Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
Peter van Dijk <peter.van.dijk@powerdns.com> Tue, 18 May 2021 17:26 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0D973A1A3E; Tue, 18 May 2021 10:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id antYmxVgipCL; Tue, 18 May 2021 10:26:21 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 068DB3A1A39; Tue, 18 May 2021 10:26:20 -0700 (PDT)
Received: from imap.open-xchange.com (imap.open-xchange.com [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPSA id 1DA426A0D9; Tue, 18 May 2021 19:26:17 +0200 (CEST)
Received: from plato ([84.81.54.175]) by imap.open-xchange.com with ESMTPSA id 4Vt/Brn4o2AmEgAA3c6Kzw (envelope-from <peter.van.dijk@powerdns.com>); Tue, 18 May 2021 19:26:17 +0200
Message-ID: <f2e4bceead9660d8f0b64724e6303c3e6deb7237.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: Robert Wilton <rwilton@cisco.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-nsec-ttl@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
Date: Tue, 18 May 2021 19:26:16 +0200
In-Reply-To: <162135024662.12090.17595940999634564709@ietfa.amsl.com>
References: <162135024662.12090.17595940999634564709@ietfa.amsl.com>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pMPe-KcbWUrFVcITCf3fmGk5ztY>
Subject: Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2021 17:26:26 -0000
Hello Rob, On Tue, 2021-05-18 at 08:04 -0700, Robert Wilton via Datatracker wrote: > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Hi, > > Thanks for this document. > > Regarding: > > 3.4. Updates to RFC8198 > > [RFC8198] section 5.4 (Consideration on TTL) is completely replaced > by the following text: > > | The TTL value of negative information is especially important, > | because newly added domain names cannot be used while the negative > | information is effective. > | > | Section 5 of [RFC2308] suggests a maximum default negative cache > | TTL value of 3 hours (10800). It is RECOMMENDED that validating > | resolvers limit the maximum effective TTL value of negative > | responses (NSEC/NSEC3 RRs) to this same value. > | > | A resolver that supports aggressive use of NSEC and NSEC3 MAY > | limit the TTL of NSEC and NSEC3 records to the lesser of the > | SOA.MINIMUM field and the TTL of the SOA in a response, if > | present. It MAY also use a previously cached SOA for a zone to > | find these values. > > I'm not a DNS expert, and this is just a non binding comment, but I was > wondering why it is only "MAY" limit the TTL on NSEC and NSEC3 records to the > lesser of the SOA.MINIMUM field and the TTL of the SOA in a response rather > than a "SHOULD". Thank you for your comment. The old text was this: > A resolver that supports aggressive use of NSEC and NSEC3 SHOULD reduce the TTL of NSEC and NSEC3 records to match the SOA.MINIMUM field in the authority section of a negative response, if SOA.MINIMUM is smaller. but this text did nothing (this is also noted in section 1 of the draft), as signers/authoritatives already took that TTL from the SOA.MINIMUM field - which this document corrects. Furthermore, during WG discussion we realised that in many cases, a validator handling NSEC/NSEC3 records would not have access to the relevant SOA at all - for example, in wildcard responses. 'SHOULD' is quite strong language for something that often is not even possible. And, finally, the MAY you ask about is behaviour that is only useful in validators until signers/authoritatives become compliant with this draft. It is a secondary measure (that the WG explicitly requested so as to attempt to solve the problem in multiple places) that should become irrelevant as signers (most of which already have software fixes pending, merged, or released) get upgraded. I hope this answers your question; please let me know if not. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/
- [DNSOP] Robert Wilton's No Objection on draft-iet… Robert Wilton via Datatracker
- Re: [DNSOP] Robert Wilton's No Objection on draft… Peter van Dijk
- Re: [DNSOP] Robert Wilton's No Objection on draft… Rob Wilton (rwilton)