[DNSOP] new draft: 'NSEC(3) TTLs and NSEC Aggressive Use' (New Version Notification for draft-vandijk-dnsop-nsec-ttl-00.txt)

Peter van Dijk <peter.van.dijk@powerdns.com> Mon, 23 November 2020 20:16 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E6703A0BF4 for <dnsop@ietfa.amsl.com>; Mon, 23 Nov 2020 12:16:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.646
X-Spam-Level:
X-Spam-Status: No, score=0.646 tagged_above=-999 required=5 tests=[AC_FROM_MANY_DOTS=0.643, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CXT4acs-rjXN for <dnsop@ietfa.amsl.com>; Mon, 23 Nov 2020 12:16:16 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B1693A0B56 for <dnsop@ietf.org>; Mon, 23 Nov 2020 12:16:16 -0800 (PST)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx4.open-xchange.com (Postfix) with ESMTPS id E851C6A312; Mon, 23 Nov 2020 21:16:12 +0100 (CET)
Received: from plato (84-81-54-175.fixed.kpn.net [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id C41D23C0040; Mon, 23 Nov 2020 21:16:12 +0100 (CET)
Message-ID: <ca6217f45a8b3be86fb62f4967a342bb50b241a0.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Mon, 23 Nov 2020 21:16:08 +0100
References: <160616178406.24526.15858981444327414727@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5WBfmJ0R5R6JuGBNXpGGgU0M2Wc>
Subject: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Aggressive Use' (New Version Notification for draft-vandijk-dnsop-nsec-ttl-00.txt)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 20:16:21 -0000

Hello,

in 
https://lists.dns-oarc.net/pipermail/dns-operations/2018-April/017420.html
(and earlier messages in March on the same thread), people realised
that aggressive NSEC caching might use a much longer TTL than the
negative TTL intended by a zone operator.

The initial idea was to correct this in an erratum to RFC 8198
(aggressive use of NSEC/NSEC3), but Ralph Dolmans pointed out to me
that this would not solve the wildcard case.

I did a lightning talk on the topic at OARC 29 (
https://indico.dns-oarc.net/event/29/sessions/98/#20181013) where the
audience feedback, as I recall it, was agreeable to my suggestion of
'issuing operational guidance'.

I have since come to the conclusion that it would be better to also fix
this in software. Hence, please find below my draft that updates one
sentence in 4034 and the ~same sentence in 5155. As far as I can see,
no correction to 8198 is necessary or useful.

Any editorial comments are welcome via GitHub (link is in the draft),
private email, or this WG list. Any functional comments on the content,
please post them to the WG. Thank you.

(Warren, if you feel the wording of my acknowledgement lays blame with
you in a way that you'd rather not see immortalised in an RFC, please
let me know!)

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV -
https://www.powerdns.com/

-------- Forwarded Message --------
From: internet-drafts@ietf.org
To: Peter van Dijk <peter.van.dijk@powerdns.com>
Subject: [EXT] New Version Notification for draft-vandijk-dnsop-nsec-
ttl-00.txt
Date: Mon, 23 Nov 2020 12:03:04 -0800

A new version of I-D, draft-vandijk-dnsop-nsec-ttl-00.txt
has been successfully submitted by Peter van Dijk and posted to the
IETF repository.

Name:		draft-vandijk-dnsop-nsec-ttl
Revision:	00
Title:		NSEC(3) TTLs and NSEC Aggressive Use
Document date:	2020-11-23
Group:		Individual Submission
Pages:		6
URL:            https://www.ietf.org/archive/id/draft-vandijk-dnsop-nsec-ttl-00.txt
Status:         https://datatracker.ietf.org/doc/draft-vandijk-dnsop-nsec-ttl/
Html:           https://www.ietf.org/archive/id/draft-vandijk-dnsop-nsec-ttl-00.html
Htmlized:       https://tools.ietf.org/html/draft-vandijk-dnsop-nsec-ttl-00


Abstract:
   Due to a combination of unfortunate wording in earlier documents,
   aggressive use of NSEC(3) records may deny names far beyond the
   intended lifetime of a denial.  This document changes the definition
   of the NSEC(3) TTL to correct that situation.

                                                                                  


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat