[DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 19 May 2021 03:36 UTC
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-nsec-ttl@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com, tjw.ietf@gmail.com
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <162139538526.17414.5467676975353511221@ietfa.amsl.com>
Date: Tue, 18 May 2021 20:36:25 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/30P3qCWeBqv_5I2iG-RJHIYOwzs>
Benjamin Kaduk has entered the following ballot position for
draft-ietf-dnsop-nsec-ttl-04: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-ttl/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I put a (small) handful of editorial suggestions up at
https://github.com/PowerDNS/draft-dnsop-nsec-ttl/pull/11 .

Section 3.1, etc.

| The TTL of the NSEC RR that is returned MUST be the lesser of the
| MINIMUM field of the SOA record and the TTL of the SOA itself.
| This matches the definition of the TTL for negative responses in
| [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a
| deviating value after the SOA record has been updated, to allow
| for an incremental update of the NSEC chain.

I don't think I understand what a "deviating value" would be (and in
which direction it would deviate).

Section 3.4

| A resolver that supports aggressive use of NSEC and NSEC3 MAY
| limit the TTL of NSEC and NSEC3 records to the lesser of the
| SOA.MINIMUM field and the TTL of the SOA in a response, if
| present. It MAY also use a previously cached SOA for a zone to
| find these values.

The original 8198 has "SHOULD reduce", but now we only have "MAY limit".
Why should the requirements level be weaker for the new, more-correct,
guidance?

Section 4

   If signers & DNS servers for a zone cannot immediately be updated to
   conform to this document, zone operators are encouraged to consider
   setting their SOA record TTL and the SOA MINIMUM field to the same
   value.  That way, the TTL used for aggressive NSEC and NSEC3 use
   matches the SOA TTL for negative responses.

Are there any negative consequences of such a move that would need to be
weighed against the stated benefits?

Section 8

Why is RFC 8174 only an informative reference?  Shouldn't it be given
the same treatment as RFC 2119?
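The TTL rules discussed in this ballot (the Section 3.1 signer rule, the Section 3.4 resolver clamp with its "SOA if present, else cached SOA" fallback, and the Section 4 advice to make SOA TTL and MINIMUM equal), worked through as an added example that is not part of this message or of the draft; the RR class, record layout and sample values are constructed for illustration, and the legacy rule models the RFC 4035 behaviour of taking the NSEC TTL from SOA MINIMUM alone.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RR:
    """Minimal resource record (constructed for this example): owner, type, TTL."""
    name: str
    rtype: str
    ttl: int
    minimum: int = 0  # only meaningful on SOA records


def nsec_ttl_for_signer(soa_ttl: int, soa_minimum: int) -> int:
    """Section 3.1: NSEC/NSEC3 TTL MUST be the lesser of SOA MINIMUM and SOA TTL,
    which is exactly the RFC 2308 TTL for a negative answer."""
    return min(soa_ttl, soa_minimum)


def legacy_nsec_ttl(soa_minimum: int) -> int:
    """Pre-draft behaviour (RFC 4035): NSEC TTL copied from SOA MINIMUM only."""
    return soa_minimum


def clamp_aggressive_ttl(records: list[RR], cached_soa: Optional[RR] = None) -> list[RR]:
    """Section 3.4 resolver rule: cap NSEC/NSEC3 TTLs at min(SOA.MINIMUM, SOA TTL).
    The SOA in the response wins; otherwise a previously cached SOA for the zone is
    used; with neither available the records are returned unchanged."""
    soa = next((r for r in records if r.rtype == "SOA"), cached_soa)
    if soa is None:
        return list(records)
    cap = nsec_ttl_for_signer(soa.ttl, soa.minimum)
    return [
        RR(r.name, r.rtype, min(r.ttl, cap), r.minimum) if r.rtype in ("NSEC", "NSEC3") else r
        for r in records
    ]


def aggressive_vs_negative_gap(soa_ttl: int, soa_minimum: int) -> int:
    """Seconds by which a legacy NSEC TTL can outlive the negative-answer TTL.
    This is the mismatch the draft fixes; it is zero whenever the Section 4
    advice (SOA TTL == SOA MINIMUM) is followed."""
    return legacy_nsec_ttl(soa_minimum) - nsec_ttl_for_signer(soa_ttl, soa_minimum)
```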