Re: [DNSOP] Working Group Last Call [draft-ietf-dnsop-nsec-aggressiveuse]
Stephane Bortzmeyer <bortzmeyer@nic.fr> Sun, 25 September 2016 17:09 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5634A12B223 for <dnsop@ietfa.amsl.com>; Sun, 25 Sep 2016 10:09:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KqbDjydQKWPv for <dnsop@ietfa.amsl.com>; Sun, 25 Sep 2016 10:09:26 -0700 (PDT)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [217.70.190.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1EB31200DF for <dnsop@ietf.org>; Sun, 25 Sep 2016 10:09:25 -0700 (PDT)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id 7CCD831CA6; Sun, 25 Sep 2016 19:09:23 +0200 (CEST)
Received: by godin (Postfix, from userid 1000) id D0E6DEC0B77; Sun, 25 Sep 2016 19:04:11 +0200 (CEST)
Date: Sun, 25 Sep 2016 17:04:11 +0000
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tim Wicinski <tjw.ietf@gmail.com>
Message-ID: <20160925170411.GB14945@laperouse.bortzmeyer.org>
References: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com>
X-Transport: UUCP rules
X-Operating-System: Ubuntu 16.04 (xenial)
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Wa1_b841s1f2PHUImjvKUPtchVk>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call [draft-ietf-dnsop-nsec-aggressiveuse]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2016 17:09:27 -0000
On Thu, Sep 22, 2016 at 08:19:17AM -0400, Tim Wicinski <tjw.ietf@gmail.com> wrote a message of 31 lines which said: > This starts a Working Group Last Call for: > "Aggressive use of NSEC/NSEC3" > draft-ietf-dnsop-nsec-aggressiveuse I like the basic idea and I think the document is good but I would not like it to be published as it is (-02). My biggest concern is that it seems the original idea was to mention only the synthesis of _negative_ replies (NXDOMAIN), _positive_ replies (synthesis from a wildcard) were mentioned for a long time in the draft but never fully integrated. Section 7 mentions this synthesis of positive answers but, for instance, the abstract, the section 1, section 3, the first paragraph of section 5.5, and the first paragraph of section 9 do not mention the positive answers, but they should (they seem to assume that only negative caching matters). Either we need to match the document to put the synthesis of negative and positive answers on an equal footing, or we should delete the synthesis of positive answers from wildcards. Related to this issue is the fact that the proposed updated text for RFC 4035 is not the same in section 5.1 and in section 7... Another concern is section 9 which says "Aggressive use of NSEC / NSEC3 resource records without DNSSEC validation may cause security problems. It is highly recommended to apply DNSSEC validation." Not only it fails to use RFC 2119 but allowing NXDOMAIN synthesis without DNSSEC validation seems dangerous. Why not a MUST instead of the current "informal SHOULD"? Details ******* IMHO, it should say from the beginning that this document is only for validating resolvers. (It is not in section 1, for instance.) Editorial ********* Section 1 says "This document updates RFC 4035 to allow recursive resolvers to use NSEC/NSEC3 resource records to aggressively cache negative answers." It would be more descriptive, IMHO, to say "This document updates RFC 4035 to allow recursive resolvers to use NSEC/NSEC3 resource records to synthetize negative answers from the information they have in the cache." (It is an aggressive use of the cache, not aggressive caching.) Bikeshedding ************ Section 5.2 says "Implementations SHOULD provide a configuration switch to disable aggressive use of NSEC and allow it to be enabled or disabled per domain." Such as switch (the per-domain one) seems costly and I would prefer a MAY here.
- [DNSOP] Working Group Last Call Tim Wicinski
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call on "Aggressiv… John Levine
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Stephane Bortzmeyer
- Re: [DNSOP] Working Group Last Call 神明達哉
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Matthijs Mekking
- Re: [DNSOP] Working Group Last Call Matthijs Mekking
- Re: [DNSOP] Working Group Last Call 神明達哉
- Re: [DNSOP] Working Group Last Call on "Aggressiv… Warren Kumari
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Warren Kumari
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… John Levine
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Matthijs Mekking
- Re: [DNSOP] Working Group Last Call 神明達哉
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Bob Harold
- Re: [DNSOP] Working Group Last Call Tim Wicinski
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Stephane Bortzmeyer
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… John R Levine
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Stephane Bortzmeyer
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Tim Wicinski
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Warren Kumari
- Re: [DNSOP] Working Group Last Call 神明達哉
- Re: [DNSOP] Working Group Last Call on "Aggressiv… Matthijs Mekking
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Tim Wicinski
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Warren Kumari
- Re: [DNSOP] Working Group Last Call Matthijs Mekking
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Warren Kumari