Re: comments on draft-ietf-dnsext-dnssec-bis-updates-04.txt
Sam Weiler <weiler@tislabs.com> Mon, 05 March 2007 19:39 UTC
Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOJ21-0006o2-PZ; Mon, 05 Mar 2007 14:39:37 -0500
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOJ1z-0005m5-Ge; Mon, 05 Mar 2007 14:39:37 -0500
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HOIwy-0005P3-0e for namedroppers-data@psg.com; Mon, 05 Mar 2007 19:34:24 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,SPF_HELO_PASS, SPF_SOFTFAIL autolearn=no version=3.1.7
Received: from [157.185.61.2] (helo=M4.sparta.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63 (FreeBSD)) (envelope-from <weiler@tislabs.com>) id 1HOIwv-0005Oo-FK for namedroppers@ops.ietf.org; Mon, 05 Mar 2007 19:34:22 +0000
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id l25JYKxa007897 for <namedroppers@ops.ietf.org>; Mon, 5 Mar 2007 13:34:20 -0600
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.12.11/8.13.1) with ESMTP id l25JYKST003363 for <namedroppers@ops.ietf.org>; Mon, 5 Mar 2007 13:34:20 -0600
Received: from localhost ([157.185.80.253]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Mar 2007 14:34:19 -0500
Date: Mon, 05 Mar 2007 14:34:18 -0500
From: Sam Weiler <weiler@tislabs.com>
X-X-Sender: weiler@mint.samweiler.com
To: namedroppers@ops.ietf.org
Subject: Re: comments on draft-ietf-dnsext-dnssec-bis-updates-04.txt
Message-ID: <Pine.LNX.4.64.0703051433270.10502@mint.samweiler.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 05 Mar 2007 19:34:20.0133 (UTC) FILETIME=[45395150:01C75F5D]
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (M4.sparta.com [157.185.61.2]); Mon, 05 Mar 2007 13:34:20 -0600 (CST)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3d7f2f6612d734db849efa86ea692407
> # 2.1. Clarifications on Non-Existence Proofs > # > # [RFC4035] Section 5.4 slightly underspecifies the algorithm for > # checking non-existence proofs. In particular, the algorithm there > # might incorrectly allow the NSEC from the parent side of a zone cut > # to prove the non-existence of either other RRs at that name in the > # child zone or other names in the child zone. It might also allow a > # NSEC at the same name as a DNAME to prove the non-existence of names > # beneath that DNAME. > > The above paragragh is unclear. A "NSEC" does not prove anything, proofs are > done by the validotor. An NSEC RR and its associated RRSIG present data > used in a proof. This usage is consistent with RFC4035 (e.g., "... a single NSEC RR may prove both of these points.") Is this so bad that we need a new section talking about the use of the verb "prove" in 4035? > The "either" probably ought to be stricken from "of > either other" in the middle. Done. > "It might" - does it or not? It depends on the clue of the person reading it? Is there really a problem with that wording? > This sounds like an augmentation of the specified proof, you have a lower > case MUST in there. (Also, s/singer/signer/.) On the last line, > s/descendant/subdomain/. Fixed. Thank you. > # 2.2. Empty Non-Terminal Proofs Removed at Roy's suggestion. > # 2.3. Validating Responses to an ANY Query > # > # (as clarified in this document). To be clear, a validator must not > # insist on receiving all records at the QNAME in response to QTYPE=*. > > s/insist/expect/ perhaps. Done. > # 3. Interoperability Concerns > # > # 3.2. Private Algorithms ... > It says here that the "resolver MUST retrieve ... and ... determine the > algorithim." How can it determine the algotrithm if the algorithm is > private? It is possible that multiple algorithms use the same private > number, the best that can be done is if the private algorithm just happens > to be one the resolver knows and is expecting. There is a spec for how to distinguish between private algorithms. See RFC4034 Section A.1.1. > There is one step here - instruct the resolver to "line up" individual > DS RRs and DNSKEY RRs. This may not be possible if an unknown DS hash > algorithm is in use. Of the ones that line up, you can go on with sanity > checking. The section acknowledges that the hash algorithm must be known. > Do you want the resolver to side on being optimisitc? Should the resolver > be satisfied if it can find one useable DNSKEY? Or do you want it to be > pessimistic and through an exception when it can't line up and verify all > key records? Optimistic. Strictly optimistic. This comes close to implicating the "safety property" that we discussed in early 2003. > # 3.3. Caution About Local Policy and Multiple RRSIGs > # > # When multiple RRSIGs cover a given RRset, [RFC4035] Section 5.3.3 > # suggests that "the local resolver security policy determines whether > # the resolver also has to test these RRSIG RRs and how to resolve > # conflicts if these RRSIG RRs lead to differing results." In most > # cases, a resolver would be well advised to accept any valid RRSIG as > # sufficient. If the first RRSIG tested fails validation, a resolver > # would be well advised to try others, giving a successful validation > # result if any can be validated and giving a failure only if all > # RRSIGs fail validation. > > The point missed here is that it is possible that a resolver wants to see a > record signed with two or more algorithms, reflecting multiple "sign offs" of > the record. I doubt that this is an operational scenario grounded in sanity, > but I would not recommend in this clarification what policy a resolver should > favor. Noted. I'll await more feedback before changing this section. > # If a resolver adopts a more restrictive policy, there's a danger that > # properly-signed data might unnecessarily fail validation, perhaps > # because of cache timing issues. Furthermore, certain zone management > # techniques, like the Double Signature Zone-signing Key Rollover > # method described in section 4.2.1.2 of [RFC4641] might not work > # reliably. > > What is meant by "more restrictive?" "There's a danger...might...perhaps" is > a bit vague. This section is non-committal, perhaps, but is it really so unclear as to need to be changed? Again, I'd like more feedback (perhaps with alternative text suggested.) > # 3.6. Responding to QTYPE=* with the DO Bit Clear > > Already commented on this in email (Wouter and Koch too). Absent some support for this section (which I thought my co-editor would be offering), it's been removed. > # 4. Minor Corrections and Clarifications > # > # 4.1. Finding Zone Cuts > > I don't see what 4.1 is addressing. It seems all of references are > to parts of the same document. At this moment, I'm not recalling why it was added either -- most likely, someone showed up on namedroppers asking about it and I agreed that the lack of a cross-reference in RFC4035 C.8 could plausibly be confusing. There's a reason stuff this minor is in section 4 rather than earlier in the doc... > # 4.2. Clarifications on DNSKEY Usage > # > # Questions of the form "can I use a different DNSKEY for signing the > # X" have occasionally arisen. > > "Signing the X?" What does that mean? Clarified. > # 4.3. Errors in Examples > > Earlier this doc said it didn't deal with typos - but that is what this > section is all about - a typo. > > # 4.4. Errors in Canonical Form Type Code List > > Is this too just a typo report? I think these fall into the bucket of "typos ... [that] could lead to misinterpretation...". I removed the "Mere typos..." line from the intro to address this. -- Sam -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- I-D ACTION:draft-ietf-dnsext-dnssec-bis-updates-0… Internet-Drafts
- Re: dnssec-bis-updates-04 qtype any DO bit Wouter Wijngaards
- Re: comments on draft-ietf-dnsext-dnssec-bis-upda… Edward Lewis
- Re: comments on draft-ietf-dnsext-dnssec-bis-upda… Sam Weiler
- Re: dnssec-bis-updates-04 qtype any DO bit Peter Koch
- Re: dnssec-bis-updates-04 qtype any DO bit Niall O'Reilly