Re: [DNSOP] Working Group Last Call
Matthijs Mekking <matthijs@pletterpet.nl> Tue, 04 October 2016 12:07 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDB1F129835 for <dnsop@ietfa.amsl.com>; Tue, 4 Oct 2016 05:07:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.92
X-Spam-Level:
X-Spam-Status: No, score=-6.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A5YWJt-NMjZG for <dnsop@ietfa.amsl.com>; Tue, 4 Oct 2016 05:07:02 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36B18129834 for <dnsop@ietf.org>; Tue, 4 Oct 2016 05:07:01 -0700 (PDT)
Received: from [172.19.128.42] (vpn-10-mht.dyndns.com [216.146.45.33]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id E2401B852 for <dnsop@ietf.org>; Tue, 4 Oct 2016 14:06:56 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: dnsop@ietf.org
References: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <eda9f6f0-6ecc-9fcf-d961-d60d20831549@pletterpet.nl>
Date: Tue, 04 Oct 2016 14:06:54 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZsV1bQNoAwN_FFJ5Hq_KFUf6njw>
Subject: Re: [DNSOP] Working Group Last Call
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Oct 2016 12:07:06 -0000
All, I reviewed this draft and while it is shaping up nicely, I don't think it is quite ready for publication: 1. As John pointed out earlier, the document makes an inconsistent use of RFCC 2119 keywords, and we need to decide whether to use MAY or SHOULD. Looking at the definitions of the keywords again I am leaning towards MAY, but given the described benefits I could see how SHOULD would be appropriate. Either way, it should be consistent. Also, the used keyword for NSEC should not be different than that for NSEC3. 2. In addition to the first point, I don't think it is appropriate to use RFC 2119 keywords to dictate name server configuration. Mentioning it would be useful to have configuration options for enabling and disabling this functionality seems okay, but drop the RFC 2119 formalities. 3. In section 6 on Benefits, it says "currently around 65% of queries to Root Name servers result in NXDOMAIN responses." This is quickly outdated, so I would replace 'currently' with 'at the time of writing'. But more importantly, where does this number come from? A reference here seems appropriate. 4. There are several bikeshedding issues/nits that I have put up a PR for here: https://github.com/wkumari/draft-ietf-dnsop-nsec-aggressiveuse/pull/1 5. It seems that sections 5.2 and 5.3 only consider NXDOMAIN responses. Is it perhaps that at the end of section 5.1 NODATA answers are covered? I would suggest a better structure to make more explicit the scope. Currently it reads as if NODATA answers should always be subject to aggressive use of negative cache, while NXDOMAIN answers only if the configuration option enables it. Given these remarks, I suggest the following structure and text: If the negative cache of the validating resolver has sufficient information to validate the query, the resolver MAY use NSEC, NSEC3 and wildcard records aggressively. Otherwise, it MUST fall back to send the query to the authoritative DNS servers. It is recommended that resolvers that implement Aggressive Use of Negative Caching provide a configuration switch to disable the feature. Separate configuration switches can be implemented for the aggressive use of NSEC, NSEC3 and wildcard records. 5.2 NSEC 5.2.1 No Data If the query has an NSEC record matching the query name, proving the data requested does not exist, the resolver MAY respond with an empty NOERROR (No Data) answer. 5.2.2 Name Error If the resolver has an NSEC record covering the source of synthesis and an NSEC record covering the query name, it MAY respond with an NXDOMAIN answer. 5.2.3 Wildcard No Data If the resolver has an NSEC record matching the source of synthesis and an NSEC record covering the query name, it MAY respond with an empty NOERROR (No Data) answer. 5.2.3 Wildcard Answer If the resolver has an NSEC record covering the query name, but no NSEC record matching the source of synthesis, it MAY respond with an wildcard expanded answer from the cache. If the corresponding wildcard record is not in the cache, it MUST fall back to send the query to the authoritative DNS servers. 5.2 NSEC3 ... A similar layout for NSEC3 should be provided, and I am willing to provide that if this layout is accepted. Best regards, Matthijs On 22-09-16 14:19, Tim Wicinski wrote: > All > > This draft has been worked on and it seems that the Working Group is > happy with the updates that have been made and I feel it's ready for the > next step. > > This starts a Working Group Last Call for: > "Aggressive use of NSEC/NSEC3" > draft-ietf-dnsop-nsec-aggressiveuse > > Current versions of the draft is available here: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-aggressiveuse/ > > Please review the draft and offer relevant comments. Also, if someone > feels the document is *not* ready for publication, please speak out with > your reasons. > > It's currently marked as "Proposed Standard", so if folks feel > differently then please speak up. > > > This starts a two week Working Group Last Call process, and ends at > midnight 7 October 2016 UTC. > > thanks > tim > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Working Group Last Call Tim Wicinski
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call on "Aggressiv… John Levine
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Stephane Bortzmeyer
- Re: [DNSOP] Working Group Last Call 神明達哉
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Matthijs Mekking
- Re: [DNSOP] Working Group Last Call Matthijs Mekking
- Re: [DNSOP] Working Group Last Call 神明達哉
- Re: [DNSOP] Working Group Last Call on "Aggressiv… Warren Kumari
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Warren Kumari
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… John Levine
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Matthijs Mekking
- Re: [DNSOP] Working Group Last Call 神明達哉
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Bob Harold
- Re: [DNSOP] Working Group Last Call Tim Wicinski
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Stephane Bortzmeyer
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… John R Levine
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Stephane Bortzmeyer
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Tim Wicinski
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Warren Kumari
- Re: [DNSOP] Working Group Last Call 神明達哉
- Re: [DNSOP] Working Group Last Call on "Aggressiv… Matthijs Mekking
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Tim Wicinski
- Re: [DNSOP] Working Group Last Call [draft-ietf-d… Warren Kumari
- Re: [DNSOP] Working Group Last Call Matthijs Mekking
- Re: [DNSOP] Working Group Last Call Warren Kumari
- Re: [DNSOP] Working Group Last Call Warren Kumari