[DNSOP] Re: Andy Newton's Discuss on draft-ietf-dnsop-cds-consistency-09: (with DISCUSS and COMMENT)
Andy Newton <andy@hxr.us> Wed, 19 November 2025 15:22 UTC
Return-Path: <andy@hxr.us>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CCFF28C7C590 for <dnsop@mail2.ietf.org>; Wed, 19 Nov 2025 07:22:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=hxr-us.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gK5PONULUnr2 for <dnsop@mail2.ietf.org>; Wed, 19 Nov 2025 07:22:54 -0800 (PST)
Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 40C768C7C44A for <dnsop@ietf.org>; Wed, 19 Nov 2025 07:22:02 -0800 (PST)
Received: by mail-qv1-xf34.google.com with SMTP id 6a1803df08f44-88059c28da1so69750526d6.2 for <dnsop@ietf.org>; Wed, 19 Nov 2025 07:22:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hxr-us.20230601.gappssmtp.com; s=20230601; t=1763565716; x=1764170516; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=APW1f0AFSy4KftXLH2WRjEh/KulCn5XdCaqrKpm1aRc=; b=ka+UjFna7doOkoZoiy7TeYlafReMy9JAmv4FQdVSnW7ESJLGWYlsnhsA0WtX6Fh2xR rR9zUcBJ6yuE8UtTXW2HYICpcZHmkdKiN44xipCHlAJ8gZehXMRIiM3eqepaBdi4M0Gb UYad50nBee9bclUZivlwJYLxdfXuOMJeWK2K2dm0tEXPmISEV7A5OzdTPfav6RLKQEnw 6NKY5uOywds+8X7LzvXnTrPQGGl5mpVZ9mj/VgfybdjouARF1UDFOZez4+zryEyTGxHO hsAK+5Zqsl6Cd8TyetbGRZ7laUhTFDBpmn0oykGY99RoG3Oe61zjaq9/2yOmMTzOsU2u xY6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763565716; x=1764170516; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=APW1f0AFSy4KftXLH2WRjEh/KulCn5XdCaqrKpm1aRc=; b=QnZQQoIdzGxRkm8wAR5NohFnGEjJ/7Qz2UrJzuii3at7Q/Y4Jmty2yDgOvV3Yys8Fk UD46fe75UTxuX0X+QUJ+Qc67hbTg/6osbGzNMO2rgDOWxywaj72Nk8xVl4+9W/Wd9UyZ Qzh7+kOPLq/+L4XHfsNhoproRjAPj8CwjtFm96Epqaz2qB95j9e1AKK7xOzYVygfNMhq fjOse+0er8EY7f4cQe/CRHFMygsq27dCWUJJ+m5CSrpgT/Bxc/O+D7asWhcy5K4Dpx7Q yR6/esW6gY1zd+d5ESCrUC23899RX5QHkRtp+ecGrJQqHIE80oPUigsnNd0F1KYHzZmm ZFOA==
X-Forwarded-Encrypted: i=1; AJvYcCVnzcks9JKEaAWUjnGikmDpPu2Wx4tO1FF4XMFD1U5hicOfujKpKprMbHz8u/JK0uuOt7gM0A==@ietf.org
X-Gm-Message-State: AOJu0YyNtt1ScsHo/eSDY/Ob3WQicdPqdQzt9b817eNtSMwVLFkhOwje VNi1P8/Gjwso0ZTDtrlKZviQNZ/xS8p79ar8C3k5enZJ4TsjpAl9rDzCZPKpf4A6RmpIl33sjPP NPEy9occBVg==
X-Gm-Gg: ASbGnctw68MwhXH0fzL7SMhCMtUkIMaRmagenPVQdfrbJyYP1rGUHl9YayLfeOrtcim y+O2g4X4LFGiw33I4ZlVaxuy0fnPzZI/ndBP8Ocx0ZDUWbSMDpoSpYh6i/iuCiUVmce+wnkweQs UK1xwhRvcn7kQ0EcZJ1LTn1fnJfZmxlmCx6t21g3HyWd1Sb51DINdPNddxiaVXDISlb8UI0Do1F ebBBF538QQx9r1+hbvbQRHgzqRbjFDZSEvJNNpTqIYEFxl9rG+v1zk74pFxt10jiXicxgQX9v/i ckhoWJ7+OtvlU1Yhu8sMvoQOWduAl0WGpnOd01alNrgCIKQ89xSAXPbD+4I9EucrtpawYoHjmQb yaJGzdSo10vfFVfNP3kRTGB5lLO0Atfe/PKbvG6k5udE6dsI4AivscmLOZYHmcaDIeG/SEJ7XJF C0l0I1RcXEVv5I0TG1v33CVbPIf7STioJmGhBfksHMOLEr
X-Google-Smtp-Source: AGHT+IF/mIl+tdhLAgdQ9Ogo3Jiyvt17KLE6uIbA75mmXEU8k5BfTQmesYFXA+9iJ6/VxuUeEcdZsA==
X-Received: by 2002:a05:6214:226f:b0:882:8746:b047 with SMTP id 6a1803df08f44-88292594583mr238787356d6.10.1763565715990; Wed, 19 Nov 2025 07:21:55 -0800 (PST)
Received: from [10.47.61.124] (47-236.dc.icann.org. [192.0.47.236]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8828613962esm136856516d6.0.2025.11.19.07.21.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 19 Nov 2025 07:21:55 -0800 (PST)
Message-ID: <55f7e055-9a50-4734-ab3d-e711260cb9eb@hxr.us>
Date: Wed, 19 Nov 2025 10:21:54 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Peter Thomassen <peter@desec.io>, The IESG <iesg@ietf.org>
References: <176349738066.1121286.17839241354136322982@dt-datatracker-5bd94c585b-wk4l4> <5f811ad7-e688-434c-93ff-2c69966c6053@desec.io>
Content-Language: en-US
From: Andy Newton <andy@hxr.us>
