf-dnsext-nsec3-10 on STD. Track
"Olaf M. Kolkman" <olaf@NLnetLabs.nl> Sun, 11 March 2007 07:21 UTC
Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HQINC-0004YX-B3; Sun, 11 Mar 2007 03:21:42 -0400
Received: from psg.com ([147.28.0.62]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1HQIN8-0005PS-FI; Sun, 11 Mar 2007 03:21:42 -0400
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HQIG8-0009j8-Lh for namedroppers-data@psg.com; Sun, 11 Mar 2007 07:14:24 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL, BAYES_00, OPTING_OUT_CAPS autolearn=ham version=3.1.7
Received: from [213.154.224.1] (helo=open.nlnetlabs.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63 (FreeBSD)) (envelope-from <olaf@NLnetLabs.nl>) id 1HQIG4-0009im-CI for namedroppers@ops.ietf.org; Sun, 11 Mar 2007 07:14:23 +0000
Received: from [127.0.0.1] (open.nlnetlabs.nl [213.154.224.1]) by open.nlnetlabs.nl (8.13.8/8.13.8) with ESMTP id l2B7DmCP076804; Sun, 11 Mar 2007 08:13:49 +0100 (CET) (envelope-from olaf@NLnetLabs.nl)
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Apple-Mail-1--130987559"
Message-Id: <5D120429-B689-4F0D-82F7-7D89BA2C9011@NLnetLabs.nl>
Cc: dnsext-chairs@tools.ietf.org, dnsext-ads@tools.ietf.org, IETF DNSEXT WG <namedroppers@ops.ietf.org>
Content-Transfer-Encoding: 7bit
From: "Olaf M. Kolkman" <olaf@NLnetLabs.nl>
Subject: Request to publish draft-ietf-dnsext-nsec3-10 on STD. Track
Date: Sun, 11 Mar 2007 08:13:44 +0100
To: iesg-secretary@ietf.org
X-Pgp-Agent: GPGMail 1.1.2 (Tiger)
X-Mailer: Apple Mail (2.752.2)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.5 (/)
X-Scan-Signature: 142a000676f5977e1797396caab8b611
This is a publication request for draft-ietf-dnsext-nsec3-10 on the standards track. (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? Olaf Kolkman will shepherd this document. Both chairs reviewed the document and believe this document is ready for publication. (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document has been reviewed by key working group members. During the development of the protocol several groups implemented it and there were two protocol and interoperability testing workshops. Among the respondents to the WGLC were: o Matt Larson (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ msg00114.html) o Wouter Wijngaards (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ msg00072.html) o Marcos Sanz (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ msg00116.html) o Suresh Krishnaswamy (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ msg00107.html) o Scott Rose (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ msg00082.html) o Peter Koch (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ msg00127.html) (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization or XML? The document specifies a mechanism to obfuscate zone content while supplying authenticated proof on non-existence of names and contains a fair amount of 'security related' material. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. This document addresses introduces two features that are considered to be imperative for deployment in a number of TLDs and some corporate environments. o The obfuscation of the NSEC span through supplying a span of hashed owner names. o The ability to signal a semantic change from "no names are existing in the span" to "no secure delegations exist in the span" The latter feature is flagged with the opt-out flag field and was currently known as "opt-in" (cf. draft-ietf-dnsext-dnssec-opt-in). The opt-in feature used to be contentious but it is clear that the consensus in the working group has shifted over the years. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The working group consensus is solid. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) No. (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews? Yes. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. The references are split and there are no downward refs. (1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document? If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC2434]. If the document describes an Expert Review process has Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during the IESG Evaluation? The IANA are unambiguous. However there is an important rfc editor instruction: After the IANA allocation has been done the examples in the Appendix will need to be regenerated because the signature generation algorithm uses also includes RR types as input. The RFC editor should not edit the Appendices before the IANA type-code has been assigned and the examples have been regenerated by the editor. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? There is no such language. But on this note: While implementing parts of the functionality into a perl library the examples where used as test cases (Coincidentally this shepherd maintains a Perl Library for DNS code). See note above about regenerating the examples. (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up? Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction. The Domain Name System Security Extensions (DNSSEC) introduced the NSEC resource record (RR) for authenticated denial of existence. Though the NSEC RR meets the requirements for authenticated denial of existence, it introduces a side-effect in that the contents of a zone can be enumerated. This property introduces undesired policy issues. A second problem is that the cost to cryptographically secure delegations to unsigned zones is high for large delegation-centric zones and zones where insecure delegations will be updated rapidly. (Typically these are top level domains). For these zones, the costs of maintaining the NSEC record chain may be extremely high relative to the gain of cryptographically authenticating existence of unsecured zones. This document presents the NSEC3 Resource Record which can be used as an alternative to NSEC to mitigate these issues. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. This specification is intended to be published on the standards track. Working Group Summary Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? The OPT out feature of NSEC3 used to be a point of contention in the DNSEXT working group. The working group did not bring OPT-OUT up as an issue during the development of the draft or during last call. The chairs are convinced that the feature was not introduced under the radar and that the working group consents with the feature being introduced. The iterations count has been subject to discussion because it may be used to trigger DOS attacks on resolvers. The WG consensus is to recommend a limitation on the number of iterations that a resolver is supposed to carry out. Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? During the development of the specification there were two workshops organized in which, among others, 3 operators (Nominet, Verisign and DENIC) and two Developers (ISC and NLnet) participated. During the workshops serious signaling issues were discovered which lead to the NSEC3PARAM RR. The specification has been implemented, albeit not in production code, in: BIND (authoritative server, validating resolver, caching name server), NSD (authoritative only), LDNS (library and troubleshooting tools), UNBOUND Java (validating resolver), Sparta's library (validating resolver), Net::DNS (Library, only parsing functions and helper methods) and about 4 different zone signers. Operators have indicated this specification to be imperative for DNSSEC deployment. Personnel Who is the Document Shepherd for this document? Who is the Responsible Area Director? Is an IANA expert needed? Shepherd: Olaf Kolkman (olaf@nlnetlabs.nl) AD: Mark Townsley No specific IANA expertise is needed. Kind regards, --Olaf ----------------------------------------------------------- Olaf M. Kolkman NLnet Labs http://www.nlnetlabs.nl/
- Request to publish draft-ietf-dnsext-nsec3-10 on … Olaf M. Kolkman