Re: [DNSOP] Reminder: WGLC for draft-ietf-dnsop-nsec-aggressiveuse ends Tonight

Warren Kumari <> Fri, 07 October 2016 19:07 UTC

From: Warren Kumari <>
Date: Fri, 07 Oct 2016 15:07:15 -0400
To: Stephane Bortzmeyer <>
Cc: Tim Wicinski <>, dnsop <>

On Thu, Oct 6, 2016 at 12:32 PM, Stephane Bortzmeyer <> wrote:
> On Thu, Oct 06, 2016 at 02:53:38AM -0400,
>  Tim Wicinski <> wrote
>  a message of 17 lines which said:
>> Just a reminder that the WGLC for
>> draft-ietf-dnsop-nsec-aggressiveuse will end later today (barring
>> any stuck issues).  The authors appear to have addressed all open
>> issues
> The way I understand it, in -03, there are no more *positive* answers
> (NOERROR synthesized from a wildcard in the cache), only negative ones
> (NXDOMAIN). Am I correct? (If so, I agree with the change.)

Yes, you *were* correct -- however, since then the WG has demanded^w
requested that we re-introduce the positive answer text, and so I have
just committed that to GitHub.
I have not yet, however, incorporated your original text fixup; I'll
do that now...


> If this is true, then I would suggest some work on rewriting section 7's
> new text for updating RFC 4035. True, the cache needs to look at
> wildcards to see if it can synthesize NXDOMAINs or not, but the way it
> is written, it is confusing, since a wildcard would *prevent*
> synthesis. Maybe:
>    Once the records are validated, DNSSEC-enabled validating
>    resolvers MAY use NSEC/NSEC3 resource records
>    to generate negative responses until their effective TTLs
>    or signatures for those records expire. (This also requires
>    checking that there is no wildcard applicable for the QNAME.)

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
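Added example, not part of the thread and not code from the draft or from any resolver implementation: the cache-side decision the quoted section 7 text describes. A validating resolver may synthesize NXDOMAIN from cached NSEC records only when an unexpired NSEC covers the QNAME in RFC 4034 canonical order and a second (or the same) unexpired NSEC proves that no wildcard exists at the closest encloser; if a wildcard NSEC is in the cache instead, no negative answer may be synthesized. Assumptions: records are already DNSSEC-validated, delegation (NS) and DNAME checks are left out, the closest encloser is derived from the covering NSEC's owner and next names, and the zone data is constructed.

```python
"""Aggressive NSEC negative caching (draft-ietf-dnsop-nsec-aggressiveuse):
the checks a cache must make before synthesizing NXDOMAIN. Illustrative code,
not from the draft or any resolver. NSEC records are assumed validated;
delegation and DNAME handling is omitted; all sample records are constructed.
"""

from dataclasses import dataclass


def _labels(name: str) -> list:
    """Labels of a presentation-format name, lowercased, root-most first."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab][::-1]


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical ordering: most significant
    (rightmost) label first, labels compared as lowercase octet strings, so an
    ancestor sorts immediately before its descendants."""
    return tuple(lab.encode() for lab in _labels(name))


def same_name(a: str, b: str) -> bool:
    return _labels(a) == _labels(b)


def is_subdomain(name: str, ancestor: str) -> bool:
    anc = _labels(ancestor)
    return _labels(name)[: len(anc)] == anc


def common_ancestor(a: str, b: str) -> str:
    """Longest name that is an ancestor of, or equal to, both a and b."""
    shared = []
    for x, y in zip(_labels(a), _labels(b)):
        if x != y:
            break
        shared.append(x)
    return ".".join(reversed(shared)) + "." if shared else "."


@dataclass(frozen=True)
class CachedNSEC:
    owner: str
    next_name: str     # "next domain name" field of the NSEC RDATA
    expires_at: float  # earlier of TTL expiry and RRSIG expiration time


def nsec_covers(rec: CachedNSEC, qname: str, apex: str) -> bool:
    """True if rec proves qname does not exist: owner < qname < next in
    canonical order, or qname > owner for the last NSEC in the chain, whose
    next name wraps around to the zone apex. A qname equal to the owner is
    a NODATA case, not NXDOMAIN, and is deliberately not covered."""
    if not is_subdomain(qname, apex):
        return False  # a proof from another zone says nothing about qname
    o, q = canonical_key(rec.owner), canonical_key(qname)
    if same_name(rec.next_name, apex):
        return o < q
    return o < q < canonical_key(rec.next_name)


def closest_encloser(rec: CachedNSEC, qname: str) -> str:
    """Closest encloser of qname derived from its covering NSEC: the longer of
    qname's common ancestors with the owner and with the next name (the next
    name matters when the encloser is an empty non-terminal, which has no
    NSEC of its own). This derivation is an assumption of the example."""
    a = common_ancestor(qname, rec.owner)
    b = common_ancestor(qname, rec.next_name)
    return a if len(_labels(a)) >= len(_labels(b)) else b


def synthesize(cache: list, qname: str, apex: str, now: float) -> str:
    """Decide what the cache can answer without a query:
    "NXDOMAIN" - covering NSEC present and wildcard proven absent,
    "WILDCARD" - a wildcard exists at the closest encloser, so no negative
                 answer may be synthesized,
    "UNKNOWN"  - no usable proof; send the query upstream."""
    live = [r for r in cache if r.expires_at > now]  # expired proofs are useless
    covering = next((r for r in live if nsec_covers(r, qname, apex)), None)
    if covering is None:
        return "UNKNOWN"
    ce = closest_encloser(covering, qname)
    wildcard = "*." if ce == "." else "*." + ce
    if any(same_name(r.owner, wildcard) for r in live):
        return "WILDCARD"
    if any(nsec_covers(r, wildcard, apex) for r in live):
        return "NXDOMAIN"
    return "UNKNOWN"  # wildcard status unproven: must not synthesize


# Constructed NSEC chain for zone example. with names example., a.example.,
# z.b.example. (b.example. is an empty non-terminal), c.example., *.w.example.
APEX = "example."
SAMPLE_CACHE = [
    CachedNSEC("example.", "a.example.", 2000.0),
    CachedNSEC("a.example.", "z.b.example.", 2000.0),
    CachedNSEC("z.b.example.", "c.example.", 2000.0),
    CachedNSEC("c.example.", "*.w.example.", 2000.0),
    CachedNSEC("*.w.example.", "example.", 2000.0),
]

if __name__ == "__main__":
    for q in ("d.example.", "c.b.example.", "foo.w.example.", "a.example."):
        print(q, synthesize(SAMPLE_CACHE, q, APEX, now=1000.0))
```

The `c.b.example.` case is why the closest encloser is taken from both names of the covering NSEC: the encloser `b.example.` is an empty non-terminal with no NSEC of its own, so it can only be recovered from the next name `z.b.example.`, and the wildcard that must be disproved is `*.b.example.`, not `*.example.`.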