In-Reply-To: <5f811ad7-e688-434c-93ff-2c69966c6053@desec.io>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 7UNX66AIHUSHB4GHGKNLPTLJRXMZJLSK
X-Message-ID-Hash: 7UNX66AIHUSHB4GHGKNLPTLJRXMZJLSK
X-MailFrom: andy@hxr.us
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-cds-consistency@ietf.org, ondrej@sury.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Andy Newton's Discuss on draft-ietf-dnsop-cds-consistency-09: (with DISCUSS and COMMENT)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Jva38U4Pj0FeNkL6mFOqbs58v9s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
On 19-11-2025 9:17 AM, Peter Thomassen wrote: > In telechat preparation, the side-by-side diff from -09 is here: https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-dnsop-cds-consistency-09&url_2=https://peterthomassen.github.io/draft-ietf-dnsop-cds-consistency/draft-ietf-dnsop-cds-consistency-10.txt > > > Hi Andy, > > Thank you very much for your review, and discuss points! Please see below. > > On 11/18/25 21:23, Andy Newton via Datatracker wrote: >> Andy Newton has entered the following ballot position for >> draft-ietf-dnsop-cds-consistency-09: Discuss > [...]> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- > [...]> ### BCP 14 Language >> >> See the [IESG statement on BCP14 >> language](https://datatracker.ietf.org/doc/statement-iesg-statement-on-clarifying-the-use-of-bcp-14-key-words/). >> >> Would these RECOMMENDS be better with explanations? Or if there is no further >> advice to give, would making these non-normative be a good solution? >> >> 204 .. A configurable retry schedule with >> 205 exponential back-off is RECOMMENDED (e.g., after 5, 10, 20, 40, ... >> 206 minutes). ... >> >> 218 ... A >> 219 schedule with exponential back-off is RECOMMENDED. > > My impression is that this recommendation has (obvious) technical merit. Not following it typically will not be technically justified; rather, implementing a back-off scheme requires introducing state, which may cost a few days of work (depending on a system's architecture), and thus is a cost. In other words, I think that a the main reason to not follow this will be a business consideration. > > OTOH, I think we can hardly write "... is RECOMMENDED unless your boss thinks it's too expensive." > OTOH, I have a hard time seeing how the situation is improved by getting rid of the RECOMMENDation. > > So, I'm at a loss here, and will be happy to follow any guidance. My personal view though it that it's OK as is. Is a retry policy fundamental to this specification? And if so, is exponential back-off the only type of retry policy that works? Neither is obvious to me. If you want to leave it as RECOMMENDED, then there should be an explanation about what happens if no retry policy or a different retry policy is implemented. This is just my opinion, but maybe some language such as: A configurable retry schedule is RECOMMENDED to increase the likelihood of collecting data from all nameservers. An exponential back-off schedule provides the balance between faster task completion while accommodating less transient operational problems. > >> In this case, what happens if queries are not continued? Is this a lowercase >> "may" or should an explanation be provided about what happens if an >> implementation does not follow the advice. >> >> 225 in which case nothing needs to happen. Queries MAY be continued >> 226 across all nameservers for reporting purposes. > > You are correct, this is better lowercased. I've made the change locally, for upload after the telechat. +1 > >> In the paragraph below, "(reachable) nameservers" in a MUST sentence appears to >> be softening the requirement