Re: [DNSOP] Working Group Last Call

Warren Kumari <> Fri, 07 October 2016 23:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3FA4812945E for <>; Fri, 7 Oct 2016 16:08:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GAj5U6Fvcxak for <>; Fri, 7 Oct 2016 16:08:09 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6C2201293D6 for <>; Fri, 7 Oct 2016 16:08:09 -0700 (PDT)
Received: by with SMTP id n189so55806447qke.0 for <>; Fri, 07 Oct 2016 16:08:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=3QA8JkEy4ArdADj9mhizEjJQj5ntPiChQdpK3iTHntQ=; b=AsEKZmbNgsjm+ZyWWsHhwHQ9OcwAf0Xf3iBq+2ViSoUZeSyAUHzQAjUSTr9KPYGvkX XSf5pF1pBo4mSqwVUhbH7vfnEkbi2ImE0aG+JB/YphQ2V0e0AqK1n15x9+rMTKbWPMu3 GQ6ykNpBmFzVYDFQV5RSyTWhvuz/KRwhwoWx7YBOg7CHxGOni/sDgts6YFt8OvrV6KjJ hDgmZNr77m4oCGE99hCyLonE9+jIZLUS6Y9Vu4yvQCH2+tLVA1Tet86LEbmEHWq+gJ+y a6Mg0GQe9J1GQAzF9YS6oA9HuDsHwHKxEdqtBdGfqfZDT5fcZxSLQlVaHt6reSqZvD0w R3ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=3QA8JkEy4ArdADj9mhizEjJQj5ntPiChQdpK3iTHntQ=; b=BQZRGrNAqSNBBwfWuJPaQm004ifiTmFzqQguA4+a33Ft6LC7OW09uJqjEld5g459yL ccQSgsM3ICU4i5Viem1SQpPyqCaFNnUqFFAVC6Bc8auHBEB9o02zB0xzYvtXf52p4mcS +91gttNaGLfMQbGpc+uHB3LZlt6Rc9X61kasVAvXbQVTBhj9H0xbP0rQMPT75A8WaWqX 269bM1Kijd8YYLr4PE4ajFJSncRCGW3cSAf1SSDQEhQ8c73Fakwc0j5/0DDk18c7HPBe tU97WGhPAbvx0K/eLQGY/2FsFl8f+J3p0wC438m8zEAb6HLRLhric6cGmkonq4kJ2ISS fCxQ==
X-Gm-Message-State: AA6/9Rlxmg7CTSxM2K+yFd3N37bYCU+9Sbh15aMNUExB9oge+mywYjtVUhpntFnw2/C9EK7/DTm0cqxwo/L/6nRo
X-Received: by with SMTP id z128mr5234348qke.180.1475881688579; Fri, 07 Oct 2016 16:08:08 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 7 Oct 2016 16:07:38 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
From: Warren Kumari <>
Date: Fri, 07 Oct 2016 19:07:38 -0400
Message-ID: <>
To: Tim Wicinski <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: dnsop <>
Subject: Re: [DNSOP] Working Group Last Call
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Oct 2016 23:08:11 -0000

On Thu, Oct 6, 2016 at 2:49 AM, Tim Wicinski <> wrote:
> On 10/5/16 2:30 PM, 神明達哉 wrote:
>> At Tue, 4 Oct 2016 17:39:55 -0400,
>> Warren Kumari <> wrote:
>>>> - Section 3: this section also has an issue of "recursive resolver".
>>>>   Although it may not be as critical as other part of the draft since
>>>>   it's only used as an example scenario, it's probably better to not
>>>>   limit the role of resolver to avoid misleading.  Maybe "recursive
>>>>   resolver" is just changed to "validating resolver", and
>>>>   "authoritative server" is changed to, e.g., "external servers"
>>>>   (meaning either authoritative or or other recursive servers).
>>> DONE.
>>> I did some fix up - how do you like:
>>> "If a validating resolver gets a query for, it will
>>> query the servers and will get back an NSEC (or NSEC3)
>>> record starting that there are no records between apple and elephant.
>>> The resolver then knows that does not exist; however,
>>> it does not use the fact that the proof covers a range (apple to
>>> elephant) to suppress queries for other labels that fall within this
>>> range. This means that if the validating resolver gets a query for
>>> (or it will once again go off and
>>> query the servers for these names."
>>> Does that cover it sufficiently? (and I think I now better understand
>>> your concern).
>> To be perfectly generic, "it will query the servers" is
>> not always the case.  It (= validating resolver) might query another
>> intermediate resolver (often called a "forwarder") that performs
>> recursion.  By "external server" I tried to generalize the concept.
> Maybe this?
> "If a validating resolver receives a query for, it contacts
> its resolver (which may be itself) to query the servers and will
> get back an NSEC (or NSEC3) record starting that there are no records
> between apple and elephant."
>> I'm not sure how we address the subtlety without being overly
>> verbose.  Perhaps we can note in the terminology section that this
>> draft generally describes (validating) resolvers as those performing
>> recursive resolution, but the proposal will also work for resolvers
>> that rely on other recursive (or "full service" if you love to use
>> this term) resolvers.  And then we can keep Section 3 as is (as of ver
>> 02).
> I'm now understanding the distinction you're trying to make.  I've spent
> some time staring at 7719 and 4035 with no better suggestion.
>>> How is:
>>> "Aggressive use of NSEC / NSEC3 resource records without DNSSEC
>>> validation may create serious security issues, and so this technique
>>> requires DNSSEC validation."? I don't love it, additional suggestions
>>> or text welcomed.
>> To me the main point isn't address with this text.  I might be able to
>> offer alternative text, but can't we perhaps just remove these 2
>> sentences?  In a sense these talk about the obvious, and in other
>> sense it could be even harmful as it can be misleading.
> I think you could drop the "Aggressive" and discussing NSEC/NSEC3 records
> w/out validation.  4035 is pretty clear on that

I now have:
"Use of NSEC / NSEC3 resource records without DNSSEC validation may
create serious security issues, and so this technique requires DNSSEC

I could just drop this sentence, but someone (Stephane?) wanted
reinforcement that validation is needed.


> tim

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.