Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl-03.txt

Peter van Dijk <peter.van.dijk@powerdns.com> Tue, 09 February 2021 21:06 UTC

Message-ID: <d3fcfb5ff33d8c093e7073b1b5b44162b955677b.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Tue, 09 Feb 2021 22:06:31 +0100
In-Reply-To: <161290187813.15742.11466954240139771085@ietfa.amsl.com>
References: <161290187813.15742.11466954240139771085@ietfa.amsl.com>
Organization: PowerDNS.COM B.V.
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Rfnf4B3FGxJucrH7bYVogTNOj9Y>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

Hello dnsop,

thank you to all who responded in the WGLC thread. After the discussion
I felt I had nothing to ask or add, so instead, here is a draft
revision that I feel addresses everything that was said.

(Matthijs, this revision changes the requirements back to MUST as that
feels like it more closely matches the majority opinion voiced, but I
added a section allowing for the incremental signer situation - please
let me know if this is workable for you.)

My understanding of the discussion is that the document failed to
address assorted vagueness, the separation between developer and
operator concerns, and the role differences between signers,
authoritatives and resolvers/validators in the original documents.
Paul Hoffman provided a bunch of text clarifying 'what goes where' so
that this document can improve that situation, thanks Paul!

Changes in this version, as listed in the Document History section:

* document now updates resolver behaviour in 8198
* lots of extra text to clarify what behaviour goes where (thanks Paul
Hoffman)
* replace 'any' with 'each' (thanks Duane)
* upgraded requirement level to MUST, plus a note on incremental
signers

Your comments are, again, very much welcome.

On Tue, 2021-02-09 at 12:17 -0800, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
> 
>         Title           : NSEC and NSEC3 TTLs and NSEC Aggressive Use
>         Author          : Peter van Dijk
>         Filename        : draft-ietf-dnsop-nsec-ttl-03.txt
>         Pages           : 9
>         Date            : 2021-02-09
> 
> Abstract:
>    Due to a combination of unfortunate wording in earlier documents,
>    aggressive use of NSEC and NSEC3 records may deny names far beyond
>    the intended lifetime of a denial.  This document changes the
>    definition of the NSEC and NSEC3 TTL to correct that situation.  This
>    document updates RFC 4034, RFC 4035, RFC 5155, and RFC 8198.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-ttl/
> 
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-nsec-ttl-03.html
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-nsec-ttl-03
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
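The problem the quoted abstract describes, as an added illustration that is not part of Peter's mail and not text from the draft (the draft itself is not reproduced on this page): a resolver doing RFC 8198 aggressive use synthesizes a denial for every name that falls in the gap between an NSEC owner and its next name, and how long that denial lives depends on which TTL the resolver trusts. In the constructed zone below the NSEC TTL follows RFC 4034 (equal to the SOA MINIMUM) while the operator set a much lower TTL on the SOA itself; RFC 2308 would give an ordinary NXDOMAIN the lesser of the two. The `Soa`/`Nsec` classes, the sample names and the "capped" rule (never exceed the RFC 2308 negative TTL) are this example's own reading of the issue, so the normative wording has to be checked against the draft.

```python
"""Aggressive NSEC use (RFC 8198) and the NSEC TTL problem.

Added example, not code from the mail or from the draft. The sample zone
data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Soa:
    """The two SOA values that RFC 2308 uses for negative caching."""
    ttl: int      # TTL of the SOA RR itself
    minimum: int  # MINIMUM field inside the SOA RDATA


@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    ttl: int      # RFC 4034: SHOULD equal the SOA MINIMUM


def _canonical_labels(name: str) -> List[bytes]:
    """Labels of a name, lowercased, most significant (rightmost) first."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 section 6.1 canonical name ordering: -1, 0 or 1."""
    la, lb = _canonical_labels(a), _canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            # bytes compare octet by octet; a shorter prefix sorts first,
            # matching "absence of an octet sorts before a zero octet"
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(nsec: Nsec, qname: str) -> bool:
    """True if qname lies strictly inside the gap this NSEC proves empty."""
    if canonical_cmp(nsec.next_name, nsec.owner) <= 0:
        # Last NSEC of the chain: next name wraps to the apex, gap is open-ended.
        return canonical_cmp(qname, nsec.owner) > 0
    return canonical_cmp(nsec.owner, qname) < 0 < canonical_cmp(nsec.next_name, qname)


def rfc2308_negative_ttl(soa: Soa) -> int:
    """Negative-cache TTL a classic (non-aggressive) resolver would use."""
    return min(soa.ttl, soa.minimum)


def synthesized_denial_ttl(nsec: Nsec, soa: Soa, capped: bool) -> int:
    """TTL for a denial synthesized from this NSEC.

    capped=False: take the NSEC TTL at face value (the behaviour the
    abstract warns about). capped=True: never exceed what RFC 2308 gives
    an ordinary NXDOMAIN from this zone (this example's reading of the fix).
    """
    if not capped:
        return nsec.ttl
    return min(nsec.ttl, rfc2308_negative_ttl(soa))


# Constructed sample zone: the operator chose a short SOA TTL, the signer
# set the NSEC TTL from the SOA MINIMUM as RFC 4034 recommends.
SAMPLE_SOA = Soa(ttl=300, minimum=86400)
SAMPLE_NSEC = Nsec(owner="alpha.example.", next_name="charlie.example.", ttl=86400)
SAMPLE_LAST_NSEC = Nsec(owner="zulu.example.", next_name="example.", ttl=86400)


def denial_for(qname: str, nsec: Nsec = SAMPLE_NSEC,
               soa: Soa = SAMPLE_SOA) -> Tuple[bool, int, int]:
    """Return (covered, ttl_at_face_value, ttl_capped) for one query name."""
    covered = nsec_covers(nsec, qname)
    return (covered,
            synthesized_denial_ttl(nsec, soa, capped=False),
            synthesized_denial_ttl(nsec, soa, capped=True))


if __name__ == "__main__":
    for q in ("bravo.example.", "Bravo.EXAMPLE", "a.alpha.example.", "delta.example."):
        covered, face, capped = denial_for(q)
        print(f"{q:18} covered={covered!s:5} face-value TTL={face:6} capped TTL={capped}")
```

With the sample zone, a name like bravo.example. added by the operator would stay unresolvable for a full day at a resolver that trusts the NSEC TTL, against five minutes under the capped rule. The coverage check implements only the NSEC span test; a real RFC 8198 implementation also has to verify the closest-encloser and wildcard conditions before synthesizing an NXDOMAIN, and NSEC3 needs the same TTL treatment with hashed owner names.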