Re: [DNSOP] Second Working Group Last Call - draft-ietf-dnsop-nsec-aggressiveuse
Matthijs Mekking <matthijs@pletterpet.nl> Fri, 16 December 2016 09:05 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB5E412954D for <dnsop@ietfa.amsl.com>; Fri, 16 Dec 2016 01:05:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HnRLTT-wwjs6 for <dnsop@ietfa.amsl.com>; Fri, 16 Dec 2016 01:05:57 -0800 (PST)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F8C3129461 for <dnsop@ietf.org>; Fri, 16 Dec 2016 01:05:56 -0800 (PST)
Received: from [IPv6:2001:981:19be:1:d8a7:3102:b5ba:4246] (unknown [IPv6:2001:981:19be:1:d8a7:3102:b5ba:4246]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id D7152AB22 for <dnsop@ietf.org>; Fri, 16 Dec 2016 10:05:54 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: dnsop@ietf.org
References: <CADyWQ+EJ0LO=pU-yUdEHwC3aP5KdXxsnD9kEvmmTeAoe0BxK3A@mail.gmail.com> <20161214135300.gl7t7zwrd7huqdq2@nic.fr> <CA+nkc8D2BQ7B827YeuEn7nDDUxcqOW8Qmdr0zcc0zxTuNOG_qg@mail.gmail.com> <CAHw9_iLiEKJ6PUqApEn0wLXU7ThrkUfvTn_GFKsdMT6pu0eShg@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <46c047b1-d37e-1cee-8ef9-7019f3dd66d7@pletterpet.nl>
Date: Fri, 16 Dec 2016 10:05:52 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <CAHw9_iLiEKJ6PUqApEn0wLXU7ThrkUfvTn_GFKsdMT6pu0eShg@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/feUWfnUIUcvp3tKdYGOm7FaOj4E>
Subject: Re: [DNSOP] Second Working Group Last Call - draft-ietf-dnsop-nsec-aggressiveuse
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Dec 2016 09:05:59 -0000
I have read the -07 version and I think this document is ready for publication. I do still think that the end of section 4 and start of section 5 is too similar and can be combined such that it only quotes RFC 4035 one time. Perhaps Section 5 can just start with: 5. Aggressive use of Cache This document relaxes the restriction given in Section 4.5 of [RFC4035], see Section 7 for more detail. If the negative cache of the validating resolver has sufficient... Best regards, Matthijs On 15-12-16 15:55, Warren Kumari wrote: > > > On Thu, Dec 15, 2016 at 9:38 AM Bob Harold <rharolde@umich.edu > <mailto:rharolde@umich.edu>> wrote: > > > On Wed, Dec 14, 2016 at 8:53 AM, Stephane Bortzmeyer > <bortzmeyer@nic.fr <mailto:bortzmeyer@nic.fr>> wrote: > > On Tue, Dec 13, 2016 at 02:13:27PM -0500, > tjw ietf <tjw.ietf@gmail.com <mailto:tjw.ietf@gmail.com>> wrote > a message of 94 lines which said: > > > This starts a Working Group Last Call for: > > "Aggressive use of NSEC/NSEC3" > > draft-ietf-dnsop-nsec-aggressiveuse > > I've read -07 and I believe it is OK and ready for publication. > All my > (many) remarks have been addressed, I think. > > Two details: > > > [RFC8020], and [I-D.vixie-dnsext-resimprove] proposes first > steps to > > using NXDOMAIN information for more effective caching > > IMHO, RFC 8020 supersedes draft-vixie-dnsext-resimprove, so it > is not > necessary to mention both. If you prefer to do so for historical > completeness, may be you should mention them in the chronological > order? > > > Yup, I think that having them both is useful, both for historical > purposes, but also because resimprove contains much worth reading -- I > like you swapping the order suggestion... > > > > As these benefits are only accrued by those using DNSSEC, it is > > hoped that these techniques will lead to more DNSSEC deployment. > > This sentence should really be deleted. It seems to imply that > DNSSEC > cannot work on its own merits and need extra arguments. "NSEC > aggressive use of caching"'s goal is not to promote DNSSEC, it is to > improve the DNS! > > > That was certainly not the intent, but rather what Bob had suggested > below -- this adds yet another point to the "how to justify spending the > $$$ to management / bean-counters" list. I *do* understand where you are > coming from, but am not sure how to word something appropriate -- would > "These benefits are only accrued by those using DNSSEC, it is hoped that > these techniques will speed the deployment of DNSSEC validation". > That makes it more clear that DNSSEC is the right thing to do anyway, > and that this just helps us get there faster? > > > I would like to respectfully disagree. I read the sentence as > saying that this adds one more benefit to running DNSSEC, which > makes people like me want to move DNSSEC closer to the top of my > priority list. > > > Yup, that was the intent - many people want to deploy, but need to > juggle priorities, or convince bean-counters why this is the right thing > to do. Waving the security flag makes them shrug, but pointing how this > might help save money gets more management buy-in for the ask. > > W > (Yes, I did use "management buy-in for the ask." in an IETF mail. It was > oddly thrilling :-)) > > -- > Bob Harold > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Second Working Group Last Call - draft-ie… tjw ietf
- Re: [DNSOP] Second Working Group Last Call - draf… Warren Kumari
- Re: [DNSOP] Second Working Group Last Call - draf… Matthijs Mekking
- Re: [DNSOP] Second Working Group Last Call - draf… tjw ietf
- Re: [DNSOP] Second Working Group Last Call - draf… Stephane Bortzmeyer
- Re: [DNSOP] Second Working Group Last Call - draf… Bob Harold
- Re: [DNSOP] Second Working Group Last Call - draf… Warren Kumari
- Re: [DNSOP] Second Working Group Last Call - draf… Matthijs Mekking
- Re: [DNSOP] Second Working Group Last Call - draf… Stephane Bortzmeyer
- Re: [DNSOP] Second Working Group Last Call - draf… Ralph Dolmans
- Re: [DNSOP] Second Working Group Last Call - draf… Paul Wouters
- Re: [DNSOP] Second Working Group Last Call - draf… Stephane Bortzmeyer
- Re: [DNSOP] Second Working Group Last Call - draf… Paul Wouters
- Re: [DNSOP] Second Working Group Last Call - draf… Warren Kumari
- Re: [DNSOP] Second Working Group Last Call - draf… 神明達哉
- Re: [DNSOP] Second Working Group Last Call - draf… Stephane Bortzmeyer
- Re: [DNSOP] Second Working Group Last Call - draf… Stephane Bortzmeyer