Request to publish draft-ietf-dnsext-nsec3-10 on STD. Track

["Olaf M. Kolkman" <olaf@NLnetLabs.nl>]

This is a publication request for draft-ietf-dnsext-nsec3-10 on the  
standards track.


    (1.a)  Who is the Document Shepherd for this document?  Has the
           Document Shepherd personally reviewed this version of the
           document and, in particular, does he or she believe this
           version is ready for forwarding to the IESG for publication?

Olaf Kolkman will shepherd this document.


Both chairs reviewed the document and believe this document is ready  
for publication.


    (1.b)  Has the document had adequate review both from key WG members
           and from key non-WG members?  Does the Document Shepherd have
           any concerns about the depth or breadth of the reviews that
           have been performed?

The document has been reviewed by key working group members. During the
development of the protocol several groups implemented it and there
were two protocol and interoperability testing workshops.

Among the respondents to the WGLC were:

    o Matt Larson
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ 
msg00114.html)

    o Wouter Wijngaards
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ 
msg00072.html)

    o Marcos Sanz
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ 
msg00116.html)

    o Suresh Krishnaswamy
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ 
msg00107.html)

    o Scott Rose
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ 
msg00082.html)

    o Peter Koch
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/ 
msg00127.html)


    (1.c)  Does the Document Shepherd have concerns that the document
           needs more review from a particular or broader perspective,
           e.g., security, operational complexity, someone familiar with
           AAA, internationalization or XML?

The document specifies a mechanism to obfuscate zone content while
supplying authenticated proof on non-existence of names and contains a
fair amount of 'security related' material.


    (1.d)  Does the Document Shepherd have any specific concerns or
           issues with this document that the Responsible Area Director
           and/or the IESG should be aware of?  For example, perhaps he
           or she is uncomfortable with certain parts of the  
document, or
           has concerns whether there really is a need for it.  In any
           event, if the WG has discussed those issues and has indicated
           that it still wishes to advance the document, detail those
           concerns here.  Has an IPR disclosure related to this  
document
           been filed?  If so, please include a reference to the
           disclosure and summarize the WG discussion and conclusion on
           this issue.

This document addresses introduces two features that are considered
to be imperative for deployment in a number of TLDs and some
corporate environments.

    o The obfuscation of the NSEC span through supplying a span of
      hashed owner names.

    o The ability to signal a semantic change from "no names are
      existing in the span" to "no secure delegations exist in the span"

The latter feature is flagged with the opt-out flag field and was
currently known as "opt-in" (cf. draft-ietf-dnsext-dnssec-opt-in). The
opt-in feature used to be contentious but it is clear that the
consensus in the working group has shifted over the years.


    (1.e)  How solid is the WG consensus behind this document?  Does it
           represent the strong concurrence of a few individuals, with
           others being silent, or does the WG as a whole understand and
           agree with it?


The working group consensus is solid.

    (1.f)  Has anyone threatened an appeal or otherwise indicated  
extreme
           discontent?  If so, please summarize the areas of conflict in
           separate email messages to the Responsible Area Director.   
(It
           should be in a separate email because this questionnaire is
           entered into the ID Tracker.)

No.

    (1.g)  Has the Document Shepherd personally verified that the
           document satisfies all ID nits?  (See
           http://www.ietf.org/ID-Checklist.html and
           http://tools.ietf.org/tools/idnits/).  Boilerplate checks are
           not enough; this check needs to be thorough.  Has the  
document
           met all formal review criteria it needs to, such as the MIB
           Doctor, media type and URI type reviews?

Yes.


    (1.h)  Has the document split its references into normative and
           informative?  Are there normative references to documents  
that
           are not ready for advancement or are otherwise in an unclear
           state?  If such normative references exist, what is the
           strategy for their completion?  Are there normative  
references
           that are downward references, as described in [RFC3967]?  If
           so, list these downward references to support the Area
           Director in the Last Call procedure for them [RFC3967].


The references are split and there are no downward refs.



    (1.i)  Has the Document Shepherd verified that the document IANA
           consideration section exists and is consistent with the body
           of the document?  If the document specifies protocol
           extensions, are reservations requested in appropriate IANA
           registries?  Are the IANA registries clearly identified?  If
           the document creates a new registry, does it define the
           proposed initial contents of the registry and an allocation
           procedure for future registrations?  Does it suggest a
           reasonable name for the new registry?  See [RFC2434].  If the
           document describes an Expert Review process has Shepherd
           conferred with the Responsible Area Director so that the IESG
           can appoint the needed Expert during the IESG Evaluation?


