Re: [DNSOP] Working Group Last Call

Tim Wicinski <> Thu, 06 October 2016 06:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E35171200DF for <>; Wed, 5 Oct 2016 23:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OOIy4n29PbsB for <>; Wed, 5 Oct 2016 23:49:39 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4A06E1294C7 for <>; Wed, 5 Oct 2016 23:49:39 -0700 (PDT)
Received: by with SMTP id t7so8523581qkh.2 for <>; Wed, 05 Oct 2016 23:49:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=DfeWWbR5GVdrn62UIP65ApqGnJYYUAlfskzKdmZBUJU=; b=e8iaoPKbZGcrGsaiPYTCLSHl983DP9HrIJP7rgjJEF/nMtOA1F/g+DOlwE0RoZf/Xk QzQt01EtGxuU2z0tweeH/JAZp01fm1R0NvRGea1BgnoS+xzS3rdkl+eX49M5mtZ92nrg AFfa2OrN491odMUTAxAV/HcK+u5MkCfNg5fNlCBhZeY9Lif+LuBPqCBaI2KdPcnLQNTN bfj/t6q2cZLbfIwNf0hTheVAlEKVkUAKbMg1nvEm0IIWwJdEe9EpSnObKhvKWZzjtIzk FVxPdSu1j24umVP//tQJ5qqFeRFJQyNve/bz6ZxTgwuvaMx/fOo4dqexO8Q2L6NgXgh/ wILA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=DfeWWbR5GVdrn62UIP65ApqGnJYYUAlfskzKdmZBUJU=; b=R+oqlldhnwpptvSx07MqUj154ONFLNxdDKFAcCXpLMxytCUixD1CV/Vvmpm42EfQPf FwmPDfyxG+KGmFLMBdGCCromggMpIL56sHjk0EiNp3OhkrDFKukXaxVHAoQ6ZClAis7H Sd3XRalYEB1mbT77hWWTIx/xGDcuMuVD4i2ICKrcJT5pPyTYfu0cXWemzf8hBPek9Ger MqiJkhjd1/olZY9HlbIHe1OzQVbJOTIY+g/KcPrr/AtsHgyG7tBAH74nToClZd8QqDJN /XSWXC1ENXPBluxAKxxyr57h6vgRdj7BnaeqZ4cQNXVMSUt4QKVS2JoMQBMBN6ZyCbW0 f1ag==
X-Gm-Message-State: AA6/9RltzEJem+iuApHttdQx7jWVybZWWP8W01AO/UJwhe6DhhwU38c/7mYblMdq/095NQ==
X-Received: by with SMTP id q129mr13982540qkb.52.1475736578424; Wed, 05 Oct 2016 23:49:38 -0700 (PDT)
Received: from ([]) by with ESMTPSA id v10sm4750704qkg.20.2016. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 05 Oct 2016 23:49:37 -0700 (PDT)
To: 神明達哉 <>, Warren Kumari <>
References: <> <> <> <>
From: Tim Wicinski <>
Message-ID: <>
Date: Thu, 06 Oct 2016 02:49:34 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <>
Cc: dnsop <>
Subject: Re: [DNSOP] Working Group Last Call
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Oct 2016 06:49:42 -0000

On 10/5/16 2:30 PM, 神明達哉 wrote:
> At Tue, 4 Oct 2016 17:39:55 -0400,
> Warren Kumari <> wrote:
>>> - Section 3: this section also has an issue of "recursive resolver".
>>>   Although it may not be as critical as other part of the draft since
>>>   it's only used as an example scenario, it's probably better to not
>>>   limit the role of resolver to avoid misleading.  Maybe "recursive
>>>   resolver" is just changed to "validating resolver", and
>>>   "authoritative server" is changed to, e.g., "external servers"
>>>   (meaning either authoritative or or other recursive servers).
>> DONE.
>> I did some fix up - how do you like:
>> "If a validating resolver gets a query for, it will
>> query the servers and will get back an NSEC (or NSEC3)
>> record starting that there are no records between apple and elephant.
>> The resolver then knows that does not exist; however,
>> it does not use the fact that the proof covers a range (apple to
>> elephant) to suppress queries for other labels that fall within this
>> range. This means that if the validating resolver gets a query for
>> (or it will once again go off and
>> query the servers for these names."
>> Does that cover it sufficiently? (and I think I now better understand
>> your concern).
> To be perfectly generic, "it will query the servers" is
> not always the case.  It (= validating resolver) might query another
> intermediate resolver (often called a "forwarder") that performs
> recursion.  By "external server" I tried to generalize the concept.

Maybe this?

"If a validating resolver receives a query for, it 
contacts its resolver (which may be itself) to query the 
servers and will get back an NSEC (or NSEC3) record starting that there 
are no records between apple and elephant."

> I'm not sure how we address the subtlety without being overly
> verbose.  Perhaps we can note in the terminology section that this
> draft generally describes (validating) resolvers as those performing
> recursive resolution, but the proposal will also work for resolvers
> that rely on other recursive (or "full service" if you love to use
> this term) resolvers.  And then we can keep Section 3 as is (as of ver
> 02).

I'm now understanding the distinction you're trying to make.  I've spent 
some time staring at 7719 and 4035 with no better suggestion.

>> How is:
>> "Aggressive use of NSEC / NSEC3 resource records without DNSSEC
>> validation may create serious security issues, and so this technique
>> requires DNSSEC validation."? I don't love it, additional suggestions
>> or text welcomed.
> To me the main point isn't address with this text.  I might be able to
> offer alternative text, but can't we perhaps just remove these 2
> sentences?  In a sense these talk about the obvious, and in other
> sense it could be even harmful as it can be misleading.

I think you could drop the "Aggressive" and discussing NSEC/NSEC3 
records w/out validation.  4035 is pretty clear on that