to the level of RECOMMENDED. If there is a firm >> requirement that nameservers be reachable, then that should be stated clearly. >> "(reachable)" is again used on lines 244, 268, and 283. >> >> 234 To retrieve a Child's CDS/CDNSKEY RRset for DNSSEC delegation trust >> 235 maintenance, the Parental Agent, knowing both the Child zone name and >> 236 its NS hostnames, MUST ascertain that queries are made against all >> 237 (reachable) nameservers listed in the Child's delegation from the >> 238 Parent, and ensure that each key referenced in any of the received >> 239 answers is also referenced in all other received responses, or that >> 240 responses consistently indicate a request for removal of the entire >> 241 DS RRset ([RFC8078], Section 6). >> >> I see that the paragraph at line 201 discusses reachability, but IMO it is >> still not clear that an implementation MUST accomodate for it as consideration >> of reachability is a SHOULD: >> >> 201 When a response cannot be obtained from a given nameserver, the >> 202 Parental Agent SHOULD attempt to obtain it at a later time, before >> 203 concluding that the nameserver is permanently unreachable and >> 204 removing it from consideration. ... >> >> If reachability is implementation dependent, should that not be stated? > > Yes and no. Queries are actually made against all nameservers, also the unreachable ones, because that's how you learn about reachability in the first place. This is what you MUST do. The SHOULD is about attempting retries, not about the requirement to query all servers. > > The "(reachable)" was intended to improve readability, as one might wonder "why does it say all? Didn't it say elsewhere one can ignore unreachable servers?". But indeed, it is imprecise. > > I now realized that the notion that unreachable servers don't matter is already captured by the text, as the consistency requirement is specified across "received responses" only. It's thus fine to remove the "(reachable)" from the sentences about CDS/CDNSKEY/CSYNC queries. > > I've made the corresponding changes, and also the following related fix (for upload after the telechat): > > OLD > Further, when retrieving the data record sets as indicated in the > CSYNC record (such as NS or A/AAAA records), the Parental Agent MUST > ascertain that all queries are made against all (reachable) > nameservers listed in the delegation, and ensure that all return > responses with equal rdata sets (including all empty). > > NEW > Further, when retrieving the data record sets as indicated in the > CSYNC record (such as NS or A/AAAA records), the Parental Agent MUST > ascertain that all queries are made against all nameservers from > which a CSYNC record was received, and ensure that all return > responses with equal rdata sets (including all empty). +1 > >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> ## Comments >> >> ## Nits >> >> ### Network Vantage Point >> >> Maybe this is minor, but "network vantage point" is more specificly descriptive. >> >> 206 ... To sidestep localized routing issues, the Parental Agent >> 207 MAY also attempt contacting the nameserver from another vantage >> 208 point. > > Good point; I've made the change locally, for upload after the telechat. > +1 -andy, ART AD
- [DNSOP] Andy Newton's Discuss on draft-ietf-dnsop… Andy Newton via Datatracker
- [DNSOP] Re: Andy Newton's Discuss on draft-ietf-d… Peter Thomassen
- [DNSOP] Re: Andy Newton's Discuss on draft-ietf-d… Andy Newton
- [DNSOP] Re: Andy Newton's Discuss on draft-ietf-d… Peter Thomassen
- [DNSOP] Re: Andy Newton's Discuss on draft-ietf-d… Andy Newton