[DNSOP] Alvaro Retana's No Objection on draft-ietf-dnsop-nsec3-guidance-08: (with COMMENT)
Alvaro Retana via Datatracker <noreply@ietf.org> Tue, 10 May 2022 15:37 UTC
From: Alvaro Retana via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-nsec3-guidance@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com, tjw.ietf@gmail.com
Reply-To: Alvaro Retana <aretana.ietf@gmail.com>
Date: Tue, 10 May 2022 08:37:40 -0700
Alvaro Retana has entered the following ballot position for
draft-ietf-dnsop-nsec3-guidance-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec3-guidance/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Should this document formally Update RFC5155?

Besides providing "guidance on setting NSEC3 parameters", there is also
Normative language that seems similar to what is in rfc5155, but not the
same. For example:

In §3.2 this document says:

   Validating resolvers MAY return an insecure response to their clients
   when processing NSEC3 records with iterations larger than 0. Note
   also that a validating resolver returning an insecure response MUST
   still validate the signature over the NSEC3 record to ensure the
   iteration count was not altered since record publication (see
   [RFC5155] section 10.3).

I couldn't find text in rfc5155 about how returning insecure responses is
optional, but I did find this in §10.3 that seems related to the
validation requirement:

   A resolver MAY treat a response with a higher value as insecure,
   after the validator has verified that the signature over the NSEC3 RR
   is correct.

Reading further, §3.2 does say that "this specification updates
[RFC5155]", but there's no indication in the header or anywhere else.
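The two requirements quoted in the ballot (a validator may downgrade to insecure on a high iteration count, but only after the RRSIG over the NSEC3 RR has verified) are illustrated below in an added example that is not part of the ballot, the draft or any resolver's code. It parses NSEC3 RDATA in the RFC 5155 section 3.2 wire layout, computes the iterated hash of section 5 so the cost of each iteration is visible, and applies the ordering rule; the RRSIG result is assumed to come from the caller's DNSSEC validator and is passed in as a boolean, and the sample RDATA is constructed.

```python
import hashlib
import struct
from dataclasses import dataclass

@dataclass
class Nsec3Rdata:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes
    next_hashed: bytes

# Constructed sample: SHA-1 (alg 1), flags 0, 100 iterations, salt deadbeef,
# a 20-byte next-hashed-owner field of zeros, empty type bitmap.
SAMPLE_RDATA = bytes.fromhex("0100006404deadbeef14") + b"\x00" * 20

def parse_nsec3_rdata(rdata: bytes) -> Nsec3Rdata:
    # Wire layout (RFC 5155 s3.2): alg(1) flags(1) iterations(2, network order)
    # saltlen(1) salt hashlen(1) next-hashed-owner type-bitmap
    if len(rdata) < 5:
        raise ValueError("NSEC3 RDATA too short")
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5 + salt_len
    if len(rdata) < pos + 1:
        raise ValueError("truncated salt or missing hash length")
    hash_len = rdata[pos]
    nxt = rdata[pos + 1:pos + 1 + hash_len]
    if len(nxt) != hash_len:
        raise ValueError("truncated next hashed owner name")
    return Nsec3Rdata(alg, flags, iterations, rdata[5:pos], nxt)  # bitmap ignored

def name_to_wire(name: str) -> bytes:
    # Canonical (lowercase) wire form of the owner name, which is what NSEC3 hashes.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def hash_round(prev: bytes, salt: bytes) -> bytes:
    return hashlib.sha1(prev + salt).digest()

def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5155 s5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).
    # Every extra iteration is one more SHA-1 for signer and validator alike.
    digest = hash_round(name_to_wire(name), salt)
    for _ in range(iterations):
        digest = hash_round(digest, salt)
    return digest

def nsec3_outcome(rdata: bytes, rrsig_valid: bool, max_iterations: int = 0) -> str:
    # rrsig_valid: assumed result of the RRSIG check over this NSEC3 RR. It is
    # consulted first, so only a signed, unaltered iteration count can trigger
    # the insecure downgrade (draft s3.2, RFC 5155 s10.3). Default limit 0 follows the draft.
    rec = parse_nsec3_rdata(rdata)
    if not rrsig_valid:
        return "bogus"
    if rec.iterations > max_iterations:
        return "insecure"
    return "continue"  # proceed with normal NSEC3 denial-of-existence processing
```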