Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt
Matthijs Mekking <matthijs@pletterpet.nl> Fri, 26 November 2021 08:43 UTC
To: dnsop@ietf.org
References: <163777315136.16773.10633006296842101587@ietfa.amsl.com> <yblh7c1fpwf.fsf@w7.hardakers.net> <914ced6b-52c7-9354-4b91-87f80cd26037@pletterpet.nl> <6153c0ed-523a-5225-40ac-5be9fd5e6ed5@isc.org>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <92dde682-7b1b-9fa3-f469-cb6623dc5ac4@pletterpet.nl>
Date: Fri, 26 Nov 2021 09:43:00 +0100
In-Reply-To: <6153c0ed-523a-5225-40ac-5be9fd5e6ed5@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QXPv9N26zU8wEPtFy5_ib5ZnhxU>
Subject: Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt
On 25-11-2021 13:00, Petr Špaček wrote:
> On 25. 11. 21 9:33, Matthijs Mekking wrote:
>> 3.2. Recommendation for validating resolvers
>>
>> I understand why the new text is here, but I think this now actually
>> gives too little advice for operators and vendors.
>>
>> I know, this is a vague comment, I need to think about it a bit more.
>
> Honestly I can't see anything more specific which will not get out of
> date quickly.

Can we make use of the keyword MAY? This allows I think for text that
will not get out of date:

   Validating resolvers MAY return an insecure response when processing
   NSEC3 records with iterations larger than 0.

   Validating resolvers MAY also return SERVFAIL when processing NSEC3
   records with iterations larger than 0.

   This significantly decreases the requirements originally specified in
   Section 10.3 of [RFC5155]. See the Security Considerations for
   arguments on how to handle responses with non-zero iteration count.

Having text that says "MAY do this at value X" is more quantifiable and
IMO a stronger signal that zone publishers really should not use value X.

Best regards,
   Matthijs
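The work a validator pays per NSEC3 iteration (RFC 5155 Section 5 hashing), together with a policy switch that mirrors the two proposed MAY clauses, as an added Python example; this is not code from the mail, the draft or any resolver, and the function names, the `limit`/`over_limit` knobs and the hypothetical `nsec3_policy` table are this example's own.

```python
# Added example, not code from the mail, the draft or any resolver:
# RFC 5155 Section 5 NSEC3 owner-name hashing and a constructed policy
# switch mirroring the proposed MAY clauses. Names are this example's own.
import base64
import hashlib

# Base32 with the "extended hex" alphabet (RFC 4648 Section 7), as NSEC3 uses.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (lowercase, length-prefixed labels,
    terminating root label), RFC 4034 Section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def b32hex_lower(data: bytes) -> str:
    """20-byte SHA-1 digest -> 32 base32hex characters, no padding."""
    return base64.b32encode(data).decode("ascii").translate(_TO_B32HEX).lower()

def nsec3_digest(name: str, salt: bytes, iterations: int) -> bytes:
    """IH(0) = H(owner || salt); IH(k) = H(IH(k-1) || salt); returns IH(iterations).
    Each extra iteration is one more SHA-1 the validator pays for every name it
    must hash while proving a denial, which is what the MAY clauses let it refuse."""
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations is a 16-bit field")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """Hashed owner label as it appears in the NSEC3 RR owner name."""
    return b32hex_lower(nsec3_digest(name, salt, iterations))

def nsec3_policy(iterations: int, limit: int = 0, over_limit: str = "insecure") -> str:
    """Constructed validator policy. At or below `limit` the NSEC3 is used for
    normal validation; above it the validator takes the configured shortcut:
    'insecure' (treat the response as unsigned) or 'servfail', the two
    behaviours the proposed text permits. limit=0 matches the proposal."""
    if over_limit not in ("insecure", "servfail"):
        raise ValueError("over_limit must be 'insecure' or 'servfail'")
    return "validate" if iterations <= limit else over_limit

if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone: salt aabbccdd, 12 iterations.
    salt = bytes.fromhex("aabbccdd")
    for name in ("example.", "a.example.", "ns1.example."):
        print(nsec3_hash(name, salt, 12), name, "->", nsec3_policy(12))
```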