Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Aggressive Use' (New Version Notification for draft-vandijk-dnsop-nsec-ttl-00.txt)

Peter van Dijk <peter.van.dijk@powerdns.com> Wed, 06 January 2021 19:11 UTC

Message-ID: <effc4f535863e78698ab8ef91efa235e6df65b09.camel@powerdns.com>
In-Reply-To: <bf5bd5a1-7987-b2ea-4d1d-472133525cc5@pletterpet.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4yKSiGKqBT9DO5835BZovM_13cw>

Hi Matthijs,

On Fri, 2020-12-18 at 18:02 +0100, Matthijs Mekking wrote:
> Hi Peter,
> 
> I reviewed the draft and it mostly looks good.

Thanks!

> Some minor comments:
> 
> 1. Perhaps instead of using ".com" as an example, use ".example" (per 
> RFC 2606)?

Noted at https://github.com/PowerDNS/draft-dnsop-nsec-ttl/issues/3

> 2. Shouldn't this document also update some text parts from RFC 8198?

Hmm. Obviously, some of the text in 8198 is wrong, but there is no
action for 8198 implementers here. Noted at 
https://github.com/PowerDNS/draft-dnsop-nsec-ttl/issues/4 for more
pondering.

> 3. About this paragraph:
> 
>     Ralph Dolmans helpfully pointed out that fixing this in RFC8198 is
>     only possible for negative (NXDOMAIN/NoData NOERROR) responses, and
>     not for wildcard responses.
> 
> I think it deserves a separate section or subsection within section 4, 
> and not be tucked away in the acknowledgements.
> 
> Also this should be a bit more verbose, it took me three times to 
> understand what exactly is said here.
> 
> Proposed text:
> 
> 
>     [RFC 8198] says:
> 
>         With DNSSEC and aggressive use of DNSSEC-validated cache, the TTL
>         of the NSEC/NSEC3 record and the SOA.MINIMUM field are the
>         authoritative statement of how quickly a name can start working
>         within a zone.
> 
>    Here, the SOA.MINIMUM field cannot be changed to "the minimum of the
>    SOA.MINIMUM field and the SOA TTL" because the resolver may not have
>    the SOA RRset in cache. However, if authoritative servers follow the
>    updates from this document, this should not make a difference, as the
>    TTL of the NSEC/NSEC3 record is already set to the minimum value.
> 
> 
> Ralph can of course still be acknowledged for the helpful pointer.

Yes, that makes sense, it is relevant background. I took your text plus
something extra and put it at 
https://github.com/PowerDNS/draft-dnsop-nsec-ttl/pull/5

Thanks!

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
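The TTL interaction behind Matthijs's proposed text (the RFC 8198 quote and the "minimum of SOA.MINIMUM and the SOA TTL" remark) is easier to see with numbers. The following is an added illustration, not code from the draft, from PowerDNS or from either participant. It models the NSEC/NSEC3 TTL an authoritative signer sets under RFC 4034 versus under the rule the quoted text describes, and how long a resolver doing RFC 8198 aggressive use can keep synthesising denials from a cached NSEC when it does not hold the SOA RRset. The zone values and the `ZoneParams`/`aggressive_use_lifetime` names are constructed for the example.

```python
"""Worked example of NSEC/NSEC3 TTL versus negative-cache TTL.

Added illustration only; not the draft's or PowerDNS's code. The zone
parameters below are constructed, not taken from any real zone.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ZoneParams:
    soa_ttl: int      # TTL of the SOA RRset itself
    soa_minimum: int  # SOA.MINIMUM field (negative caching TTL, RFC 2308)


def negative_cache_ttl(z: ZoneParams) -> int:
    """RFC 2308 section 5: a cached negative answer (NXDOMAIN / NoData)
    lives for min(SOA.MINIMUM, TTL of the SOA RRset)."""
    return min(z.soa_minimum, z.soa_ttl)


def nsec_ttl_rfc4034(z: ZoneParams) -> int:
    """RFC 4034 section 4: the NSEC RR TTL is taken from SOA.MINIMUM alone,
    so it can exceed the RFC 2308 bound when SOA.MINIMUM > SOA TTL."""
    return z.soa_minimum


def nsec_ttl_draft(z: ZoneParams) -> int:
    """Rule described in the quoted text: the NSEC/NSEC3 TTL is the minimum
    of SOA.MINIMUM and the SOA TTL, i.e. the same bound RFC 2308 applies to
    an ordinary negative answer. This is what lets RFC 8198 synthesis stay
    consistent without the resolver needing the SOA RRset."""
    return min(z.soa_minimum, z.soa_ttl)


def aggressive_use_lifetime(nsec_ttl: int, cached_soa: Optional[ZoneParams]) -> int:
    """How long an RFC 8198 resolver may synthesise denials from a cached NSEC.

    RFC 8198 itself bounds synthesis by the NSEC/NSEC3 TTL. The clamp in the
    `cached_soa` branch is the hypothetical resolver-side fix the quoted text
    rejects: it only works if the SOA RRset happens to be in cache, which a
    resolver cannot rely on, so the no-SOA branch is the realistic case.
    """
    if cached_soa is None:
        return nsec_ttl
    return min(nsec_ttl, negative_cache_ttl(cached_soa))


def synthesis_overshoot(z: ZoneParams) -> int:
    """Seconds by which an RFC 4034-style NSEC lets a resolver without the
    SOA in cache keep a synthesised denial beyond what a real negative
    answer for the same zone would be cached for (0 when there is none)."""
    real = negative_cache_ttl(z)
    synthesised = aggressive_use_lifetime(nsec_ttl_rfc4034(z), cached_soa=None)
    return max(0, synthesised - real)


if __name__ == "__main__":
    # Constructed zone: short SOA TTL, long SOA.MINIMUM (the problematic order).
    zone = ZoneParams(soa_ttl=300, soa_minimum=3600)
    print("real negative answer cached for:", negative_cache_ttl(zone), "s")
    print("NSEC TTL per RFC 4034:          ", nsec_ttl_rfc4034(zone), "s")
    print("NSEC TTL per the draft's rule:  ", nsec_ttl_draft(zone), "s")
    print("synthesis overshoot (RFC 4034): ", synthesis_overshoot(zone), "s")
    # With the draft's rule the NSEC TTL already equals the RFC 2308 bound,
    # so the resolver needs no SOA to get the right lifetime.
    print("synthesis lifetime (draft rule):",
          aggressive_use_lifetime(nsec_ttl_draft(zone), cached_soa=None), "s")
```

With SOA TTL 300 and SOA.MINIMUM 3600, a genuine NXDOMAIN is cached for 300 s, but an RFC 4034-style NSEC carries a 3600 s TTL, so a resolver synthesising from it (and lacking the SOA) can keep denying the name for 3300 s longer; with the NSEC TTL set to the minimum up front, the two lifetimes agree, which is the point the quoted paragraph makes.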