Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminology-02.txt
Tony Finch <dot@dotat.at> Tue, 16 June 2015 10:50 UTC
Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81E311B2FE4 for <dnsop@ietfa.amsl.com>; Tue, 16 Jun 2015 03:50:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HpuApV2zoWbY for <dnsop@ietfa.amsl.com>; Tue, 16 Jun 2015 03:50:23 -0700 (PDT)
Received: from ppsw-51.csi.cam.ac.uk (ppsw-51.csi.cam.ac.uk [131.111.8.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5180F1B2FCC for <dnsop@ietf.org>; Tue, 16 Jun 2015 03:50:23 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:49447) by ppsw-51.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.159]:25) with esmtpa (EXTERNAL:fanf2) id 1Z4oRg-0003lJ-Z0 (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 16 Jun 2015 11:50:20 +0100
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1Z4oRg-0003GV-QG (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 16 Jun 2015 11:50:20 +0100
Date: Tue, 16 Jun 2015 11:50:20 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <D1C3C284-0B5E-4CF9-8FF5-F150E814DB8A@vpnc.org>
Message-ID: <alpine.LSU.2.00.1506161105080.23307@hermes-1.csi.cam.ac.uk>
References: <20150526153132.306.56516.idtracker@ietfa.amsl.com> <75E0FCDF-615C-4F54-8503-9F821C38B0D5@hopcount.ca> <D1C3C284-0B5E-4CF9-8FF5-F150E814DB8A@vpnc.org>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/B9h667GGBJdO_pBDSWOJF_dEN4A>
Cc: dnsop@ietf.org, Joe Abley <jabley@hopcount.ca>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminology-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2015 10:50:25 -0000
Paul Hoffman <paul.hoffman@vpnc.org> wrote: > > > "Name Error" as a synonym for NXDOMAIN seems like it is worth > > including, somewhere. > > Are you sure that "name error" always refers to NXDOMAIN? If not, this > is not a can of worms we should open. Absolutely. RFC 1035 section 4.1.1: RCODE Response code - this 4 bit field is set as part of responses. The values have the following interpretation: 3 Name Error - Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist. > > 5. DNS Servers > > > > There are documented uses of "iterative mode resolvers" to mean > > exactly "recursive mode resolvers" as defined in this section. I had > > only ever heard the phrase as a knee-jerk objection to the observation > > that "recursive servers" don't recurse, they iterate. I mention this > > just in case "iterative mode" as described here does not have a posse. > > This has been deferred to the -bis document because of disagreement. I think the definitions in the current draft will cause confusion rather than clearing it up, and fixing them in -bis will be too late, considering how non-IETF people treat RFCs like stone tablets handed down on a mountain. > > There is no mention of "authority-only servers", which I find to be in > > common usage. > > That term appears in exactly one RFC, of which you are co-author. "authoritative-only" appears in 7 RFCs. There's a reasonable definition in RFC 4697 section 2.4 [...] "authoritative-only" name servers, which only serve authoritative data and ignore requests for recursion. Such an entity will not normally generate any queries of its own. Instead it answers non- recursive queries from iterative resolvers looking for information in zones it serves. > > "Wildcard" does not actually have a definition listed; just a note > > that earlier attempts at providing a definition have been problematic. > > While the text here seems entirely agreeable, it seems like it would > > be nice to present at least a cursory definition in this document, > > even if it needs provisos and references. I agree with Joe. Even if the RFC 1034 definition is problematic for implementers, it's perfectly good for getting the point across to hostmasters. Wildcard: Special treatment is given to RRs with owner names starting with the label "*". Such RRs are called wildcards. Wildcard RRs can be thought of as instructions for synthesizing RRs. (quoted from [RFC1034] section 4.3.3) For an extended discussion of wildcards see [RFC4592]. > > "NSEC3": whether not NSEC3 is "quite different" from NSEC depends on > > your context. Functionally, in the narrow sense of "allows verifiable > > denial of existence", they are identical. I think it would be clearer > > to focus on their functional similarities, and point out the > > additional features of NSEC3 (opt-out and making zone enumeration > > harder), observing that any particular signed zone must use exactly > > one of these, not both (so, they are alternatives, and one of them is > > required). > > Disagree. Even in the "allows verifiable denial of existence", they are > quite different in that the processing needed is very different. The > "fundamental similarities" are only in what is achieve, not in the way > of achieving it. I agree with Joe, I think the first sentence of the NSEC3 definition doesn't actually add any information to what is covered by the rest of the definition. Possibly worth adding: [RFC7129] provides additional background commentary and some context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide authenticated denial-of-existence responses. (quoted from its abstract) > > "Opt-out": It would be helpful I think to include a sentence or two > > that illustrates the point of opt-out, e.g. that in a > > delegation-centric zone with relatively few secure delegations, use of > > opt-out can reduce the overhead of DNSSEC on zone size. > > I searched for supporting material in RFC 5155 that could explain why to > use opt-out in words that would make sense in this document; I failed. > If you find some, that would be great. Opt-out: The Opt-Out Flag indicates whether this NSEC3 RR may cover unsigned delegations. (Quoted from [RFC5155], section 3.1.2.1.) Opt-out tackles the high costs of securing a delegation to an insecure zone. When using Opt-Out, names that are an insecure delegation (and empty non-terminals that are only derived from insecure delegations) don't require an NSEC3 record or its corresponding RRSIG recors. Opt-Out NSEC3 records are not able to prove or deny the existence of the insecure delegations. (Adapted from [RFC7129] section 5.1) Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Fisher: Northwest 5 or 6, backing west 4 or 5, backing southwest 5 or 6 later. Moderate. Rain later. Good, occasionally moderate later.
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminol… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… John Dickinson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Joe Abley
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Joe Abley
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… John Dickinson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Andrew Sullivan
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-term… Paul Hoffman