The IANA are unambiguous.

However there is an important rfc editor instruction:

After the IANA allocation has been done the examples in the Appendix
will need to be regenerated because the signature generation algorithm
uses also includes RR types as input.

The RFC editor should not edit the Appendices before the IANA type-code
has been assigned and the examples have been regenerated by the editor.



    (1.j)  Has the Document Shepherd verified that sections of the
           document that are written in a formal language, such as XML
           code, BNF rules, MIB definitions, etc., validate correctly in
           an automated checker?

There is no such language.

But on this note: While implementing parts of the functionality into a
perl library the examples where used as test cases (Coincidentally
this shepherd maintains a Perl Library for DNS code). See note above  
about
regenerating the examples.


    (1.k)  The IESG approval announcement includes a Document
           Announcement Write-Up.  Please provide such a Document
           Announcement Write-Up?  Recent examples can be found in the
           "Action" announcements for approved documents.  The approval
           announcement contains the following sections:

           Technical Summary
              Relevant content can frequently be found in the abstract
              and/or introduction of the document.  If not, this may be
              an indication that there are deficiencies in the abstract
              or introduction.

The Domain Name System Security Extensions (DNSSEC) introduced the
NSEC resource record (RR) for authenticated denial of existence.
Though the NSEC RR meets the requirements for authenticated denial of
existence, it introduces a side-effect in that the contents of a zone
can be enumerated.  This property introduces undesired policy issues.

A second problem is that the cost to cryptographically secure
delegations to unsigned zones is high for large delegation-centric
zones and zones where insecure delegations will be updated rapidly.
(Typically these are top level domains). For these zones, the costs of
maintaining the NSEC record chain may be extremely high relative to
the gain of cryptographically authenticating existence of unsecured
zones.

This document presents the NSEC3 Resource Record which can be used as
an alternative to NSEC to mitigate these issues.

This document introduces an alternative resource record, NSEC3, which
similarly provides authenticated denial of existence.  However, it
also provides measures against zone enumeration and permits gradual
expansion of delegation-centric zones.

This specification is intended to be published on the standards track.


           Working Group Summary
              Was there anything in WG process that is worth noting?   
For
              example, was there controversy about particular points or
              were there decisions where the consensus was particularly
              rough?

The OPT out feature of NSEC3 used to be a point of contention in the
DNSEXT working group. The working group did not bring OPT-OUT up as an
issue during the development of the draft or during last call. The
chairs are convinced that the feature was not introduced under the
radar and that the working group consents with the feature being
introduced.

The iterations count has been subject to discussion because it may be
used to  trigger DOS attacks on resolvers. The WG consensus is to
recommend a limitation  on the number of iterations that a resolver is
supposed to carry out.


           Document Quality
              Are there existing implementations of the protocol?   
Have a
              significant number of vendors indicated their plan to
              implement the specification?  Are there any reviewers that
              merit special mention as having done a thorough review,
              e.g., one that resulted in important changes or a
              conclusion that the document had no substantive  
issues?  If
              there was a MIB Doctor, Media Type or other expert review,
              what was its course (briefly)?  In the case of a Media  
Type
              review, on what date was the request posted?

During the development of the specification there were two workshops
organized in which, among others, 3 operators (Nominet, Verisign and
DENIC) and two Developers (ISC and NLnet) participated. During the
workshops serious signaling issues were discovered which lead to the
NSEC3PARAM RR.

The specification has been implemented, albeit not in production code,
in: BIND (authoritative server, validating resolver, caching name  
server), NSD
(authoritative only), LDNS (library and troubleshooting tools),
UNBOUND Java (validating resolver), Sparta's library (validating  
resolver),
Net::DNS (Library, only parsing functions and helper methods) and about
4 different zone signers.

Operators have indicated this specification to be imperative for
DNSSEC deployment.



           Personnel
              Who is the Document Shepherd for this document?  Who is  
the
              Responsible Area Director? Is an IANA expert needed?

Shepherd: Olaf Kolkman (olaf@nlnetlabs.nl)
AD: Mark Townsley
No specific IANA expertise is needed.


Kind regards,

--Olaf


-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/