Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
"Wessels, Duane" <dwessels@verisign.com> Wed, 17 January 2024 00:47 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB31FC14F739 for <dnsop@ietfa.amsl.com>; Tue, 16 Jan 2024 16:47:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2cIYqlHm8Lfp for <dnsop@ietfa.amsl.com>; Tue, 16 Jan 2024 16:46:56 -0800 (PST)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61634C14F714 for <dnsop@ietf.org>; Tue, 16 Jan 2024 16:46:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=4750; q=dns/txt; s=VRSN; t=1705452416; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=EIUJ9UvYv5VuUITbR3csumDsUC4KZc2zOZHoIZqgs+E=; b=U2wX5Q0QqgwLXJXrddWsTqZCcMcIT/Wu9aWOC4hjlbQi3q5a4QmUPox2 qrSZA6qOMzJ64pDRiDaUyLeJHp3SrWu4t6orpnF1yMzkoY1vCIum/dY8q BY8pMZ80vfEWzYi4XjrwwHcN1Fk+NeIVoeOR6tRaU+orBul5K1w+a74/5 swuEqu8AP5oujkwKhNc3+ptFnSJJzgCmgYzh7ssIhR5Jy5e0e3p2c8lb6 JNElfzmHFwGviIPadVQ+VDe1er9QBmXPgWnGXzV7P3oT1eD/oltHvRVp8 RHG/QqqNkm2gDdMPSikvLDpg+rtyVJiIjKwjaphD+c1ySTBfg/gpL76nI Q==;
X-CSE-ConnectionGUID: NanHXwqjR8Oa5VhtMdVo+A==
X-CSE-MsgGUID: McRVyi8XRQSeLhy+CRcrQg==
X-ThreatScanner-Verdict: Negative
IronPort-Data: A9a23:qCDEFqyblGiHMZJ+dyZ6t+ddxyrEfRIJ4+MujC+fZmUNrF6WrkVWn 2oZWmyDPvbYNzCnctF1a4XnoBgGuMfcztJmTAVurS00HyNBpPSeCIXCJC8cHc8wwu7rFxs7s ppEOrEsCOhuExcwcz/0auCJQUFUjPzOHvykTrecZkidfCc8IA85kxVvhuUltYBhhNm9Emult Mj7yyHlEAbNNwVcbCRMtspvlDs15K6u4GpB4ARlDRx2lAS2e0c9Xcp3yZ6ZciOQrrl8RoaSW +vFxbelyWLVlz9F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq/0Te5p0G2M80Mi+7vR3Sxowsl 48d3XCHYVxB0qXkwIzxWjEGS30uZfUuFLXveRBTuuTLp6HKnueFL1yDwyjaMKVBktubD12i+ tQ+ITYtXg+ahdjm57vmdOlwo8gdK4rCadZ3VnFIlVk1DN4Me7aafIPn1YcBmik7gdpWW//SI dQDcjwpZxPFC/FNEg5PTsthx6Hx2yK5L20wRFG9/MLb50Df0wFqy7XpK/LLd8aLXsRamACTo WeuE2HRWUpKaYHCmWbtHnSEo+T1ozL6CLIoLYa10v57w3apzXYqB0hDPbe8ibzj4qKkYPpHI lEQvCopo6Y3/UqDT9L0WRv+p2SL1jYQXcFXC8U75R2DjK3O7G6k6nMsRCRHMcMgud9uHHkxy EXPmtLyQDZo9rePTyvb6K2Pq3W5Pi19wXI+WBLohDAtu7HLyLzfRDqVJjq/OMZZVuHIJAw=
IronPort-HdrOrdr: A9a23:aPNjQK7l/cnsnxU/BAPXwBHXdLJyesId70hD6qkoc20xTiQB// re5sjzpiWE7Ar5P0tQ5OxoWZPwOk80mqQV3WB8B92ftUzdyQmVxeJZnPffKl/bexEWn9Q1vc xdmupFeb7N5DNB4foSlTPXLz9W+ra6Gc6T6Ns2hE0dKj2CI5sQiTuQQGygYzRLrSd9dOIEKK Y=
X-Talos-CUID: 9a23:tWn0Km3Hz5mEf6az8Vj94rxfPMkjUk3C1XXqc2ixVFhpVJiZd1jT0fYx
X-Talos-MUID: 9a23:yas0Kw2QtBgTpmAJSlRiESdkgjUjxq+UNlEMwaU8gvKJESxheBynhy6OTdpy
X-IronPort-AV: E=Sophos;i="6.05,200,1701129600"; d="scan'208";a="33855584"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Tue, 16 Jan 2024 19:46:54 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.035; Tue, 16 Jan 2024 19:46:54 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
Thread-Index: AQHaSLtc1vlCBVTbp02Vhg871ShuHrDc+ZMA
Date: Wed, 17 Jan 2024 00:46:54 +0000
Message-ID: <D4128A66-2157-4671-A534-92A0193672DC@verisign.com>
References: <CADyWQ+FW_9pbQFrOJz7R5BQEdL075wXBc=aZ=mcifqT8fekORg@mail.gmail.com> <CADyWQ+HkQ2vq9kq2Nk-nE8cogOpgCA86Hqc=ahR2AcaUV4pWTQ@mail.gmail.com> <D04F21A9-57F5-4283-A578-BE64EB372ED5@icann.org>
In-Reply-To: <D04F21A9-57F5-4283-A578-BE64EB372ED5@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.80.23121017
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <5B6615AE79E4B745B35DB3D35A2A7099@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FwCcL7dWh3Rfl0GLK_dRhZbiwBE>
Subject: Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 00:47:00 -0000
I made a pass through the document and have the following feedback. > Priming is described in Sections 5.3.2 and 5.3.3 of [RFC1034]. The > scenario used in that description, that of a recursive server that is > also authoritative, is no longer as common. Since RFC 1034 doesn't use the term "priming" maybe it would be good to be more descriptive here? For example: Priming is described in Sections 5.3.2 and 5.3.3 of [RFC1034], where it is referred to as a "safety belt" or part of the SBELT structure. > Research shows that after those addresses change, some resolvers > never get the new addresses. If you feel like this would benefit from a reference, https://indico.dns-oarc.net/event/24/contributions/378/ is one such that would fit. > Root server > identifier and address changes are the main reasons that resolvers > need to do priming instead of just going from a configured list to > get a full and accurate list of root servers. I find "to get a full..." at the end here to be confusing. Maybe a slight reordering and rewording? Root server identifier and address changes are the main reasons that resolvers need to use priming to get a full and accurate list of root servers, instead of just using a statically configured list. > A priming query is a DNS query used to get the root server > information in a resolver. I find the above imprecise. Perhaps: A priming query is a DNS query whose response provides root server names and addresses. > If a resolver chooses to pre-fetch the root NS RRset before that > RRset has expired in its cache, it needs to choose whether to use the > addresses for the root NS RRset that it already has in its cache or > to use the addresses it has in its configuration. Such a resolver > SHOULD send queries to the addresses in its cache in order to reduce > the chance of delay due to out-of-date addresses in its > configuration. This section doesn't say what a non-pre-fetching resolver should do. Does it imply or mean that a non-pre-fetching resolver can only re-prime from the original configuration? > Resolver software SHOULD NOT expect 13 NS RRs because This is somewhat out of the blue. There is no prior discussion on the number of root server identifiers. Although there is immediately after... > If the Additional section is truncated, there is no expectation that > the TC bit in the response will be set to 1. At the time that this > document is written, many of the root servers are not setting the TC > bit on responses with a truncated Additional section. I think I tried to argue about this phrasing before, but looks like I was unsuccessful. IMO truncated should mean TC=1 and TC=1 should mean truncated. I don't think its okay to say that a message can be truncated but TC bit not set. RFC 1035 says: TC TrunCation - specifies that this message was truncated due to length greater than that permitted on the transmission channel. It would be better to use "partial" instead of "truncated" here. e.g.: If the Additional section contains a partial set of A / AAAA RRsets, there is no expectation that the TC bit in the response will be set to 1. At the time that this document is written, many of the root servers are not setting the TC bit on responses when not all A / AAAA RRsets fit in the Additional section. DW
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- [DNSOP] Priming and RFC 8806 Paul Hoffman
- [DNSOP] typos/language corrections (Re: Working G… Štěpán Němec
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Wouters
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last Call for draft-iet… Roy Arends
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… George Michaelson
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Wessels, Duane
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski