Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminology-02.txt
Paul Hoffman <paul.hoffman@vpnc.org> Wed, 17 June 2015 23:44 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B6431A1A6C for <dnsop@ietfa.amsl.com>; Wed, 17 Jun 2015 16:44:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NBS-9IdEbN3q for <dnsop@ietfa.amsl.com>; Wed, 17 Jun 2015 16:44:14 -0700 (PDT)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 089031B2E67 for <dnsop@ietf.org>; Wed, 17 Jun 2015 16:44:14 -0700 (PDT)
Received: from [10.20.30.101] (142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t5HNhdmh025671 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 17 Jun 2015 16:43:40 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100] claimed to be [10.20.30.101]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <alpine.LSU.2.00.1506161105080.23307@hermes-1.csi.cam.ac.uk>
Date: Wed, 17 Jun 2015 16:43:39 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <3BB903DA-6C3A-4217-BB34-7FF6EC1365E2@vpnc.org>
References: <20150526153132.306.56516.idtracker@ietfa.amsl.com> <75E0FCDF-615C-4F54-8503-9F821C38B0D5@hopcount.ca> <D1C3C284-0B5E-4CF9-8FF5-F150E814DB8A@vpnc.org> <alpine.LSU.2.00.1506161105080.23307@hermes-1.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/8LU0xwQx5mrzgVm3lNt4fS7JTME>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminology-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2015 23:44:15 -0000
On Jun 16, 2015, at 3:50 AM, Tony Finch <dot@dotat.at> wrote: > > Paul Hoffman <paul.hoffman@vpnc.org> wrote: >> >>> "Name Error" as a synonym for NXDOMAIN seems like it is worth >>> including, somewhere. >> >> Are you sure that "name error" always refers to NXDOMAIN? If not, this >> is not a can of worms we should open. > > Absolutely. RFC 1035 section 4.1.1: > > RCODE Response code - this 4 bit field is set as part of > responses. The values have the following > interpretation: > > 3 Name Error - Meaningful only for > responses from an authoritative name > server, this code signifies that the > domain name referenced in the query does > not exist. Got it. Added to the current meager text for NXDOMAIN. > >>> 5. DNS Servers >>> >>> There are documented uses of "iterative mode resolvers" to mean >>> exactly "recursive mode resolvers" as defined in this section. I had >>> only ever heard the phrase as a knee-jerk objection to the observation >>> that "recursive servers" don't recurse, they iterate. I mention this >>> just in case "iterative mode" as described here does not have a posse. >> >> This has been deferred to the -bis document because of disagreement. > > I think the definitions in the current draft will cause confusion rather > than clearing it up, and fixing them in -bis will be too late, considering > how non-IETF people treat RFCs like stone tablets handed down on a > mountain. The latter is a good point. Because we are pretty sure there will be a -bis, and that it will have new material not just corrections, we should say so right at the top of this document. > >>> There is no mention of "authority-only servers", which I find to be in >>> common usage. >> >> That term appears in exactly one RFC, of which you are co-author. > > "authoritative-only" appears in 7 RFCs. There's a reasonable definition in > RFC 4697 section 2.4 > > [...] > "authoritative-only" name servers, which only serve authoritative > data and ignore requests for recursion. Such an entity will not > normally generate any queries of its own. Instead it answers non- > recursive queries from iterative resolvers looking for information in > zones it serves. That sounds good. Added. > >>> "Wildcard" does not actually have a definition listed; just a note >>> that earlier attempts at providing a definition have been problematic. >>> While the text here seems entirely agreeable, it seems like it would >>> be nice to present at least a cursory definition in this document, >>> even if it needs provisos and references. > > I agree with Joe. Even if the RFC 1034 definition is problematic for > implementers, it's perfectly good for getting the point across to > hostmasters. > > Wildcard: Special treatment is given to RRs with > owner names starting with the label "*". Such RRs are called > wildcards. Wildcard RRs can be thought of as instructions for > synthesizing RRs. (quoted from [RFC1034] section 4.3.3) For an > extended discussion of wildcards see [RFC4592]. OK, we can add this, at the risk of confusing folks more. > >>> "NSEC3": whether not NSEC3 is "quite different" from NSEC depends on >>> your context. Functionally, in the narrow sense of "allows verifiable >>> denial of existence", they are identical. I think it would be clearer >>> to focus on their functional similarities, and point out the >>> additional features of NSEC3 (opt-out and making zone enumeration >>> harder), observing that any particular signed zone must use exactly >>> one of these, not both (so, they are alternatives, and one of them is >>> required). >> >> Disagree. Even in the "allows verifiable denial of existence", they are >> quite different in that the processing needed is very different. The >> "fundamental similarities" are only in what is achieve, not in the way >> of achieving it. > > I agree with Joe, I think the first sentence of the NSEC3 definition > doesn't actually add any information to what is covered by the rest of the > definition. Noted; removed. > > Possibly worth adding: > > [RFC7129] provides additional background commentary and some > context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide > authenticated denial-of-existence responses. Good addition, yes. > > (quoted from its abstract) > >>> "Opt-out": It would be helpful I think to include a sentence or two >>> that illustrates the point of opt-out, e.g. that in a >>> delegation-centric zone with relatively few secure delegations, use of >>> opt-out can reduce the overhead of DNSSEC on zone size. >> >> I searched for supporting material in RFC 5155 that could explain why to >> use opt-out in words that would make sense in this document; I failed. >> If you find some, that would be great. > > Opt-out: The Opt-Out Flag indicates whether this NSEC3 RR may cover > unsigned delegations. (Quoted from [RFC5155], section 3.1.2.1.) > > Opt-out tackles the high costs of securing a delegation to an > insecure zone. When using Opt-Out, names that are an insecure > delegation (and empty non-terminals that are only derived from > insecure delegations) don't require an NSEC3 record or its > corresponding RRSIG recors. Opt-Out NSEC3 records are not able to > prove or deny the existence of the insecure delegations. (Adapted > from [RFC7129] section 5.1) That seems like a good addition as well. Thanks! --Paul Hoffman
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminol… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… John Dickinson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Joe Abley
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Joe Abley
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… John Dickinson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Andrew Sullivan
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman