Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-aggressiveuse-02.txt

Warren Kumari <warren@kumari.net> Tue, 04 October 2016 16:33 UTC

From: Warren Kumari <warren@kumari.net>
Date: Tue, 4 Oct 2016 12:33:00 -0400
Message-ID: <CAHw9_iJ9M=J3bziNYt6TV=q29zeDno3QBoGtjQMGX5dLbEr7KA@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bM3495C1PhQJg66ACx-XTPyS018>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-aggressiveuse-02.txt

Thank you. I have attempted to reword this so that it is more
readable. I'm making multiple sets of changes; they are being staged
on github and will be published soon.
https://github.com/wkumari/draft-ietf-dnsop-nsec-aggressiveuse

W

On Tue, Sep 13, 2016 at 3:50 PM, Bob Harold <rharolde@umich.edu> wrote:
>
> On Tue, Sep 13, 2016 at 11:28 AM, <internet-drafts@ietf.org> wrote:
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Domain Name System Operations of the
>> IETF.
>>
>>         Title           : Aggressive use of NSEC/NSEC3
>>         Authors         : Kazunori Fujiwara
>>                           Akira Kato
>>                           Warren Kumari
>>         Filename        : draft-ietf-dnsop-nsec-aggressiveuse-02.txt
>>         Pages           : 13
>>         Date            : 2016-09-13
>>
>> Abstract:
>>    The DNS relies upon caching to scale; however, the cache lookup
>>    generally requires an exact match.  This document specifies the use
>>    of NSEC/NSEC3 resource records to generate negative answers within a
>>    range.  This increases performance / decreases latency, decreases
>>    resource utilization on both authoritative and recursive servers, and
>>    also increases privacy.  It may also help increase resilience to
>>    certain DoS attacks in some circumstances.
>>
>>    This document updates RFC4035 by allowing resolvers to generate
>>    negative answers based upon NSEC/NSEC3 records.
>>
>>    [ Ed note: Text inside square brackets ([]) is additional background
>>    information, answers to frequently asked questions, general musings,
>>    etc.  They will be removed before publication.  This document is being
>>    collaborated on in Github at: https://github.com/wkumari/draft-ietf-
>>    dnsop-nsec-aggressiveuse.  The most recent version of the document,
>>    open issues, etc should all be available here.  The authors
>>    (gratefully) accept pull requests.
>>
>>    Known / open issues [To be moved to Github issue tracker]:
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-aggressiveuse/
>>
>> There's also a htmlized version available at:
>> https://tools.ietf.org/html/draft-ietf-dnsop-nsec-aggressiveuse-02
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-nsec-aggressiveuse-02
>>
>>
> Looks good, but this one sentence in "5.4. Wildcard" does not read well to
> me:
>
> "But, it will be more
> effective when both are enabled since the resolver can determine the
> name subject to wildcard would not otherwise exist more efficiently."
>
> Not sure how to reword it.
>
> --
> Bob Harold

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
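Added example, not code from the draft or from anyone in this thread: the range check the abstract relies on, in Python. A resolver holding a cached NSEC whose interval covers a queried name already has a signed proof that the name does not exist, so it can answer NXDOMAIN without asking the authoritative server. Name ordering follows RFC 4034 section 6.1; the NSEC chain for example.com is constructed for illustration.

```python
# Added example, not from the draft: the range check behind aggressive NSEC use.
from dataclasses import dataclass

def _canonical_labels(name: str) -> list:
    """Labels in RFC 4034 canonical form: lower-cased, root-most label first."""
    name = name.rstrip(".").lower()
    return [lbl.encode("ascii") for lbl in name.split(".")][::-1] if name else []

def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 s6.1 canonical ordering: -1 if a < b, 0 if equal, 1 if a > b."""
    la, lb = _canonical_labels(a), _canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:  # bytes compare as unsigned octets; a proper prefix sorts first
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))  # fewer labels sorts first

def _is_subdomain(name: str, ancestor: str) -> bool:
    ln, la = _canonical_labels(name), _canonical_labels(ancestor)
    return ln[:len(la)] == la

@dataclass(frozen=True)
class Nsec:
    owner: str
    next: str
    types: frozenset  # type bitmap, as mnemonics

    def covers(self, qname: str) -> bool:
        """True if owner < qname < next canonically; the zone's last NSEC has
        next == apex and covers every in-zone name after its owner."""
        # An NSEC at a zone cut (NS set, SOA clear) proves nothing about names
        # below the delegation: the child zone holds them (RFC 4035 s5.4).
        below_cut = "NS" in self.types and "SOA" not in self.types and _is_subdomain(qname, self.owner)
        if below_cut or canonical_cmp(qname, self.owner) <= 0:
            return False  # at or before the owner, which itself exists
        if canonical_cmp(self.next, self.owner) <= 0:  # wrap-around to the apex
            return _is_subdomain(qname, self.next)
        return canonical_cmp(qname, self.next) < 0

def synthesize_nxdomain(cache: list, qname: str) -> "Nsec | None":
    """Cached NSEC proving qname's nonexistence, or None (query upstream). A full
    NXDOMAIN also needs proof that no wildcard applies; omitted here."""
    return next((rr for rr in cache if rr.covers(qname)), None)

# Constructed NSEC chain for example.com: apex, one host, one delegation.
CACHE = [
    Nsec("example.com.", "alpha.example.com.", frozenset({"SOA", "NS", "NSEC", "RRSIG"})),
    Nsec("alpha.example.com.", "delta.example.com.", frozenset({"A", "NSEC", "RRSIG"})),
    Nsec("delta.example.com.", "example.com.", frozenset({"NS", "NSEC", "RRSIG"})),
]
```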