IETF Logo Mail Archive

Re: WGLC: draft-ietf-dnsext-nsec3-09

Roy Arends <roy@nominet.org.uk> Wed, 21 February 2007 22:06 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HJzc1-0004ED-4D; Wed, 21 Feb 2007 17:06:57 -0500
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HJzbz-0003GV-Nk; Wed, 21 Feb 2007 17:06:57 -0500
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HJzWY-0001N3-VO for namedroppers-data@psg.com; Wed, 21 Feb 2007 22:01:18 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL, BAYES_00, OPTING_OUT_CAPS autolearn=ham version=3.1.7
Received: from [213.248.199.24] (helo=mx4.nominet.org.uk) by psg.com with esmtp (Exim 4.63 (FreeBSD)) (envelope-from <roy@nominet.org.uk>) id 1HJzWW-0001MP-1r for namedroppers@ops.ietf.org; Wed, 21 Feb 2007 22:01:17 +0000
Received: from unknown (HELO notes1.nominet.org.uk) ([213.248.197.128]) by mx4.nominet.org.uk with ESMTP; 21 Feb 2007 22:01:14 +0000
X-IronPort-AV: i="4.14,203,1170633600"; d="scan'208"; a="6731374:sNHT33804412"
In-Reply-To: <20070221200713.GF1819@unknown.office.denic.de>
To: Peter Koch <pk@DENIC.DE>
Cc: IETF DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: WGLC: draft-ietf-dnsext-nsec3-09
MIME-Version: 1.0
X-Mailer: Lotus Notes Build V702MAC_11052006 November 05, 2006
Message-ID: <OF1C7CFF6C.37555474-ON80257289.007751CD-C1257289.0078F526@nominet.org.uk>
From: Roy Arends <roy@nominet.org.uk>
Date: Wed, 21 Feb 2007 23:01:12 +0100
X-MIMETrack: Serialize by Router on notes1/Nominet(Release 7.0.1FP1 | May 25, 2006) at 21/02/2007 10:01:13 PM, Serialize complete at 21/02/2007 10:01:13 PM
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 32b73d73e8047ed17386f9799119ce43

Peter Koch <pk@DENIC.DE> wrote on 02/21/2007 09:07:13 PM:

> Dear Roy,
> 
> thanks for your detailed reply.
> 
> > > >    special case: NSEC3 ownernames cannot be proven to exist, in 
> > general.
> > > 
> > > Isn't that "_can_ be proven _not_ to exist"?
> > 
> > NSEC3 ownernames cannot be proven to exist. Proof of existence of an 
NSEC3 
> > ownername requires another NSEC3 record, which makes this a recursive 
> > problem.
> 
> Proof of existence usually is neither necessary nor a goal because it 
happens
> implicitly by having a (signed) RRSet for a name.

Yes. Also explicitly by having a signed NSEC or NSEC3 for a name.

> Seems we have a before-after
> problem here: you're saying it can't be proven, "because of the 
following"?

I don't get it. Sorry.
 
> > Multiple NSEC3 chains are allowed. Not sure what you mean by parallel.
> 
> Both chains are full loops, independent of each other (hopefully 
consistent,
> though).

Yes.

> > > The current text also
> > > clarifies 4034 (references to 2929 etc), so is this meant to update 
> > 4034?
> > 
> > I don't know what you mean.
> 
> The text is no verbatim copy of what appeared in RFC 4034, but it is 
more
> clear. Should one assume that this clarification now also applies to the
> NSEC spec in 4034?

Yes.

> > > > 4.  The NSEC3-Parameters Resource Record
> > > 
> > > >    If an NSEC3PARAM RR is present at the apex of a zone with a 
Flags
> > > >    Field value of zero, then there MUST be an NSEC3 using the same
> > > >    parameters present at every hashed ownername in the zone.  That 
is,
> > > >    the zone MUST contain a complete set of NSEC3 RRs with the 
same,
> > > >    indicated parameters.
> > > 
> > > It took me some time to read "every hashed ownername" in a way that
> > > does not preclude Opt-Out. I think it's important to emphasize that
> > > NSEC3PARAM may only be present if there's a full loop of NSEC3 RRs.
> > 
> > We state 'complete set of NSEC3 RRs with..."
> 
> Yes, but "the same parameters" seemed to preclude flags!=0.

Ah. Will fix.
 
> > > > 5.  Calculation of the Hash
> > > > 
> > > >    The hash calculation uses three of the NSEC3 RDATA fields: Hash
> > > >    Algorithm, Salt, and Iterations.
> > > 
> > > s/NSEC3/NSEC3 and NSEC3PARAM/
> > 
> > No. Why ?
> 
> Well, isn't the info in NSEC3PARAM used by the server to locate the 
NSEC3?

This section is general, i.e. this algorithm is also used by the validator 
and the signer (both entitities that need not know about NSEC3PARAM).

Roy

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email