Re: [DNSOP] Reminder: WGLC for draft-ietf-dnsop-nsec-aggressiveuse ends Tonight

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 06 October 2016 16:41 UTC

Date: Thu, 06 Oct 2016 18:32:17 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tim Wicinski <tjw.ietf@gmail.com>
Message-ID: <20161006163217.GA17794@laperouse.bortzmeyer.org>
References: <1fc274b9-2164-1933-54e3-ce47ff48c8a3@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6sLmf8-qbGGiWTGUHS9UT2qYoGo>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Reminder: WGLC for draft-ietf-dnsop-nsec-aggressiveuse ends Tonight

On Thu, Oct 06, 2016 at 02:53:38AM -0400,
 Tim Wicinski <tjw.ietf@gmail.com> wrote
 a message of 17 lines which said:

> Just a reminder that the WGLC for
> draft-ietf-dnsop-nsec-aggressiveuse will end later today (barring
> any stuck issues).  The authors appear to have addressed all open
> issues

The way I understand it, in -03, there are no more *positive* answers
(NOERROR synthesized from a wildcard in the cache), only negative ones
(NXDOMAIN). Am I correct? (If so, I agree with the change.)

If this is true, then I would suggest some work on rewriting section 7's
new text for updating RFC 4035. True, the cache needs to look at
wildcards to see if it can synthesize NXDOMAINs or not, but the way it
is written, it is confusing, since a wildcard would *prevent*
synthesis. Maybe:

   Once the records are validated, DNSSEC enabled validating
   resolvers MAY use NSEC/NSEC3 resource records
   to generate negative responses until their effective TTLs
   or signatures for those records expire. (This also requires
   checking that there is no wildcard applicable for the QNAME.)
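The wildcard condition discussed in this message is easy to get wrong in a resolver, so here is an added example (not from the message, the draft, or any resolver's code) of the decision a cache has to make before synthesizing an NXDOMAIN from NSEC records: find a validated NSEC that covers the QNAME in RFC 4034 canonical order, derive the closest encloser from that NSEC's owner and next names, and then require a second proof that `*.<closest encloser>` does not exist. A wildcard that does exist, or a missing proof, means no synthesis and a normal upstream query. The cache representation, the zone name argument and the NSEC-only (no NSEC3, no delegation handling) scope are assumptions of the example.

```python
"""Aggressive negative synthesis from cached NSEC records, with the
wildcard check.  Added example: the cache is a plain list of validated
NSEC tuples and the zone apex is passed in explicitly (assumptions).
"""
from __future__ import annotations
from dataclasses import dataclass


def labels(name: str) -> list[str]:
    """Split a fully qualified name into labels; the root is []."""
    name = name.rstrip(".").lower()          # RFC 4034 6.1: compare lowercase
    return name.split(".") if name else []


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 6.1 canonical order: compare label by label starting
    from the rightmost label; a name that is a prefix sorts first."""
    la, lb = labels(a)[::-1], labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name: str, ancestor: str) -> bool:
    la, lb = labels(name), labels(ancestor)
    return len(la) >= len(lb) and la[len(la) - len(lb):] == lb


def common_ancestor(a: str, b: str) -> str:
    """Longest common suffix of two names, as a name ('.' for the root)."""
    shared = []
    for x, y in zip(labels(a)[::-1], labels(b)[::-1]):
        if x != y:
            break
        shared.append(x)
    return ".".join(reversed(shared)) + "." if shared else "."


@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: frozenset = frozenset()   # RR types present at owner (unused here)


def covers(nsec: NSEC, name: str) -> bool:
    """True if this NSEC proves `name` does not exist: owner < name < next,
    where the last NSEC of the zone has `next` wrapping back to the apex."""
    after_owner = canonical_cmp(nsec.owner, name) < 0
    before_next = canonical_cmp(name, nsec.next) < 0
    wraps = canonical_cmp(nsec.next, nsec.owner) <= 0
    return after_owner and (before_next or wraps)


def synthesize_nxdomain(cache: list[NSEC], zone: str, qname: str) -> bool:
    """Return True only when the cache can prove NXDOMAIN for qname:
    (1) a validated NSEC covers qname, and
    (2) *.<closest encloser> is itself proven nonexistent by a cached NSEC.
    False means "no synthesis, send the query upstream" (name exists,
    a wildcard exists, or the proof is incomplete)."""
    if not is_subdomain(qname, zone):
        return False
    if any(canonical_cmp(n.owner, qname) == 0 for n in cache):
        return False                      # name exists: NODATA at most
    covering = next((n for n in cache if covers(n, qname)), None)
    if covering is None:
        return False
    # The closest encloser is the longest existing ancestor of qname; with a
    # covering NSEC that is the longer common ancestor with its owner or next.
    ce = max((common_ancestor(qname, covering.owner),
              common_ancestor(qname, covering.next)),
             key=lambda n: len(labels(n)))
    wildcard = "*." + ce.lstrip(".")
    if any(canonical_cmp(n.owner, wildcard) == 0 for n in cache):
        return False                      # a wildcard applies: positive answer
    return any(covers(n, wildcard) for n in cache)


# Constructed sample caches for a zone "example." (not real data).
CACHE_NO_WILDCARD = [NSEC("example.", "a.example."),
                     NSEC("a.example.", "b.example."),
                     NSEC("b.example.", "example.")]
CACHE_WITH_WILDCARD = [NSEC("example.", "*.example."),
                       NSEC("*.example.", "a.example."),
                       NSEC("a.example.", "example.")]
CACHE_PARTIAL = [NSEC("b.example.", "example.")]   # no proof about *.example.

if __name__ == "__main__":
    for cache, q in ((CACHE_NO_WILDCARD, "c.example."),
                     (CACHE_WITH_WILDCARD, "c.example."),
                     (CACHE_PARTIAL, "c.example.")):
        print(q, "->", "NXDOMAIN" if synthesize_nxdomain(cache, "example.", q)
              else "query upstream")
```

The partial cache illustrates the point of the message: a covering NSEC alone is not enough, because the same interval that proves `c.example.` absent says nothing about `*.example.`, and without that second proof the resolver has to ask the authoritative server.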