Re: [DNSOP] Working Group Last Call [draft-ietf-dnsop-nsec-aggressiveuse]

"John R Levine" <johnl@taugh.com> Thu, 06 October 2016 17:47 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76D08129748 for <dnsop@ietfa.amsl.com>; Thu, 6 Oct 2016 10:47:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=Qyohfvol; dkim=pass (1536-bit key) header.d=taugh.com header.b=XQSviTU9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4SNPwpdFYNiD for <dnsop@ietfa.amsl.com>; Thu, 6 Oct 2016 10:47:31 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3165E129745 for <dnsop@ietf.org>; Thu, 6 Oct 2016 10:47:31 -0700 (PDT)
Received: (qmail 84100 invoked from network); 6 Oct 2016 17:47:28 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=14883.57f68e30.k1610; bh=v9jGKhvRBaoE21q3Ox3E2JNBwr1Pz1F9FMPEe1aW9WY=; b=Qyohfvol2c45pvgN34wpWYyEb1u8oHkBzekRLF2czlFeey6jg2zxMl+LbSqSTfhYV0WkBl4zleoru46rnxWygpvook9LWjX8i/TjCAVDC2RVJ0tEJ2nFGynC4VlzsyIOK4FLk1GSeASOBziZrMF6xJHgPi2urt+35BJs93DCRevtgkqymahXUHX/Qj9eHskakIVkfkTpnkHHi/LfUyUyj9KXYB97FBVgD/lRvabLiV/RHitz5q7riqmzLcI3A7gR
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=14883.57f68e30.k1610; bh=v9jGKhvRBaoE21q3Ox3E2JNBwr1Pz1F9FMPEe1aW9WY=; b=XQSviTU9XgMGBKTvd+KclEh+AU69ojW792zfeWqAJtT5JdyR/D9nIsLum84603gGbVImzN+72ctUnsK1vKdEF6zp4H739+7xEngwWbfFSgZ4cQ6ztneh3kPyF3Worq6Cnrv1Hfzb05247np62umZ0xUQ/4QZ1UdQEfxAMuDquFgDR4O83AInh0pQ6aRKFLEcMQrjye0n3fAD/6A22WhVidEQ5XFQKJV+tll3dIt9jEjWrGMGRDKiBrtgEopSak16
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 06 Oct 2016 17:47:28 -0000
Date: 6 Oct 2016 13:47:28 -0400
Message-ID: <alpine.OSX.2.11.1610061248310.47126@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>
In-Reply-To: <20161006163735.GA18000@laperouse.bortzmeyer.org>
References: <CAHw9_iJrgF3w-=0e8XbBLbDNPN9Nyuw15WS7AcZO5LbzBLKR8A@mail.gmail.com> <20161004192237.15135.qmail@ary.lan> <CA+nkc8CNx9-ROWkV8gs5N5+Pjw1NJb8qQ3DPXAxDUC5+mJv-=w@mail.gmail.com> <20161006163735.GA18000@laperouse.bortzmeyer.org>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UbO7KNUMGfXzpNHeaYOEB4o71ns>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call [draft-ietf-dnsop-nsec-aggressiveuse]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 17:47:34 -0000

>>> I'd rather you keep it [positive answers]
>>>
>>> +1
>> Keep the positive, rather than writing a separate RFC for that later.
>
> Why not but, in that case, this would send back the document for
> several weeks, since the text about positive answers in -02 was very
> limited and unclear (dropping it, like -03 did, is easier.)
>
> It is not just a matter of "keeping positive answers", it is a matter
> of "seriously studying the case of positive answers, which was
> neglected in the previous discussions".

It still seems to me that the time to add the wildcards back in would be 
less than the time to do two separate documents.  Unless there's some 
reason that this needs to be published in a hurry, I'd rather get to a 
point where we agree that wildcard synthesis is OK.

Having looked at this probably more than most people, there are some 
points worth clarifying.  Most notably, due to the closest encloser rule, 
it is not possible in general to synthesize every wildcard result but I 
it's possible to synthesize many useful ones.

For example, let's say you query a.foo.example, and get back an answer 
saying it was synthesized from *.foo.example and the NSEC says the next 
name is c.foo.example. Then you can synthesize b.foo.example, but you 
can't synthesize d.foo.example.  That's a limitation, but that's OK.  It 
looks to me like most of the wildcards where this would be useful have no 
exceptions, such as the ones to put all of a IPv6 /64 into a DNS whitelist 
or blacklist.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly