[DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-nsec3-guidance-08: (with COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 10 May 2022 18:31 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-nsec3-guidance@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com, tjw.ietf@gmail.com
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <165220750351.60909.14025124030421009706@ietfa.amsl.com>
Date: Tue, 10 May 2022 11:31:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/G5fSb7efuhQdV43DSt-rb7hI3Ac>
Subject: [DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-nsec3-guidance-08: (with COMMENT)

Roman Danyliw has entered the following ballot position for
draft-ietf-dnsop-nsec3-guidance-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec3-guidance/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** I support Paul Wouter’s DISCUSS position. Like Alvaro and Francesca also
commented, this document appears to be changing the behavior of RFC5155. It
should formally update it in the meta data. Specifically:

-- The language in Section 3.2. appears to “weaken” the guidance in Section
10.3 of RFC5155

-- Section 3.2 also seems to explicitly say it is updating RFC5155 with “[n]ote
that this specification updates [RFC5155] …”

** Section 2.
The following sections describe recommendations for setting
parameters for NSEC3 and NSEC3PARAM.

I don’t believe this is accurate. There are few tangible recommendations about
iterations or salts in this section. That’s in Section 3.

** Section 2.2.
In general, NSEC3 with the Opt-Out flag enabled
should only be used in large, highly dynamic zones with a small
percentage of signed delegations. Operationally, this allows for
fewer signature creations when new delegations are inserted into a
zone. This is typically only necessary for extremely large
registration points providing zone updates faster than real-time
signing allows or when using memory-constrained hardware

Qualitative scales such as “large … dynamic zones” and “extremely large
registration points” used. Can the operational experience informing these
statements be cited to suggest the scale?

** Section 3.1.
Operators are encouraged to forgo using a salt entirely by using a
zero-length salt value instead (represented as a "-" in the
presentation format).

Section 2.4 seemed to take a stronger position on the lack of utility of the
salt. Is there a reason normative language isn’t being used?

[DNSOP] Roman Danyliw's No Objection on draft-iet… Roman Danyliw via Datatracker
Re: [DNSOP] Roman Danyliw's No Objection on draft… Wes Hardaker
Re: [DNSOP] Roman Danyliw's No Objection on draft… Petr Špaček
Re: [DNSOP] Roman Danyliw's No Objection on draft… Wes Hardaker