Re: [DNSOP] Adam Roach's No Objection on draft-ietf-dnsop-serve-stale-09: (with COMMENT)

Dave Lawrence <> Tue, 03 December 2019 22:27 UTC


Thank you very much for your review, Adam.  I have incorporated your
feedback into the document (which is not yet pushed to datatracker).

Here's the diff:

Adam Roach via Datatracker writes:
> The addition of what I must presume is intended to be RFC 2119
> language to a document that doesn't cite RFC 2119 seems
> questionable.  I would suggest either explicitly adding RFC 2119
> boilerplate to RFC 1035 as part of this update, or using plain
> English language to convey the same concepts as are intended.

I definitely agree it is questionable, and if something needs to be
done to resolve this then your first suggestion is the one that is
more agreeable to me personally, but I can also see how that too is
questionable and might get some pushback.  It's a bit of a weird

It is perhaps worth noting that several other RFCs that have updated
1035, starting with 3658, have already used 2119 normative keywords.
So in spirit it's already there, just not with an explicit remark in
any of them that formally puts the boilerplate on 1035 itself.  (And,
in the end, that means 1035 is a weird hodge-podge of old world and new.)

> >  A proposed mitigation is that certificate authorities
> >  should fully look up each name starting at the DNS root for every
> >  name lookup.  Alternatively, CAs should use a resolver that is not
> >  serving stale data.
> This seems like a perfectly good solution, although I wonder how
> many CAs are likely to read this document. If I were the type to
> engage in wagering, I'd put all of my money on "zero." I'm not sure
> specific action is called for prior to publication of this document
> as an RFC, but it seems that additional publicity of this issue and
> the way that serve-stale interacts with it -- e.g., to CAB Forum and
> its members -- is warranted.

Completely agree, except to the point that if it were known that there
was money riding on it then someone at a CA would read it just to take
your money. :)  That said, anyone have thoughts on how best to bring
it to their attention?
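The CA concern quoted above, as an added illustration that is not part of the message or of the draft: a toy in-memory resolver cache in two configurations, one that serves expired entries when the authoritative server cannot be reached (serve-stale) and one that fails the lookup instead, driven by a simulated clock. The name, addresses, TTL and timestamps are constructed; the `Resolver`, `Authoritative` and `ca_validation_target` helpers are hypothetical stand-ins for a real resolver and a CA's validation client, not any implementation's API. The scenario shows why a CA validating against a serve-stale resolver can end up connecting to the name's previous address.

```python
"""Toy model of serve-stale versus strict resolver behaviour, as seen by a
CA's domain-validation client.  Added example, not code from the draft or
from any real resolver; every name and value below is constructed."""
from dataclasses import dataclass

TTL = 300  # seconds; constructed TTL for the example record


@dataclass
class CacheEntry:
    rdata: str
    inserted_at: float
    ttl: int

    def is_stale(self, now: float) -> bool:
        return now >= self.inserted_at + self.ttl


class Authoritative:
    """Stand-in for the zone's authoritative server (constructed)."""

    def __init__(self, rdata: str):
        self.rdata = rdata
        self.reachable = True

    def query(self, name: str) -> str:
        if not self.reachable:
            raise TimeoutError(f"no response for {name}")
        return self.rdata


class Resolver:
    """Hypothetical caching resolver; `serve_stale` selects the behaviour."""

    def __init__(self, upstream, serve_stale: bool):
        self.upstream = upstream          # callable(name) -> rdata, or TimeoutError
        self.serve_stale = serve_stale
        self.cache: dict[str, CacheEntry] = {}

    def resolve(self, name: str, now: float):
        entry = self.cache.get(name)
        if entry is not None and not entry.is_stale(now):
            return entry.rdata, "fresh"
        try:
            rdata = self.upstream(name)
        except TimeoutError:
            # Serve-stale: fall back to the expired entry instead of failing.
            if entry is not None and self.serve_stale:
                return entry.rdata, "stale"
            raise
        self.cache[name] = CacheEntry(rdata, now, TTL)
        return rdata, "fresh"


def ca_validation_target(resolver: Resolver, name: str, now: float):
    """Address a CA's validation client would connect to, with its freshness,
    or None when the resolver fails the lookup (the safe outcome for a CA)."""
    try:
        return resolver.resolve(name, now)
    except TimeoutError:
        return None


def run_scenario() -> dict:
    name = "example.test."                     # constructed name
    auth = Authoritative("192.0.2.10")         # old address (constructed)
    stale_res = Resolver(auth.query, serve_stale=True)
    strict_res = Resolver(auth.query, serve_stale=False)
    t0 = 1_000_000.0                           # constructed clock value
    # Both resolvers cache the record while it still points at the old host.
    stale_res.resolve(name, t0)
    strict_res.resolve(name, t0)
    # The zone moves the name to a new address; afterwards the authoritative
    # server is unreachable from these resolvers when the CA validates.
    auth.rdata = "192.0.2.20"
    auth.reachable = False
    later = t0 + TTL + 60                      # well past the record's expiry
    return {
        "serve_stale": ca_validation_target(stale_res, name, later),
        "strict": ca_validation_target(strict_res, name, later),
    }


if __name__ == "__main__":
    for mode, result in run_scenario().items():
        print(f"{mode:>11}: {result}")
```

The serve-stale resolver hands the CA the old address with an expired record, so validation proceeds against a host the name no longer points to; the strict resolver fails the lookup and the CA issues nothing. Resolving from the root for each validation, as the draft suggests, avoids the cache entirely and so sidesteps this path.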