Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-03.txt
Shumon Huque <shuque@gmail.com> Sat, 16 March 2024 21:51 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A9AC14F618 for <dnsop@ietfa.amsl.com>; Sat, 16 Mar 2024 14:51:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lVt2VxL168fQ for <dnsop@ietfa.amsl.com>; Sat, 16 Mar 2024 14:51:50 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0502DC14F610 for <dnsop@ietf.org>; Sat, 16 Mar 2024 14:51:50 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id ca18e2360f4ac-7cc05ce3c70so25785539f.0 for <dnsop@ietf.org>; Sat, 16 Mar 2024 14:51:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710625909; x=1711230709; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=m98sqEIJN4qCct3Ql2JvElRVY5AuM1ylwy68OhWh8YI=; b=kxD+iLW4NpRdKJD6fQcRqvIHnw743FevYDsHhK2+ymXkSY6+Z/EqqJ0Tlq35g/U2XL NN5vukhKqeop30I7sCBZ6LdRBW+PdOtXnJwfJXN4q4AM7JgNLMxxmN2gN89aCYiM9Cw6 icBAXRmtMaDE3ADXAHu/AwQJ/AwJefdCrGAQPYeeewSP6R1TnCF4BOwM7JiLOwBvr4+D eJ6q6WYdG/uPo0ztpFQ1Ayjsyypa3ZVEpwhUU1k7y61Zlo13xvBVhjKgVgADhKuwz2qA +Y42h8rYWFW6EuZxe8WtIopn+mLOBDbNPPPJKobXzpVLIEDQy3PffcqVTtV9koJPNL9i r6uA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710625909; x=1711230709; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=m98sqEIJN4qCct3Ql2JvElRVY5AuM1ylwy68OhWh8YI=; b=C8DQPtrwibg/McjIF8H5dfqndDZPDKodim+P4fA4a6B6Pwczrn3N3cNqPYz7S3f0Y/ eHdBgaQOryqCnp1a04kuhXRJMopLgzL09wra9TTCPweidno3upusvSbYJf6jawE2/Dy9 8F1RmtGeIX4ZcjV+HfoMKFwFjvEsHgd9qSZuKXsd9yCt8YKW2XBk3Jh79kZIpqjsosM/ rBurLZPuIj1FYL2CObwpGnZkvXOCAqM97JxI+YlgLO1utIQwxnvj/xMOH6uXpRTUekDU jv/8P1R5N0H/hOZiMTCiEU39zmtc8e8pqNICErrJJg6hWoyFgIeG/fcNJVBpzx5Gf+dK wZGQ==
X-Gm-Message-State: AOJu0YzGxAC8T8Qqa+KW9LYnBk36TrNM1uP/mmlpWCjWIg4QMxX/CUQU o1KDuwqhsQiB5NFMyz65v5ajskOChX7VMlhpN6vCJRqdv8DbYcCVENElBnKe7g5NSC8+sAUaBCp S3R97FNmkLpp3MDr+a2knIKzQ7rU=
X-Google-Smtp-Source: AGHT+IEVRfvpTQLSkJnPUVjPbenuLKjUQAdNaQkz9JM6FZSXQRHenxeRLdpLxfgTNL/ZGXsuVBtTLZ9ltGlCrGr+CNA=
X-Received: by 2002:a5e:a517:0:b0:7cc:6115:224 with SMTP id 23-20020a5ea517000000b007cc61150224mr58445iog.5.1710625908748; Sat, 16 Mar 2024 14:51:48 -0700 (PDT)
MIME-Version: 1.0
References: <170959055561.39905.2007482768877029325@ietfa.amsl.com> <70db7a29-a1fc-4287-a904-ad5e4f1d60a3@desec.io>
In-Reply-To: <70db7a29-a1fc-4287-a904-ad5e4f1d60a3@desec.io>
From: Shumon Huque <shuque@gmail.com>
Date: Sat, 16 Mar 2024 14:51:37 -0700
Message-ID: <CAHPuVdUCSO+Z3E38ip3PWZNrEkVyvhk3n_CR026pkMDr-R7==A@mail.gmail.com>
To: Peter Thomassen <peter@desec.io>
Cc: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a27c060613ce2104"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7iKhji_VMYVyrVQaqxLR3OxEGDY>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2024 21:51:50 -0000
On Thu, Mar 14, 2024 at 2:45 AM Peter Thomassen <peter@desec.io> wrote: > Hi Shumon et al., > > On 3/5/24 08:15, internet-drafts@ietf.org wrote: > > Internet-Draft draft-ietf-dnsop-compact-denial-of-existence-03.txt is now > > available. It is a work item of the Domain Name System Operations > (DNSOP) WG > > of the IETF. > > I added a PR with some suggestions here: > https://github.com/shuque/id-dnssec-compact-lies/pull/3 > > The PR just has the suggestions, with no rationale. If anything's > contentious or the rationale less obvious than I thought: apologies; happy > to provide it! > Thanks, will review .. > Also, two questions: > > Section 2: > > An alternative way to distinguish NXDOMAIN from ENT is to define > the synthetic Resource Record type for ENTs [...] This typically imposes > less work on the server since NXDOMAIN responses are a lot more common than > ENTs. > > Not sure in what regard this is "less" work -- an NSEC record has to be > signed in any case? > Less work because ENTs are less common than NXDOMAIN, so the authoritative server has to add the pseudo-type to the NSEC record less often. Also, since the ENT exists in the zone, the authority server could in theory pre-compute and cache the signed NSEC associated with it. > Section 4.1 > > This section describes an optional but recommended scheme > > How do "optional" and "recommended" relate to the corresponding uppercase > keywords (which don't apply at the same time)? > I was having a discussion with some folks about this point yesterday at the hackathon. I was initially avoiding the keyword term "SHOULD" since it tends to carry a stronger connotation (e.g. only ignore doing this if you have a very good reason), and that sometimes antagonizes people. We know there are some resolver implementers that don't want to complicate their code just to make Compact Denial work better. If the working group is amenable though, we would be happy to add SHOULD or RECOMMENDED. Shumon.
- [DNSOP] I-D Action: draft-ietf-dnsop-compact-deni… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Peter Thomassen
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Dave Lawrence
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Dave Lawrence
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… John Levine
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… John R Levine
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Dave Lawrence
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Geoff Huston