[DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis
Paul Hoffman <paul.hoffman@icann.org> Wed, 05 June 2024 16:28 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A9D1C214247; Wed, 5 Jun 2024 09:28:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.195
X-Spam-Level:
X-Spam-Status: No, score=-4.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4NEbNYWha9zI; Wed, 5 Jun 2024 09:28:11 -0700 (PDT)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A68EC16A126; Wed, 5 Jun 2024 09:28:11 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa4.dc.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 455GOl9B014042 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 5 Jun 2024 09:24:48 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Wed, 5 Jun 2024 09:28:05 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1258.034; Wed, 5 Jun 2024 09:28:05 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: dnsop <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP]Requesting final comments on draft-ietf-dnsop-rfc8109bis
Thread-Index: AQHat1zFOqSEV4gQ+0y2Dpik/dsQnLG50U6A
Date: Wed, 05 Jun 2024 16:28:05 +0000
Message-ID: <3B172CF5-F76C-4B21-984D-F19CF5B40F48@icann.org>
References: <CADyWQ+HLxyAkhdYsOEQz09ByF5EtuvDMh2oAWb_tt_c7YN+59A@mail.gmail.com>
In-Reply-To: <CADyWQ+HLxyAkhdYsOEQz09ByF5EtuvDMh2oAWb_tt_c7YN+59A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <9F7F488E43248C48956D0B45DED4D193@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-05_02,2024-06-05_02,2024-05-17_01
Message-ID-Hash: TWJHVD5NYZMSNJPRVUTASWG3UAY3ODCT
X-Message-ID-Hash: TWJHVD5NYZMSNJPRVUTASWG3UAY3ODCT
X-MailFrom: paul.hoffman@icann.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop-chairs <dnsop-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP]Re: [Ext] Requesting final comments on draft-ietf-dnsop-rfc8109bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JEChrjGKGhQzwo5dCuWZm4lcm5g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Tim jumped the gun by about an hour: we just submitted the -05. It incorporates the suggested text from below; you can see the diff at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-05 FWIW, this new text is somewhat based on the findings from NLnetLabs and SIDN on a project supported by ICANN. You can see the report, and an earlier report on a related topic, at: https://www.icann.org/resources/pages/octo-commissioned-documents-2020-11-05-en Please let us know if you have any issues with the changed text in the new version. --Paul Hoffman On Jun 5, 2024, at 08:25, Tim Wicinski <tjw.ietf@gmail.com> wrote: > > All > > The chairs are requesting some final comments on draft-ietf-dnsop-rfc8109bis. As you might recall, this document has already been through WGLC and had consensus to advance, but our AD reviewed it and raised some additional questions. (Warren Kumari, “AD Review of draft-ietf-dnsop-rfc8109bis,” email to the list on 31 January.) > > Here are specific things we particularly want feedback on: > > > -Discussion on the list suggested a change regarding the use of the TC bit in the context of a priming response, which appears in the -04 (current) version of the document but hasn’t been reviewed by the full WG: > > OLD: > Note that [RFC9471] updates [RFC1035] with respect to the use of the TC bit. It says "If message size constraints prevent the inclusion of all glue records for in-domain name servers, the server must set the TC (Truncated) flag to inform the client that the response is incomplete and that the client should use another transport to retrieve the full response." Note, however, the root server addresses are not glue records, so setting the TC bit in truncated responses from the root servers is not required by [RFC9471]. > > NEW: > Note that [RFC9471] updates [RFC1035] with respect to the use of the TC bit. It says "If message size constraints prevent the inclusion of all glue records for in-domain name servers, the server must set the TC (Truncated) flag to inform the client that the response is incomplete and that the client should use another transport to retrieve the full response." Because the priming response is not a referral, root server addresses in the priming response are not considered glue records. Thus, [RFC9471] does not apply to the priming response and root servers are not required to set the TC bit if not all root server addresses fit within message size constraints. There are no requirements on the number of root server addresses that a root server must include in a priming response. > > Willem's email to the list which suggests changes to section 3.3 to better explain what is signed when; the chairs feel that these changes should be incorporated into the draft as well https://mailarchive.ietf.org/arch/msg/dnsop/D2Ha-Hk2lpvvkcXx7k4RILpgaPQ/ [mailarchive.ietf.org] > The addition of a reference to RSSAC 0028 (https://www.icann.org/en/system/files/files/rssac-028-03aug17-en.pdf, “Technical Analysis of the Naming Scheme Used For Individual Root Servers,” as an informative reference; it discusses the rationale for not signing root-servers.net [root-servers.net] > > > We liked to hear from the WG on this by Friday June 14, 2024. > > Thanks > tim, et al
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Paul Hoffman
- [DNSOP]Requesting final comments on draft-ietf-dn… Tim Wicinski
- [DNSOP]Re: [Ext] Requesting final comments on dra… Paul Hoffman
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… A. Schulze
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… Tim Wicinski
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… jabley
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… jabley
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… Willem Toorop
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… Willem Toorop
- [DNSOP] To sign root-servers.net or not? Geoff Huston
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Paul Hoffman
- [DNSOP] Re: [Ext] To sign root-servers.net or not? Paul Hoffman
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Tim Wicinski
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Joe Abley
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Tim Wicinski
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Joe Abley
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Tim Wicinski
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Paul Hoffman
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Joe Abley
- [DNSOP] Re: [Ext] To sign root-servers.net or not? Geoff Huston
- [DNSOP] Re: [Ext] To sign root-servers.net or not? Tim Wicinski
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Tim Wicinski