[DNSOP]Requesting final comments on draft-ietf-dnsop-rfc8109bis

Tim Wicinski <tjw.ietf@gmail.com> Wed, 05 June 2024 15:26 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E252CC1E722C; Wed, 5 Jun 2024 08:26:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K0JNmepMarka; Wed, 5 Jun 2024 08:25:57 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7E65C1E6409; Wed, 5 Jun 2024 08:25:57 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-57a2f032007so7432482a12.0; Wed, 05 Jun 2024 08:25:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1717601155; x=1718205955; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=iVyF1o5eXNRpx3+HzcaGoHm0TpTjBcaPMeLqX5Cte0U=; b=JczUxBArTrgr3yfqWVFLp1G/0gc5X/j1PfjcIfoQ1VgybASVHBGVpZK2P+BTIQleVw Hyo3IbrJgkWQLxnC7Dbiot1fay1bzLrkxr2NiiLOlkVSljuBJdfsvQPN8RzW+tPZ+wJG hJe20ypRHEgLHvwT+JuMWbzIyCiTRv/3KIvmK/OSXdATBlOf+CStl9fWuGa4G3VLNAJC RzIz3wlq7NWVgXYhHIN1ykOxWSZkTBP3KzT6ZA2FKFt2aH/blK0sioGTxyvothjT1K14 yk9VIA/lXhO7IFeW2n1KhVf+Uwoe+DerKIk+ejjAp1v3zgYzb0ajmXC+Y2tywYTESZmf sT8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717601155; x=1718205955; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=iVyF1o5eXNRpx3+HzcaGoHm0TpTjBcaPMeLqX5Cte0U=; b=jBVVuycqt515VSuJ+GEBV4ycuLrRYzUaUaOyXQslP3ZApwzKrJym8AkfKH1Scy1PK3 xOBd19zLOVG/KyyPNZIczpkEmVJHmWJl2cOJ4fzMTBqzrOmRJhEQzuEkYHWWMp8XLB46 y9dyko4QlaCP0nAPngiNE6dyqAlfr46LOnq0+eJl04w/NZc4bQ/i8YR3esW4hhN+sdm3 gUhWqNVcwUmpZrWag9BXP7ekRvHyQVM38JyarrpW3glBtu8B7tgKqfzl3wfECguGS8Hb 6/t5HITmXTFw+S7WWd2Uoj8oeHuo3xHlZMgM1qWSTeaPDCLmtQcAZrisHyKShq84oCjo yJ4Q==
X-Gm-Message-State: AOJu0YzNrO7KZR9VwUMg+FZNTOp9ztO0pYjbCNmqUQGTRu/A1mY1l/yu kT9C389MWerSox0Z3Mk2sbEVON1nCEYO7Kb7wkOlyNhHIMWeHd3V0KxPSIuEyrdBnHznna1j+Yw e6nGnQgX/XKDkfnJHih03cRUBBOfxEdss
X-Google-Smtp-Source: AGHT+IFxcMh3X+FnDs7N8s2CMo539Q98LZVmm1Ywecjb2qr+um1XJym3qP1E3jhy2JU2UB/MTS/meole3wSXD0tokro=
X-Received: by 2002:a05:6402:2153:b0:57a:2ea0:4065 with SMTP id 4fb4d7f45d1cf-57a8b67d693mr1807161a12.5.1717601155189; Wed, 05 Jun 2024 08:25:55 -0700 (PDT)
MIME-Version: 1.0
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Wed, 05 Jun 2024 11:25:44 -0400
Message-ID: <CADyWQ+HLxyAkhdYsOEQz09ByF5EtuvDMh2oAWb_tt_c7YN+59A@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b89332061a262e64"
Message-ID-Hash: 27YPERD4OPPVBVP7M2DCVBFPQRSFAGO7
X-Message-ID-Hash: 27YPERD4OPPVBVP7M2DCVBFPQRSFAGO7
X-MailFrom: tjw.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop-chairs <dnsop-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP]Requesting final comments on draft-ietf-dnsop-rfc8109bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DfKRXuesEil0TOEhynQgoL8QpIk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

All

The chairs are requesting some final comments on
draft-ietf-dnsop-rfc8109bis. As you might recall, this document has already
been through WGLC and had consensus to advance, but our AD reviewed it and
raised some additional questions. (Warren Kumari, “AD Review of
draft-ietf-dnsop-rfc8109bis,” email to the list on 31 January.)

Here are specific things we particularly want feedback on:


-Discussion on the list suggested a change regarding the use of the TC bit
in the context of a priming response, which appears in the -04 (current)
version of the document but hasn’t been reviewed by the full WG:

OLD:
Note that [RFC9471] updates [RFC1035] with respect to the use of the TC
bit.  It says "If message size constraints prevent the inclusion of all
glue records for in-domain name servers, the server must set the TC
(Truncated) flag to inform the client that the response is incomplete and
that the client should use another transport to retrieve the full
response."  Note, however, the root server addresses are not glue records,
so setting the TC bit in truncated responses from the root servers is not
required by [RFC9471].

NEW:
Note that [RFC9471] updates [RFC1035] with respect to the use of the TC
bit.  It says "If message size constraints prevent the inclusion of all
glue records for in-domain name servers, the server must set the TC
(Truncated) flag to inform the client that the response is incomplete and
that the client should use another transport to retrieve the full
response."  Because the priming response is not a referral, root server
addresses in the priming response are not considered glue records.  Thus,
[RFC9471] does not apply to the priming response and root servers are not
required to set the TC bit if not all root server addresses fit within
message size constraints. There are no requirements on the number of root
server addresses that a root server must include in a priming response.

Willem's email to the list which suggests changes to section 3.3 to better
explain what is signed when; the chairs feel that these changes should be
incorporated into the draft as well
https://mailarchive.ietf.org/arch/msg/dnsop/D2Ha-Hk2lpvvkcXx7k4RILpgaPQ/
The addition of a reference to RSSAC 0028 (
https://www.icann.org/en/system/files/files/rssac-028-03aug17-en.pdf,
“Technical Analysis of the Naming Scheme Used For Individual Root Servers,”
as an informative reference; it discusses the rationale for not signing
root-servers.net.


We liked to hear from the WG on this by Friday June 14, 2024.

Thanks
tim, et al