IETF Logo Mail Archive

Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)

Peter van Dijk <peter.van.dijk@powerdns.com> Wed, 19 May 2021 10:28 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B16A33A25B5; Wed, 19 May 2021 03:28:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.398, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3HJ-O7qcHsif; Wed, 19 May 2021 03:28:23 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE2633A25B3; Wed, 19 May 2021 03:28:22 -0700 (PDT)
Received: from imap.open-xchange.com (imap.open-xchange.com [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx4.open-xchange.com (Postfix) with ESMTPSA id 9CCA46A0DC; Wed, 19 May 2021 12:28:16 +0200 (CEST)
Received: from plato ([84.81.54.175]) by imap.open-xchange.com with ESMTPSA id m+OBJUDopGD6JAAA3c6Kzw (envelope-from <peter.van.dijk@powerdns.com>); Wed, 19 May 2021 12:28:16 +0200
Message-ID: <1d677ffc5047a96f6e9e903185f3c08a12f3481c.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-nsec-ttl@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
Date: Wed, 19 May 2021 12:28:16 +0200
In-Reply-To: <162139538526.17414.5467676975353511221@ietfa.amsl.com>
References: <162139538526.17414.5467676975353511221@ietfa.amsl.com>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T8CUUlG9Twxjl9CNR4BrNsyz4LM>
Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 10:28:28 -0000

Hello Benjamin,

On Tue, 2021-05-18 at 20:36 -0700, Benjamin Kaduk via Datatracker
wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> I put a (small) handful of editorial suggestions up at
> https://github.com/PowerDNS/draft-dnsop-nsec-ttl/pull/11 .

Thanks, I merged them!

> Section 3.1, etc.
> 
>    |  The TTL of the NSEC RR that is returned MUST be the lesser of the
>    |  MINIMUM field of the SOA record and the TTL of the SOA itself.
>    |  This matches the definition of the TTL for negative responses in
>    |  [RFC2308].  A signer MAY cause the TTL of the NSEC RR to have a
>    |  deviating value after the SOA record has been updated, to allow
>    |  for an incremental update of the NSEC chain.
> 
> I don't think I understand what a "deviating value" would be (and in
> which direction it would deviate).

This sentence was added because some implementations may need time to
rework the whole NSEC/NSEC3 chain after a TTL change. The deviation
would be 'part of the chain still has the old, wrong, value - for a
while'. I'll ponder better words - suggestions are very welcome, of
course.

> Section 3.4
> 
>    |  A resolver that supports aggressive use of NSEC and NSEC3 MAY
>    |  limit the TTL of NSEC and NSEC3 records to the lesser of the
>    |  SOA.MINIMUM field and the TTL of the SOA in a response, if
>    |  present.  It MAY also use a previously cached SOA for a zone to
>    |  find these values.
> 
> The original 8198 has "SHOULD reduce", but now we only have "MAY limit".
> Why should the requirements level be weaker for the new, more-correct,
> guidance?

Rob Wilton also raised this - please see my reply here: 
https://mailarchive.ietf.org/arch/msg/dnsop/pMPe-KcbWUrFVcITCf3fmGk5ztY/

> Section 4
> 
>    If signers & DNS servers for a zone cannot immediately be updated to
>    conform to this document, zone operators are encouraged to consider
>    setting their SOA record TTL and the SOA MINIMUM field to the same
>    value.  That way, the TTL used for aggressive NSEC and NSEC3 use
>    matches the SOA TTL for negative responses.
> 
> Are there any negative consequences of such a move that would need to be
> weighed against the stated benefits?

Signers might use either value (the SOA TTL or the SOA MINIMUM) as a
default for some other value. For example, PowerDNS uses the SOA
MINIMUM value as the TTL for DNSKEYs. So, lowering the SOA MINIMUM
would also lower the DNSKEY TTL (in PowerDNS).

A quick skim of the BIND dnssec-keygen manual page suggests that BIND
might sometimes take the SOA TTL as the DNSKEY TTL.

So, yes, there might be consequences. I will add a note.

> Section 8
> 
> Why is RFC 8174 only an informative reference?  Shouldn't it be given
> the same treatment as RFC 2119?

An oversight, already fixed in my local copy.

Thank you!
 
Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

v2.23.0 | Report a Bug | By Email