Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

Matthijs Mekking <> Fri, 26 November 2021 08:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 79E7B3A0C2D for <>; Fri, 26 Nov 2021 00:43:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.748
X-Spam-Status: No, score=-3.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.852, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mCRCo5JWIHRs for <>; Fri, 26 Nov 2021 00:43:06 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6EE443A0C26 for <>; Fri, 26 Nov 2021 00:43:05 -0800 (PST)
Received: from cust-69fe625f ([IPv6:fc0c:c103:c4a6:cf3c:d2f9:56fe:3f93:cb0b]) by with ESMTPSA id qWoumBm4E1HGJqWowm4U8u; Fri, 26 Nov 2021 09:43:02 +0100
References: <> <> <> <>
From: Matthijs Mekking <>
Message-ID: <>
Date: Fri, 26 Nov 2021 09:43:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4xfAzm6W6ygqn4oR8uIXKxSLpZsGdUAOh5upUEOkOPUfG5Fc0otlBLSL3DemzL6s/vcmmCc1lT4FwcrvNjpk03Css3i2gnUCyVBtUqsnFu5fzXPe6LBwbS AJGEmPNxmhLGUX6gxqPzqYylpAJ9cv7w7SVf7MA2uFeaCr9td5CCncdY/ePXFBh5olO66wGyiQqL/RzeOJacrZs/rYg3YITHVL6pmKf9+kKbTwMvj/BvAOOa wQR76/aVN0aDvEfKXhplEwgS12kdp8AbFrNZqbnyHs4jLlvvbjeqtssM140jzYcP
Archived-At: <>
Subject: Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Nov 2021 08:43:10 -0000

On 25-11-2021 13:00, Petr Špaček wrote:
> On 25. 11. 21 9:33, Matthijs Mekking wrote:

>> 3.2.  Recommendation for validating resolvers
>> I understand why the new text is here, but I think this now actually 
>> gives too little advice for operators and vendors.
>> I know, this is a vague comment, I need to think about it a bit more.
> Honestly I can't see anything more specific which will not get out of 
> date quickly.

Can we make use of the keyword MAY? This allows I think for text that 
will not get out of date:

    Validating resolvers MAY return an insecure response when processing
    NSEC3 records with iterations larger than 0. Validating resolvers MAY
    also return SERVFAIL when processing NSEC3 records with iterations
    larger than 0. This significantly decreases the requirements
    originally specified in Section 10.3 of [RFC5155]. See the Security
    Considerations for arguments on how to handle responses with non-zero
    iteration count.

Having text that says "MAY do this at value X" is more quantifiable and 
IMO a stronger signal that zone publishers really should not use value X.

Best regards,