IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-02.txt

神明達哉 <jinmei@wide.ad.jp> Fri, 19 August 2016 18:38 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D98F912DA2B for <dnsop@ietfa.amsl.com>; Fri, 19 Aug 2016 11:38:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4FWxBg4r225 for <dnsop@ietfa.amsl.com>; Fri, 19 Aug 2016 11:38:17 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6D0512D5AA for <dnsop@ietf.org>; Fri, 19 Aug 2016 11:38:16 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id f6so32409464ith.0 for <dnsop@ietf.org>; Fri, 19 Aug 2016 11:38:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=uuoSiDQwahLuZ+wFnQP+i5/JTRSXaTzf2fCAqvlKOvY=; b=amIhtfbQj4OFhynB2k6AweSY3VKCxMR5b/XOxqAs/Np+WcHp9SOsMLR/LqN6awaraf ngfPIyr9Bd0o7X2GVHx4Vek6Rehsdi/bUhoSxPVKhi6oGrw/5udLg7E4eCMCGrvuNH7I 0RXKSRSK/KeoMJo8XdSk+VF+BQM3lyj9s0stQlIGFPw83xuoa/j+q3BJPiw54g4MPKT9 p34i0Vrni4fV0Fz9ywuKDP7eqOy3EGZft4pTIG1TrUHJaY72T9bFHI9D2RDtso2tjlDP y5YvHUo8+kzaU1/cWRcgnNIM0q5RClutlXPsGzvvLPWXAAWZQUL2uP3FL5Fa8OYW9cyE PWZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=uuoSiDQwahLuZ+wFnQP+i5/JTRSXaTzf2fCAqvlKOvY=; b=H5VPjPNolIQf0ocOdg9TxAYGwcSkQFZC3hWw0zH4uTVt14S1NnaFwGp5HfHLHDHCLd S6DwuhYWtwE8MSFi06UMql2el9nE9g1wLixzDF8OTwXY0fszZhzil3ZjahMi0iJyYxng BriOJJns7DcBMDc4HKapLBDsiTVQP1Evx9ZoBZWRVqBueIXN0MTJl6RrHzaPq0OO9Ex9 I3BhVfxH11I6thsg+qCPTX7mg6JOODZG425FPNjlaXZjOKQ2TS/BQV31ImwwbgqrSaI6 RIHWdtw5cQAtr3STUEmROnIeM+l/OTvbDOtAFBxyrGdSZrwOhnmlLkWTTEGvhVzG0uxb UULw==
X-Gm-Message-State: AEkoouvDNRlT/dORztX4jdt5ZCMknmk5RLe65L5LQn+hvNLd0TW6e2EXDMyEHtmeQMX8hQMljo9aVKDONegyOQ==
X-Received: by 10.36.212.6 with SMTP id x6mr7560461itg.71.1471631896180; Fri, 19 Aug 2016 11:38:16 -0700 (PDT)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.64.144.65 with HTTP; Fri, 19 Aug 2016 11:38:15 -0700 (PDT)
In-Reply-To: <9E342C42-7649-4776-BA22-DF9F5A84654A@vpnc.org>
References: <20160708223044.32131.72663.idtracker@ietfa.amsl.com> <8FD4B2FF-9E51-4FF3-829A-1D4D7CFAB19E@vpnc.org> <9E342C42-7649-4776-BA22-DF9F5A84654A@vpnc.org>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Fri, 19 Aug 2016 11:38:15 -0700
X-Google-Sender-Auth: MFLDrwWghPszPRRU97bGKJfrIyU
Message-ID: <CAJE_bqfxADtCgk9nMBXGH5B_PxQDxdLQJN3hKUz-p+7A+GSiBQ@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OgqBrHtGyPExKMES_hj2A9ls_zk>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-key-tag-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2016 18:38:19 -0000

At Wed, 10 Aug 2016 16:54:39 -0700,
"Paul Hoffman" <paul.hoffman@vpnc.org> wrote:

> [[ A month later, we're still eager to hear responses to the draft. We
> got a few that we have incorporated for a new version, but want to be
> sure we're on the right track before we move ahead. ]]

> > We understand that "specify more than one" is often an unpopular
> > choice in the IETF, about as unpopular as "don't get consensus on
> > one". This is a WG document so we need consensus even to go with two
> > ways. We look forward to hearing from you about this choice and how we
> > can move forwards.

On this specific point I don't have a strong opinion.  Personally, I
can live with the two-solution approach if it's deemed to be nearly
impossible to reach consensus on a single solution.  While I'd
definitely prefer a single solution, the current draft seems to
provide a reasonable explanation on why we have two at least for now.

Some specific comments on the 02 version follows:

- Section 1.1 (or for general discussion): another obvious downside of
  the QNAME-based approach is that it can't be used for all possible
  zone names because of the size limitation (255 octets) while adding
  extra label.  In practice, this is less likely to be a real issue
  since trust anchors would only be configured a higher level zones.
  But I think it's worth mentioning explicitly.

- Section 4.3

   A responder MUST NOT include the edns-key-tag option in any DNS
   response.

  I wonder whether it might be useful for a responder to signal its
  capability of understanding the option, either by including this
  option in the response or in some other way.  Then the resolver may
  use that information to suppress further unnecessary generation and
  inclusion of the key-tag option.  Not a strong opinion, but raising
  it just in case it's worth considering.

- Section 5.3

   Unless the zone operator has intentionally added
   "_ta-xxxx" records to the zone, the server MUST generate an NXDOMAIN
   response.

  Perhaps a pedantic comment, but I suspect this is not 100% accurate
  in that it could legitimately result in other response than
  NXDOMAIN, e.g., if there's a wildcard that would match the
  "_ta_xxxx" name even if (a record of) that specific name itself
  isn't added to the zone.  On the other hand, ignoring this
  nitpicking this requirement seems to be too obvious; if a name
  really doesn't exist in the zone, the server MUST surely return an
  NXDOMAIN, but it's not specific to this protocol, right?  So, in the
  end, I'd primarily suggest just removing this sentence.  Then we
  don't have to worry about making it very accurate, while IMO not
  leaving any obscure points.

- Section 5.3.1

   Aggressive NSEC/NSEC3 negative caching [draft-fujiwara-dnsop-nsec-
   aggressiveuse] may also affect the quality of key tag signaling.

  (nit) nsec-aggressiveuse is now a dnsop wg document.

- Section 5.3.1

   When the response code for a key tag query is NXDOMAIN, DNS resolvers
   that implement aggressive negative caching will send fewer key tag
   queries than resolvers that do not implement it.

  In the context of the interaction with nsec-aggressiveuse, I think
  this should be more generalized than the response to a key tag query
  itself, e.g.:

   When a query results in an NXDOMAIN response with NSEC or NSEC3
   that covers the name of a key tag query, DNS resolvers that
   implement aggressive negative caching will send fewer key tag
   queries than resolvers that do not implement it.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email