Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance

Tony Finch <dot@dotat.at> Tue, 25 May 2021 10:17 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EEC63A0831 for <dnsop@ietfa.amsl.com>; Tue, 25 May 2021 03:17:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.949
X-Spam-Level:
X-Spam-Status: No, score=-3.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FyKovsBpuJe3 for <dnsop@ietfa.amsl.com>; Tue, 25 May 2021 03:17:30 -0700 (PDT)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAA2F3A082D for <dnsop@ietf.org>; Tue, 25 May 2021 03:17:30 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from [90.251.241.247] (port=61474 helo=milebook.lan) by ppsw-33.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpsa (PLAIN:fanf2) (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1llU7k-000ucP-hf (Exim 4.94.2) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 25 May 2021 11:17:20 +0100
Date: Tue, 25 May 2021 11:17:20 +0100
From: Tony Finch <dot@dotat.at>
To: Wes Hardaker <wjhns1@hardakers.net>
cc: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>, DNSOP Working Group <dnsop@ietf.org>
In-Reply-To: <ybl1ra0axfa.fsf@w7.hardakers.net>
Message-ID: <a71a566c-2933-4cbe-dafa-7d634415a92@dotat.at>
References: <bfaa3ab3-3d96-dcec-a175-5803de03d852@NLnetLabs.nl> <eb62e04b-2511-ac14-b2e1-c29eab64acfc@nic.cz> <yblwns5ckje.fsf@w7.hardakers.net> <d72220fe-8a6b-d8e6-8b3-1749faddb4fb@dotat.at> <ybl1ra0axfa.fsf@w7.hardakers.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2S-922KhiWFc9JLdEZAeB6twqek>
Subject: Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2021 10:17:36 -0000

Wes Hardaker <wjhns1@hardakers.net> wrote:
>
> So, what guidance do we want to insert?

The text you wrote is exactly the kind of thing I was thinking of:

> Operators of secondary services should advertise the parameter caps
> their servers will support. Primaries need to ensure that secondaries
> support the NSEC3 parameters they expect to use in their zones.
> Primaries, after changing parameters, should query their secondaries
> with appropriate known non-existent queries to verify the secondary
> servers are responding as expected.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  https://dotat.at/
South Fitzroy: Northerly 4 to 6 in southeast, otherwise variable 2 to
4. Rough, becoming moderate or rough. Fair. Good.