[DNSOP] Alvaro Retana's No Objection on draft-ietf-dnsop-nsec3-guidance-08: (with COMMENT)

Alvaro Retana via Datatracker <noreply@ietf.org> Tue, 10 May 2022 15:37 UTC

To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-nsec3-guidance@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/R5H2wF1h03YogKnhfBiAcMwMhUo>

Alvaro Retana has entered the following ballot position for
draft-ietf-dnsop-nsec3-guidance-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec3-guidance/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Should this document formally update RFC 5155?  Besides providing "guidance on
setting NSEC3 parameters", there is also normative language that seems similar
to what is in RFC 5155, but not the same.  For example:

In §3.2 this document says:

   Validating resolvers MAY return an insecure response to their clients
   when processing NSEC3 records with iterations larger than 0.  Note
   also that a validating resolver returning an insecure response MUST
   still validate the signature over the NSEC3 record to ensure the
   iteration count was not altered since record publication (see
   [RFC5155] section 10.3).

I couldn't find text in RFC 5155 about how returning insecure responses is
optional, but I did find this in §10.3 that seems related to the validation
requirement:

   A resolver MAY treat a response with a higher value as insecure,
   after the validator has verified that the signature over the NSEC3
   RR is correct.

Reading further, §3.2 does say that "this specification updates [RFC5155]", but
there's no indication in the header or anywhere else.
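
The §3.2 text quoted in the comment describes a resolver-side check. As an added example (not code from the draft, from RFC 5155 or from this ballot), the Python below implements the NSEC3 hash of RFC 5155 §5 so the per-iteration cost is visible, and a small policy function that applies the ordering the comment quotes: verify the RRSIG over the NSEC3 RR first, and only then treat an over-limit iteration count as insecure rather than bogus. The `nsec3_validation_state` function, its `max_iterations` default of 0 and the sample NSEC3PARAM records are this example's own assumptions; the single test vector is the one published in RFC 5155 Appendix A.

```python
"""Added example: NSEC3 hashing (RFC 5155 §5) and the resolver-side iteration
policy quoted in the ballot comment (draft §3.2 / RFC 5155 §10.3).
The policy function and the sample records are this example's own."""
import hashlib
from typing import Tuple

_B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 §7 alphabet, as used by RFC 5155


def base32hex(data: bytes) -> str:
    """Unpadded, lower-case base32hex (how NSEC3 owner names are presented)."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(_B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 §6.2): lower-cased,
    length-prefixed labels terminated by the root label."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, hash_alg: int = 1) -> str:
    """RFC 5155 §5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).
    `iterations` is the number of extra rounds, so every name costs
    iterations + 1 SHA-1 calls, for the validating resolver as much as the signer."""
    if hash_alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)  # "-" = empty salt
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def parse_nsec3param(rr: str) -> Tuple[int, int, int, str]:
    """Presentation-format NSEC3PARAM RR -> (hash_alg, flags, iterations, salt_hex)."""
    fields = rr.split()
    idx = fields.index("NSEC3PARAM")
    alg, flags, iters, salt = fields[idx + 1:idx + 5]
    return int(alg), int(flags), int(iters), salt


BOGUS, INSECURE, SECURE = "bogus", "insecure", "secure"


def nsec3_validation_state(rrsig_valid: bool, iterations: int, max_iterations: int = 0) -> str:
    """Order matters: the RRSIG over the NSEC3 RR must verify before the iteration
    count is trusted (RFC 5155 §10.3). Only then may an over-limit count downgrade
    the answer to insecure. max_iterations=0 mirrors the draft's §3.2 text and is
    an assumption of this example, not a mandated default."""
    if not rrsig_valid:
        return BOGUS      # an unsigned/forged count could otherwise force a downgrade
    if iterations > max_iterations:
        return INSECURE   # refuse the hashing cost; hand back an unvalidated answer
    return SECURE         # proceed with the normal NSEC3 non-existence proof


# Published test vector, RFC 5155 Appendix A: zone "example", salt aabbccdd, 12 iterations.
RFC5155_APPENDIX_A = ("example.", "aabbccdd", 12, "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom")


def matches_rfc5155_example() -> bool:
    name, salt, iters, expected = RFC5155_APPENDIX_A
    return nsec3_hash(name, salt, iters) == expected


if __name__ == "__main__":
    # Constructed NSEC3PARAM records: the RFC 5155 example parameters next to
    # the draft's recommendation of zero iterations and an empty salt.
    for rr in ("example. 3600 IN NSEC3PARAM 1 0 12 aabbccdd",
               "example. 3600 IN NSEC3PARAM 1 0 0 -"):
        alg, flags, iters, salt = parse_nsec3param(rr)
        print(rr)
        print("  H(example.) =", nsec3_hash("example.", salt, iters, alg),
              "| valid RRSIG:", nsec3_validation_state(True, iters),
              "| bad RRSIG:", nsec3_validation_state(False, iters))
    print("RFC 5155 Appendix A vector matches:", matches_rfc5155_example())
```

Running the script shows the same owner name hashing to two different values under the two parameter sets, and that with the draft's policy the 12-iteration zone is answered as insecure while a bad signature over the NSEC3 RR is always bogus, regardless of the count it carries.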