[DNSOP] Re: Gunter Van de Velde's No Objection on draft-ietf-dnsop-rfc8109bis-06: (with COMMENT)
Mark Andrews <marka@isc.org> Tue, 20 August 2024 22:21 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7970AC151989; Tue, 20 Aug 2024 15:21:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="qpwM8oq9"; dkim=pass (1024-bit key) header.d=isc.org header.b="ayb16iJj"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbMfFoa9PgGM; Tue, 20 Aug 2024 15:21:39 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA14CC1CAE75; Tue, 20 Aug 2024 15:21:31 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 0E4003AB29E; Tue, 20 Aug 2024 22:21:31 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 0E4003AB29E
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1724192491; cv=none; b=mDdrz+G8COzz8fSPw+K1LKq8WEQF6YPiijxAG76aAuslBZ7k/gJ58D/OIInZowTg5Qe8b7t1fy0RsbI9TvEu55eVN5Siq3bXC12PUu9SNd7V5JmiuwNklwDNk4e+lu41/MBcSbbkNwJZCm+B4Y0vfO+MCezkuiA5rz4o77SzhVA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1724192491; c=relaxed/relaxed; bh=We8EX7C91q9XB3U0hxklSBeZUyjkzpIrFujAkFY0/HA=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=SPoeOAoyeGxs+IVHRxDkbgsWyAPDUik6+NX7KKjjKz4Yg0aK1nFzvi5jeJ5gmvWTBct0fIbj62juW4TbFUuBwK3ctW9VrhtuqKdSiFDP/gaCQUoJhUdwWg7uCx6gnEByxLEOkaYki+5cU8tG7tbR6f+HkDPv/S6q0ilcy3aeUoM=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 0E4003AB29E
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1724192491; bh=U+7fbdSa2cNimUOvd+mnU/7qt2GUIoNjDLl9hAzUf1Q=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=qpwM8oq95BTC4Gtl7biRMAblRNhQ5nsDbB4R4sliApDNbOnK/hXIZPWr8wGrRmecy fAf+Yuxv6opltEf7BEI/x8NhL4qcFcsX9IpRE3HdG6X962AsHV7ctHYh7FkSsBdm+b Me/2fyrswvHXOahsaoyyaXvfQYVzW5Jn/cjIp5hA=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 071B3B42C66; Tue, 20 Aug 2024 22:21:31 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id D8DD7B42DE0; Tue, 20 Aug 2024 22:21:30 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org D8DD7B42DE0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1724192490; bh=We8EX7C91q9XB3U0hxklSBeZUyjkzpIrFujAkFY0/HA=; h=Mime-Version:From:Date:Message-Id:To; b=ayb16iJjlKD/YFbl+AgduMmxyZeirP0K0SNSHrZQnGqsPctjDKFxIvjiFDUkX8NWs DwV6ydsBPnX747T4XCC4ckRR+CQFNwH3559T/u9fQeIbSKRdFVrrJGmwuB+E10HpaK v8XcBsTomPXfAMQ4sYecR0UNL0AwtJsPPpLL/DSE=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id 0e0pNR_Crsxd; Tue, 20 Aug 2024 22:21:30 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id 18435B42C66; Tue, 20 Aug 2024 22:21:28 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.2\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <172414994656.2051711.9477179440517399954@dt-datatracker-6df4c9dcf5-t2x2k>
Date: Wed, 21 Aug 2024 08:21:15 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <7D4720FC-E773-4266-A956-F3D7DB05605B@isc.org>
References: <172414994656.2051711.9477179440517399954@dt-datatracker-6df4c9dcf5-t2x2k>
To: Gunter Van de Velde <gunter.van_de_velde@nokia.com>
X-Mailer: Apple Mail (2.3731.700.6.1.2)
Message-ID-Hash: 5HCYZX5MF7SGTRGWSKDBXSSGAJOIVTBT
X-Message-ID-Hash: 5HCYZX5MF7SGTRGWSKDBXSSGAJOIVTBT
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, draft-ietf-dnsop-rfc8109bis@ietf.org, dnsop-chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Gunter Van de Velde's No Objection on draft-ietf-dnsop-rfc8109bis-06: (with COMMENT)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0cVtHFT_zbX4x9J8MREjFIrw_OE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
> On 20 Aug 2024, at 20:32, Gunter Van de Velde via Datatracker <noreply@ietf.org> wrote: > > Gunter Van de Velde has entered the following ballot position for > draft-ietf-dnsop-rfc8109bis-06: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > # Gunter Van de Velde, RTG AD, comments for draft-ietf-dnsop-rfc8109bis-06 > > ## Many thanks for writing this document. I found it an nice read into the > depths recursive DNS resolvers. > > ## The comments below are of cosmetic nature and mostly suggest alternate > textblobs > > Please find https://www.ietf.org/blog/handling-iesg-ballot-positions/ > documenting the handling of ballots. > > #DISCUSS items > #============= > ##tbc > > #GENERIC