[DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-nsec3-guidance-08: (with COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 10 May 2022 18:31 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 814B3C15952A; Tue, 10 May 2022 11:31:43 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-nsec3-guidance@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com, tjw.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 8.1.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <165220750351.60909.14025124030421009706@ietfa.amsl.com>
Date: Tue, 10 May 2022 11:31:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/G5fSb7efuhQdV43DSt-rb7hI3Ac>
Subject: [DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-nsec3-guidance-08: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.34
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2022 18:31:43 -0000

Roman Danyliw has entered the following ballot position for
draft-ietf-dnsop-nsec3-guidance-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


** I support Paul Wouter’s DISCUSS position.  Like Alvaro and Francesca also
commented, this document appears to be changing the behavior of RFC5155.  It
should formally update it in the meta data.  Specifically:

-- The language in Section 3.2. appears to “weaken” the guidance in Section
10.3 of RFC5155

-- Section 3.2 also seems to explicitly say it is updating RFC5155 with “[n]ote
that this specification updates [RFC5155] …”

** Section 2.
   The following sections describe recommendations for setting
   parameters for NSEC3 and NSEC3PARAM.

I don’t believe this is accurate.  There are few tangible recommendations about
iterations or salts in this section.  That’s in Section 3.

** Section 2.2.
   In general, NSEC3 with the Opt-Out flag enabled
   should only be used in large, highly dynamic zones with a small
   percentage of signed delegations.  Operationally, this allows for
   fewer signature creations when new delegations are inserted into a
   zone.  This is typically only necessary for extremely large
   registration points providing zone updates faster than real-time
   signing allows or when using memory-constrained hardware

Qualitative scales such as “large … dynamic zones” and “extremely large
registration points” used.  Can the operational experience informing these
statements be cited to suggest the scale?

** Section 3.1.
   Operators are encouraged to forgo using a salt entirely by using a
   zero-length salt value instead (represented as a "-" in the
   presentation format).

Section 2.4 seemed to take a stronger position on the lack of utility of the
salt.  Is there a reason normative language isn’t being used?