Re: [DNSOP] Working Group Last Call [draft-ietf-dnsop-nsec-aggressiveuse]

Stephane Bortzmeyer <bortzmeyer@nic.fr> Sun, 25 September 2016 17:09 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5634A12B223 for <dnsop@ietfa.amsl.com>; Sun, 25 Sep 2016 10:09:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KqbDjydQKWPv for <dnsop@ietfa.amsl.com>; Sun, 25 Sep 2016 10:09:26 -0700 (PDT)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [217.70.190.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1EB31200DF for <dnsop@ietf.org>; Sun, 25 Sep 2016 10:09:25 -0700 (PDT)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id 7CCD831CA6; Sun, 25 Sep 2016 19:09:23 +0200 (CEST)
Received: by godin (Postfix, from userid 1000) id D0E6DEC0B77; Sun, 25 Sep 2016 19:04:11 +0200 (CEST)
Date: Sun, 25 Sep 2016 17:04:11 +0000
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tim Wicinski <tjw.ietf@gmail.com>
Message-ID: <20160925170411.GB14945@laperouse.bortzmeyer.org>
References: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com>
X-Transport: UUCP rules
X-Operating-System: Ubuntu 16.04 (xenial)
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Wa1_b841s1f2PHUImjvKUPtchVk>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call [draft-ietf-dnsop-nsec-aggressiveuse]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2016 17:09:27 -0000

On Thu, Sep 22, 2016 at 08:19:17AM -0400,
 Tim Wicinski <tjw.ietf@gmail.com> wrote 
 a message of 31 lines which said:

> This starts a Working Group Last Call for:
> 	"Aggressive use of NSEC/NSEC3"
>       draft-ietf-dnsop-nsec-aggressiveuse

I like the basic idea and I think the document is good but I would not
like it to be published as it is (-02).

My biggest concern is that it seems the original idea was to mention
only the synthesis of _negative_ replies (NXDOMAIN), _positive_
replies (synthesis from a wildcard) were mentioned for a long time in
the draft but never fully integrated. Section 7 mentions this
synthesis of positive answers but, for instance, the abstract, the
section 1, section 3, the first paragraph of section 5.5, and the
first paragraph of section 9 do not mention the positive answers, but
they should (they seem to assume that only negative caching matters).

Either we need to match the document to put the synthesis of negative
and positive answers on an equal footing, or we should delete the
synthesis of positive answers from wildcards.

Related to this issue is the fact that the proposed updated text for
RFC 4035 is not the same in section 5.1 and in section 7...

Another concern is section 9 which says "Aggressive use of NSEC /
NSEC3 resource records without DNSSEC validation may cause security
problems.  It is highly recommended to apply DNSSEC validation." Not
only it fails to use RFC 2119 but allowing NXDOMAIN synthesis without
DNSSEC validation seems dangerous. Why not a MUST instead of the
current "informal SHOULD"?

Details
*******

IMHO, it should say from the beginning that this document is only for
validating resolvers. (It is not in section 1, for instance.)

Editorial
*********

Section 1 says "This document updates RFC 4035 to allow recursive
resolvers to use NSEC/NSEC3 resource records to aggressively cache
negative answers."  It would be more descriptive, IMHO, to say "This
document updates RFC 4035 to allow recursive resolvers to use
NSEC/NSEC3 resource records to synthetize negative answers from the
information they have in the cache." (It is an aggressive use of the
cache, not aggressive caching.)

Bikeshedding
************

Section 5.2 says "Implementations SHOULD provide a configuration switch to disable
aggressive use of NSEC and allow it to be enabled or disabled per
domain." Such as switch (the per-domain one) seems costly and I would
prefer a MAY here.