COMMENTS > #================ > ## The text states "undefined" in section 3.: > > "The Recursion Desired (RD) bit MAY be set to 0 or 1, although the meaning of > it being set to 1 is undefined for priming queries." Actually it is NOT undefined. RFC 1034 says exactly what to do. Sending recursive queries to authoritative only servers results in RD=1 and RA=0 being set in the response header and you get the same response as you would if you had RD=0 in the request. That is 100% clear in RFC 1034. Root servers don’t behave differently to other servers. The only difference is that they are configured to serve “." > I am unsure what 'undefined' means in this context. does it mean that setting > this to 1 is forbidden? Maybe a line explaining the implications of the > undefined can be helpfull for iplementors to know what to do if they ever > receive such RD with a priming query. > > Maybe this statement could be something like: > > " > The Recursion Desired (RD) bit SHOULD be set to 0. The meaning when RD is set > to 1 is undefined for priming queries and outside the scope of this document. " > > ## In section 3.2 both IPv4 and IPv6 are handled equally as potential Target > Selection. Would it not be better for the Internet if there is a bias suggested > towards IPv6 when all other things being equal? > > #DETAILED COMMENTS > #================= > ##classified as [minor] and [major] > > 19 This document, when published, obsoletes RFC 8109. See Section 1.1 > 20 for the list of changes from RFC 8109. > > [minor] > Mostly i found that when documents obsolete other documents with a newer > revision that the changes are in the Appendix. It seems a more logical place > add these. Not sure it belongs in the main body of the draft. > > 114 * Changed "man-in-the-middle" to "machine-in-the-middle" to be both > 115 less sexist and more technically accurate. > > [minor] > s/less sexist/more inclusive/ > > 159 Priming is the act of finding the list of root servers from a > 160 configuration that lists some or all of the purported IP addresses of > 161 some or all of those root servers. In priming, a recursive resolver > 162 starts with no cached information about the root servers, and > 163 finishes with a full list of their names and their addresses in its > 164 cache. > > [minor] > I found this paragraph difficult to parse. What about the following alternatve > textblob: > > " > Priming refers to the process by which a recursive resolver obtains the list of > root servers from a configuration that includes the purported IP addresses of > some or all of those root servers. During priming, the recursive resolver > begins without any cached information regarding the root servers and concludes > with a complete list of their names and corresponding addresses stored in its > cache. " > > 173 software. This list is usually correct and complete when shipped, > 174 but may become out of date over time. > > [minor] > small cosmetic rewrite: > > " > While this list is generally accurate and complete at the time of distribution, > it may become outdated over time. " > > 176 The domain names for the root servers are called the "root server > 177 identifiers". This list has been stable since 1997, but the IPv4 and > 178 IPv6 addresses for the root server identifiers sometimes change. > 179 Research shows that after those addresses change, some resolvers > 180 never get the new addresses; for example, see [OLD-J]. > > [minor] > What about following cosmetic alternative textblob: > > " > The domain names assigned to the root servers are referred to as "root server > identifiers." Although this list has remained stable since 1997, the associated > IPv4 and IPv6 addresses for these root server identifiers occasionally change. > Research indicates that, following such changes, certain resolvers fail to > update to the new addresses; for further details, refer to [OLD-J]. " > > 182 Therefore, it is important that resolvers be able to cope with > 183 change, even without relying upon configuration updates to be applied > 184 by their operator. Root server identifier and address changes are > 185 the main reasons that resolvers need