Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-aggressiveuse-02.txt

Warren Kumari <warren@kumari.net> Tue, 13 September 2016 16:22 UTC

From: Warren Kumari <warren@kumari.net>
Date: Tue, 13 Sep 2016 12:03:55 -0400
Message-ID: <CAHw9_i+GyZQZ_E5AWpSs2+Mu-ytAe=hQVy57d-G84nxPgvJzkA@mail.gmail.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OfXR4kbhd9y-O1E34XPDx_yqVTA>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-aggressiveuse-02.txt

Hi all,

The authors have attempted to integrate / incorporate all comments received.

One of the main changes was suggested by Jinmei ("we might want to
follow the style of draft-ietf-dnsop-nxdomain-cut-04."), and resulted
in Section 6 - Benefits.

I'd really appreciate a review of this section, especially the last 2
paragraphs (starting with):
"[ Editor note: There has been some discussion on if this document
   should discuss this attack and mitigation.  The authors think that
   this is useful / important, but some participants feel that it
   oversells the DoS mitigation benefit.  Please let us know if the
   below is helpful.  Also, the below description is not as clear as it
   could be - it's been tricky to balance readability, correctness and
   conciseness.  Text gratefully accepted... ]"

W



On Tue, Sep 13, 2016 at 11:28 AM,  <internet-drafts@ietf.org> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations of the IETF.
>
>         Title           : Aggressive use of NSEC/NSEC3
>         Authors         : Kazunori Fujiwara
>                           Akira Kato
>                           Warren Kumari
>         Filename        : draft-ietf-dnsop-nsec-aggressiveuse-02.txt
>         Pages           : 13
>         Date            : 2016-09-13
>
> Abstract:
>    The DNS relies upon caching to scale; however, the cache lookup
>    generally requires an exact match.  This document specifies the use
>    of NSEC/NSEC3 resource records to generate negative answers within a
>    range.  This increases performance / decreases latency, decreases
>    resource utilization on both authoritative and recursive servers, and
>    also increases privacy.  It may also help increase resilience to
>    certain DoS attacks in some circumstances.
>
>    This document updates RFC4035 by allowing resolvers to generate
>    negative answers based upon NSEC/NSEC3 records.
>
>    [ Ed note: Text inside square brackets ([]) is additional background
>    information, answers to frequently asked questions, general musings,
>    etc.  They will be removed before publication. This document is being
>    collaborated on in Github at: https://github.com/wkumari/draft-ietf-
>    dnsop-nsec-aggressiveuse.  The most recent version of the document,
>    open issues, etc should all be available here.  The authors
>    (gratefully) accept pull requests.
>
>    Known / open issues [To be moved to Github issue tracker]:
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-aggressiveuse/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse-02
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-nsec-aggressiveuse-02
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
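The abstract quoted above describes resolvers generating negative answers from cached NSEC records that cover a range of names. The following is an added example, not code from the draft, its authors or any resolver, of the covering check a resolver would perform before synthesizing such an answer: the zone data, record contents and function names are constructed for illustration, and the ordering rule is RFC 4034 section 6.1.

```python
# Added example (not from the draft or the list post): decide from one cached
# NSEC record whether a query name is already proven nonexistent (NXDOMAIN),
# is an empty non-terminal (NODATA), or cannot be answered from that record.

def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical DNS name order: labels compared
    right to left, case-insensitively, as octet strings; a name whose labels
    are a prefix of another's sorts first. Names are assumed ASCII (wire form)."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def is_subdomain(name, ancestor):
    """True if name is at or below ancestor in the DNS tree."""
    n, a = canonical_key(name), canonical_key(ancestor)
    return n[:len(a)] == a


def synthesize_negative(nsec, qname):
    """nsec is (owner, next_name, types). Return "NXDOMAIN", "NODATA", or None
    when this record says nothing usable about qname."""
    owner, next_name, types = nsec
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o:
        return None  # the owner itself exists; no proof of absence here
    # An NSEC at a delegation point (NS but no SOA) proves nothing about names
    # below the zone cut: those belong to the child zone.
    if "NS" in types and "SOA" not in types and is_subdomain(qname, owner):
        return None
    if o < n:
        covered = o < q < n
    else:
        covered = q > o  # last NSEC in the zone: next_name wraps back to the apex
    if not covered:
        return None
    # If next_name hangs below qname, qname is an empty non-terminal: it exists
    # but has no RRsets, so the right synthesized answer is NODATA, not NXDOMAIN.
    if is_subdomain(next_name, qname):
        return "NODATA"
    return "NXDOMAIN"


# Constructed sample cache (not real data): two NSEC records from zone "example."
CACHED_NSEC = [
    ("example.", "b.a.example.", {"SOA", "NS", "NSEC", "RRSIG"}),
    ("sub.example.", "example.", {"NS", "NSEC", "RRSIG"}),  # delegation; wraps
]


def lookup(qname, cache=CACHED_NSEC):
    """Return the first negative answer synthesizable for qname, or None."""
    return next((a for a in (synthesize_negative(r, qname) for r in cache) if a), None)
```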