Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

Bob Harold <rharolde@umich.edu> Tue, 07 July 2015 16:09 UTC

In-Reply-To: <20150707.182043.193693838.fujiwara@jprs.co.jp>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <20150707.182043.193693838.fujiwara@jprs.co.jp>
Date: Tue, 07 Jul 2015 12:09:35 -0400
Message-ID: <CA+nkc8DS2bXmQct_D05kK2Mx6OAyC+zbBLb1jwXKKmjNx+X=yw@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
To: fujiwara@jprs.co.jp
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/olXLB0WQEqmvXHQTfztC4j5e-TQ>
Cc: IETF DNSOP WG <dnsop@ietf.org>

On Tue, Jul 7, 2015 at 5:20 AM, <fujiwara@jprs.co.jp> wrote:

> Akira Kato and I submitted draft-fujiwara-dnsop-nsec-aggressiveuse-01.
>
>
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/
>
>
> ...

> --
> Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
>
I am concerned that the "AN" flag allows for easy zone walking, defeating
the purpose of minimal range NSEC records.  So I don't think authoritative
servers would want to respect it.

I am also concerned that random subdomain queries will set the CD bit, if
that avoids aggressive negative caching.  So I would think that the CD bit
should not be allowed to stop aggressive negative caching.

-- 
Bob Harold
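The two points in the message above (a resolver synthesizing NXDOMAIN from cached NSEC records, and whether a CD bit on the query should bypass that) are easier to see against a concrete lookup routine. What follows is an added example written for this page; it is not code from the thread, from the draft, or from any resolver. It models plain NSEC only (no NSEC3), assumes the cached records were already DNSSEC-validated and ignores TTLs, and the zone contents are constructed. The `cd` handling in `lookup` implements the behaviour Bob Harold argues for, not something the draft specifies.

```python
# Added example (not code from the thread, the draft, or any resolver):
# a small model of aggressive negative caching from cached NSEC records.
# Zone contents below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


def _labels(name: str) -> List[bytes]:
    """Split a DNS name into lowercased labels, leftmost first (root omitted)."""
    name = name.rstrip(".").lower()
    return name.encode("ascii").split(b".") if name else []


def canonical_cmp(a: str, b: str) -> int:
    """Compare names in DNSSEC canonical order (RFC 4034 section 6.1):
    labels are compared from the root leftwards as lowercase byte strings,
    and a name sorts before every name below it."""
    la, lb = _labels(a)[::-1], _labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if name is strictly below ancestor."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset  # RR types present at owner, e.g. {"A", "NS"}

    def is_delegation(self) -> bool:
        """RFC 4035 section 5.4: an NSEC at a delegation point (NS without
        SOA) or at a DNAME owner proves nothing about names below it."""
        return ("NS" in self.types and "SOA" not in self.types) or "DNAME" in self.types


def nsec_covers(rec: NSEC, qname: str) -> bool:
    """True if rec proves qname does not exist: owner < qname < next in
    canonical order; the zone's last NSEC wraps around to the apex."""
    if rec.is_delegation() and is_subdomain(qname, rec.owner):
        return False
    lo = canonical_cmp(rec.owner, qname) < 0
    hi = canonical_cmp(qname, rec.next_name) < 0
    if canonical_cmp(rec.owner, rec.next_name) < 0:
        return lo and hi
    return lo or hi


def closest_encloser(qname: str, covering: NSEC) -> str:
    """For a name covered by an NSEC, the closest encloser is its longest
    common ancestor with the NSEC owner (RFC 7129 section 5.5)."""
    common = []
    for x, y in zip(_labels(qname)[::-1], _labels(covering.owner)[::-1]):
        if x != y:
            break
        common.append(x)
    return b".".join(common[::-1]).decode("ascii") + "."


class NegativeCache:
    """Validated NSEC records a resolver holds for one zone."""

    def __init__(self, zone: str, records: List[NSEC]):
        self.zone = zone
        self.records = list(records)

    def lookup(self, qname: str, cd: bool = False) -> Optional[str]:
        """Return "NXDOMAIN" when cached NSECs prove qname absent, else None
        (the query has to go upstream).  The CD bit is accepted but not
        consulted, the behaviour argued for in the message above: the proof
        was validated when it was cached, so a client setting CD gets the
        same synthesized answer and its query is not forwarded upstream."""
        if not (_labels(qname) == _labels(self.zone) or is_subdomain(qname, self.zone)):
            return None
        cover = next((r for r in self.records if nsec_covers(r, qname)), None)
        if cover is None:
            return None
        # NXDOMAIN also requires proof that no wildcard applies (RFC 4035 section 5.4).
        wildcard = "*." + closest_encloser(qname, cover)
        if any(canonical_cmp(r.owner, wildcard) == 0 for r in self.records):
            return None  # a wildcard exists: the answer must be synthesized upstream
        if not any(nsec_covers(r, wildcard) for r in self.records):
            return None
        return "NXDOMAIN"


# Constructed sample zone "example." with its NSEC chain in canonical order;
# sub.example. is a delegation point (NS without SOA).
SAMPLE = NegativeCache("example.", [
    NSEC("example.", "alpha.example.", frozenset({"SOA", "NS", "NSEC", "RRSIG"})),
    NSEC("alpha.example.", "delta.example.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("delta.example.", "sub.example.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("sub.example.", "example.", frozenset({"NS", "NSEC", "RRSIG"})),
])

if __name__ == "__main__":
    for q, cd in [("beta.example.", False), ("beta.example.", True),
                  ("foo.sub.example.", False), ("alpha.example.", False)]:
        print(q, "CD" if cd else "  ", SAMPLE.lookup(q, cd=cd))
```

Random names under the apex (`beta.example.`, `zz.example.`) are answered from the cache whether or not CD is set; names below the `sub.example.` delegation and names that exist fall through to an upstream query, since the cached chain cannot prove anything about them.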