Re: WGLC: draft-ietf-dnsext-nsec3-09
Matt Larson <mlarson@verisign.com> Fri, 09 February 2007 20:29 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HFcN6-0005nU-MQ; Fri, 09 Feb 2007 15:29:28 -0500
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HFcN5-00024X-7H; Fri, 09 Feb 2007 15:29:28 -0500
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HFcIW-000CqJ-QG for namedroppers-data@psg.com; Fri, 09 Feb 2007 20:24:44 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-1.4 required=5.0 tests=AWL, BAYES_00, OPTING_OUT_CAPS, SPF_SOFTFAIL autolearn=no version=3.1.7
Received: from [65.201.175.9] (helo=cliffie.verisignlabs.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63 (FreeBSD)) (envelope-from <mlarson@verisign.com>) id 1HFcIL-000CoR-Vx for namedroppers@ops.ietf.org; Fri, 09 Feb 2007 20:24:39 +0000
Received: from monsoon.verisignlabs.com (scooter.bo.verisignlabs.com [172.25.170.10]) by cliffie.verisignlabs.com (Postfix) with ESMTP id E6FE8136818; Fri, 9 Feb 2007 15:24:32 -0500 (EST)
Received: from zephyr.verisignlabs.com (zephyr.verisignlabs.com [10.131.244.205]) by monsoon.verisignlabs.com (Postfix) with ESMTP id AA41C137B6A; Fri, 9 Feb 2007 15:09:11 -0500 (EST)
Date: Fri, 09 Feb 2007 15:09:07 -0500
From: Matt Larson <mlarson@verisign.com>
To: IETF DNSEXT WG <namedroppers@ops.ietf.org>, "Olaf M. Kolkman" <olaf@NLnetLabs.nl>, Ben Laurie <ben@algroup.co.uk>, Roy Arends <roy@dnss.ec>, David Blacka <davidb@verisignlabs.com>, Geoff Sisson <Geoffrey.Sisson@nominet.org.uk>
Subject: Re: WGLC: draft-ietf-dnsext-nsec3-09
Message-ID: <20070209200907.GA4570@zephyr.verisignlabs.com>
References: <A5E62F5E-E182-41F9-8CA7-916A1765D5A8@NLnetLabs.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <A5E62F5E-E182-41F9-8CA7-916A1765D5A8@NLnetLabs.nl>
User-Agent: Mutt/1.5.11
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ff03b0075c3fc728d7d60a15b4ee1ad2
On Wed, 10 Jan 2007, Olaf Kolkman wrote: > Please review the draft and put that fact on record through a post to > the mailing-list. I have (re-)read the draft and after a thorough review, I support its going foward. I have only minor comments relating to wording clarity, which are below. Matt > 6. Opt-Out > > [...] > An Opt-Out NSEC3 record is said to cover a delegation if the hash of > the delegation's Next Closer Name to its closest provable encloser is > between the NSEC3 ownername and next hashed ownername. I had some difficulty parsing this sentence. Once I figured out its meaning, I determined the cause of my trouble was the use of the word "hash" followed by the word "to" in a sense that did not refer to the output of the hash algorithm: "to" here does not refer to what something "hashes to". I believe a minor reordering of the sentence might help comprehension: An Opt-Out NSEC3 record is said to cover a delegation if the hash of the Next Closer Name of its closest provable encloser of the delegation is between the NSEC3 ownername and next hashed ownername. But maybe I'm the only one with a problem here, which is entirely possible. > An Opt-Out NSEC3 record MAY have the same original owner name as an > insecure delegation. In this case, the delegation is proven insecure > by the lack of a DS bit in type map and the signed NSEC3 record does ^ the > assert the existence of the delegation. I know the word MAY appears in big letters here, but would it be worth a clarification sentence explaining that NSEC3 records at insecure delegations are not necessary in Opt-Out zones and that if one's purpose for using Opt-Out is to reduce zone size, this case is expected to be unusual? I'm just thinking of a signer implementor coming along in a few years who's not steeped in the material as we all are and trying to figure things out from the RFC as a starting point. > 7.2.2. Name Error Responses > > To prove the nonexistence of QNAME a closest encloser proof and an > NSEC3 RRset covering the wildcard record at the closest encloser MUST ^ (nonexistent) > be included in the response. I think adding "(nonexistent)" increases clarity. > 7.2.7. Referrals to Unsigned Subzones > > [...] > If the zone in Opt-Out, then there may not be an NSEC3 record s/in/is > 7.5. Dynamic Update > > A zone signed using NSEC3 may accept dynamic updates. [...] Should there be an informative reference to RFC 2136 here? > 8.1. Responses with Unknown Hash Types > > A validator MUST ignore NSEC3 records with unknown hash types. The > practical result of this is that responses containing such NSEC3 ^ only > records will generally be considered bogus. If a response contains a combination of NSEC3 records with known and unknown hash types, the validator ignores the ones with unknown types and can proceed using the ones with known types, right? If so, adding "only" above helps make that more clear. > 8.3. Closest Encloser Proof > > [...] > 3. Truncate SNAME by one label, go to step 2. > > Once the closest encloser has been discovered, the validator MUST > check that the NSEC3 that has the closest encloser as an ownername is ^ original > from the proper zone. I think adding "original" increases clarity. > 8.5. Validating No Data Responses, QTYPE is not DS > > The validator MUST verify that an NSEC3 RR that matches QNAME is > present and that both the QTYPE and the CNAME type are not set in its > Type Bit Maps field. > > Note that this test also covers the case where the NSEC3 record > exists because it corresponds to an empty non-terminal, in which case > the NSEC3 will usually have an empty Type Bit Maps field. Why "usually" and not "always"? Won't an empty non-terminal's NSEC3 always have an empty Type Bit Maps field? > 10.1. Domain Name Length Restrictions > > Zones signed using this specification have additional domain name > length restrictions imposed upon them. In particular, zone with ^ s > names that, when converted into hashed ownernames, exceed the 255 > octet length limit imposed by RFC 1035 [3]. i.e., s/zone/zones -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Suresh Krishnaswamy
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Roy Arends
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Roy Arends
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Roy Arends
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Roy Arends
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Matt Larson
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Roy Arends
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Suresh Krishnaswamy
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Roy Arends
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Peter Koch
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Suresh Krishnaswamy
- Re: WGLC: draft-ietf-dnsext-nsec3-09 Roy Arends