to use priming to get a full and > 186 accurate list of root servers, instead of just using a statically > 187 configured list. > > [minor] > cosmetic alternative textblob to consider: > > " > It is therefore essential that resolvers possess the capability to adapt to > changes, even in the absence of configuration updates applied by their > operators. Changes to root server identifiers and their corresponding addresses > are primary reasons why resolvers must employ the priming process to obtain a > complete and accurate list of root servers, rather than relying solely on a > statically configured list. " > > 224 SHOULD be randomly selected (see [RFC5452]). The Recursion Desired > 225 (RD) bit MAY be set to 0 or 1, although the meaning of it being set > 226 to 1 is undefined for priming queries. > > [major] > I am unsure what 'undefined' means in this context. does it mean that setting > this to 1 is forbidden? Maybe a line explaining the implications of the > undefined can be helpfull for iplementors to know what to do if they ever > receive such RD with a priming query. > > Maybe the statement should be something like: > > " > The Recursion Desired (RD) bit SHOULD be set to 0. The meaning when RD is set > to 1 is undefined for priming queries and outside the scope of this document. " > > 255 3.2. Target Selection > > [major] > The current text handles IPv4 and IPv6 equally and leaves it entirely up to the > implementation. Would it not be beneficial that there would be a suggested bias > in this document to use an IPv6 address instead of a legacy IPv4 address? It > smels as a missed opportunity in the path towards pervasive IPv6 > > 338 At the time this document is published, there are 13 root server > 339 operators operating a total of more than 1500 root server instances. > 340 Each has one IPv4 address and one IPv6 address. The combined size of > 341 all the A and AAAA RRsets exceeds the original 512-octet payload > 342 limit from [RFC1035]. > > [minor] > proposed alternate cosmetic textblob: > > " > As of the publication of this document, there are 13 root server operators > collectively managing more than 1,500 root server instances. Each instance is > assigned both an IPv4 address and an IPv6 address. The total size of all the A > and AAAA resource record sets (RRsets) exceeds the original 512-octet payload > limit specified in [RFC1035] " > > 371 5. Post-Priming Strategies > 372 > 373 When a resolver has a zone's NS RRset in cache, and it gets a query > 374 for a domain in that zone that cannot be answered from its cache, the > 375 resolver has to choose which NS to send queries to. (This statement > 376 is as true for the root zone as for any other zone in the DNS.) Two > 377 common strategies for choosing are "determine the fastest name server > 378 and always use it" and "create buckets of fastness and pick randomly > 379 in the buckets". This document gives no preference to any particular > 380 strategy other than to suggest that resolvers not treat the root zone > 381 as special for this decision. > > [minor] > Alternative cosmetic textblob: > > " > When a resolver has a zone's NS RRset in its cache and receives a query for a > domain within that zone that cannot be answered from the cache, the resolver > must select which nameserver to direct the queries to. This process applies > equally to the root zone as it does to any other zone within the DNS. Two > commonly employed strategies for making this selection are: "identify the > fastest nameserver and consistently use it" and "group nameservers based on > response speed and select randomly within those groups." This document does not > advocate for any specific strategy, other than suggesting that resolvers should > not treat the root zone differently when making this decision. " > > > > _______________________________________________ > DNSOP mailing list -- dnsop@ietf.org > To unsubscribe send an email to dnsop-leave@ietf.org -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] Gunter Van de Velde's No Objection on dra… Gunter Van de Velde via Datatracker
- [DNSOP] Re: Gunter Van de Velde's No Objection on… Mark Andrews