Re: draft-arends-dnsnr-00

Samuel Weiler <weiler@tislabs.com> Tue, 27 July 2004 15:42 UTC

Date: Tue, 27 Jul 2004 11:38:02 -0400
From: Samuel Weiler <weiler@tislabs.com>
To: Roy Arends <roy@dnss.ec>
cc: namedroppers@ops.ietf.org
Subject: Re: draft-arends-dnsnr-00
In-Reply-To: <Pine.BSO.4.56.0407121709550.12231@trinitario.schlyter.se>
Message-ID: <Pine.GSO.4.55.0407271136500.5963@filbert>
References: <Pine.BSO.4.56.0407121709550.12231@trinitario.schlyter.se>

Avoiding the terminology discussion entirely...

I'm confused about how DNSNR is supposed to work with hashed next
names.  Perhaps I'm missing something.  I'd like to be enlightened.

It looks like you're continuing to use DNSNR/NSEC3 owner names which
match "actual owner names", to borrow Ben's terminology.  For example
(and I'd love to see an example with hashed owner names in the doc):

example.com. 86400 IN DNSNR ? 1 34abc (hash(34abc+alpha)) types
alfa.example.com. 86400 IN DNSNR ? 1 34abc (hash(34abc+beta)) types
beta.example.com. 86400 IN DNSNR ? 1 34abc (hash(34abc+apex)) types

(Which ignores the authoritative-only bit and doesn't say how much of
the next name you're hashing, since I don't understand that part of
the discussion.)

What answer is given in response to a query for c.example.com?  The
beta DNSNR tells me nothing, since I can't tell what name was used to
create the hash, and I can't tell if c.example.com would be covered by
the DNSNR or not.

In other matters, I find the discussion of the authoritative-only bit
in 2.1.1 confusing, if not misleading.  If you want to not have DNSNRs
for unsecure delegations (or optionally not have them), just say
that.  Make it clear whether the authoritative-only bit is a per-zone
thing or applies per-span, like opt-in.  And the incomplete citation
in the first paragraph of 2.1.4 is likely to be inconsistent with not
requiring DNSNRs at each name (including those unsecure delegations).

Also, the presentation format of the hash value is inconsistent
between 2.1.2 (third paragraph) and 2.2.

-- Sam
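An added illustration of Sam's objection (example code written for this archive page, not taken from the draft or the thread): with the owner name in the clear and only the next name hashed, a verifier holding the beta record cannot decide whether c.example.com falls inside its span, whereas hashing the owner names themselves, as NSEC3 later did, turns the coverage check into a plain comparison. The salt, SHA-1 digest and truncation are assumptions, since the message does not fix them.

```python
import hashlib
from bisect import bisect_right
# Constructed sample zone and salt, taken from the three names in the message.
SALT = "34abc"
NAMES = ["example.com.", "alfa.example.com.", "beta.example.com."]

def canonical_key(name):
    """DNSSEC canonical ordering key: labels compared right-to-left, case-insensitively."""
    return [label.lower() for label in reversed(name.rstrip(".").split("."))]

def toy_hash(salt, name):
    """Stand-in for hash(salt+name).  The digest and iteration rules are not
    given in the message, so SHA-1 over salt||name is assumed here."""
    return hashlib.sha1((salt + name.lower()).encode()).hexdigest()[:16]

def in_span(owner, nxt, qname, key=canonical_key):
    """True if qname sorts strictly between owner and nxt; the last span wraps
    around to the apex, so it covers everything sorting after its owner."""
    o, n, q = key(owner), key(nxt), key(qname)
    return o < q < n if o < n else (q > o or q < n)

def dnsnr_chain(names, salt):
    """Records shaped like Sam's example: plaintext owner, hashed next name."""
    ordered = sorted(names, key=canonical_key)
    return {o: toy_hash(salt, ordered[(i + 1) % len(ordered)])
            for i, o in enumerate(ordered)}

def dnsnr_covers(chain, salt, owner, qname, guesses=()):
    """Can the DNSNR at `owner` prove qname absent?  The verifier holds only
    hash(next); unless one of its guesses hashes to that value it cannot
    recover where the span ends, so the answer is None (undecidable)."""
    for cand in guesses:
        if toy_hash(salt, cand) == chain[owner]:
            return in_span(owner, cand, qname)
    return None

def hashed_owner_chain(names, salt):
    """The alternative later adopted by NSEC3 (RFC 5155): hash the owner names
    themselves and order the chain by hash value."""
    return sorted(toy_hash(salt, n) for n in names)

def hashed_covers(chain, salt, qname):
    """Return the (owner_hash, next_hash) span covering hash(qname), which a
    verifier can check directly, or None when the hash is an existing owner."""
    hq = toy_hash(salt, qname)
    if hq in chain:
        return None
    i = bisect_right(chain, hq)
    return chain[i - 1], chain[i % len(chain)]
```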
