Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl-03.txt
Matthijs Mekking <matthijs@pletterpet.nl> Wed, 10 February 2021 08:03 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D58023A0E09 for <dnsop@ietfa.amsl.com>; Wed, 10 Feb 2021 00:03:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level:
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WUWS0hwKJWwO for <dnsop@ietfa.amsl.com>; Wed, 10 Feb 2021 00:03:30 -0800 (PST)
Received: from lb1-smtp-cloud7.xs4all.net (lb1-smtp-cloud7.xs4all.net [194.109.24.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 200E33A0E08 for <dnsop@ietf.org>; Wed, 10 Feb 2021 00:03:29 -0800 (PST)
Received: from cust-69fe625f ([IPv6:fc0c:c103:c4a6:cf3c:d2f9:56fe:3f93:cb0b]) by smtp-cloud7.xs4all.net with ESMTPSA id 9kT5lxf6VzWq69kT6lRQ4o; Wed, 10 Feb 2021 09:03:25 +0100
To: dnsop@ietf.org
References: <161290187813.15742.11466954240139771085@ietfa.amsl.com> <d3fcfb5ff33d8c093e7073b1b5b44162b955677b.camel@powerdns.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <928c9223-4e70-650c-7aa9-1aeb8dfb33af@pletterpet.nl>
Date: Wed, 10 Feb 2021 09:03:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <d3fcfb5ff33d8c093e7073b1b5b44162b955677b.camel@powerdns.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4xfD5bMcvJrnH23L6gYd4xHTL+0ZqRroZlF2H+9lnBXxuxWamgb9iYaTw9KS5OGXe61833K1c4k4yTySEZWz+HqiZfCz5KvO4l86vJj3/3wxwFgdkanFPv 5FkiZbU501zsqMlvmJhTPJkvhdNco2MCTelvnC367saQ2qzFXpopNsv5q5+kVufKJwUfJ0wyiroyeF5huVuPQ3fUL1BpRJ4rBd86WDGADkSfF7qOVL0KaQBr pmXrMHeeDA5ZMZgqT0QlnA8CJ85VNrhbeR99hMbLCZU/3/anl3nrPILK5Eq152f5
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qSvSY9MFQ7U_BRA62GYHk8VyTug>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2021 08:03:33 -0000
Peter,
Personally I still think we shouldn't change these SHOULDs to MUSTs.
Quoting from RFC 2119:
1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the
definition is an absolute requirement of the specification.
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
I think the text you provided on incremental signers is such a valid
reason why we should use SHOULD here instead of MUST.
If the WG consensus is that this does need to change to a MUST then I
would like to request the following adaptations to the draft.
- The text should update the updates to include the exception. For
example:
| The TTL of the NSEC RR that is returned MUST be the lesser of the
| MINIMUM field of the SOA record and the TTL of the SOA itself.
| This matches the definition of the TTL for negative responses in
| [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a
| deviating value after the SOA record has been updated, to allow
| for an incremental update of the NSEC chain.
- There should be a reason provided in the document why these SHOULD
keywords are changed to a MUST.
Best regards,
Matthijs
On 09-02-2021 22:06, Peter van Dijk wrote:
> Hello dnsop,
>
> thank you to all who responded in the WGLC thread. After the discussion
> I felt I had nothing to ask or add, so instead, here is a draft
> revision that I feel addresses everything that was said.
>
> (Matthijs, this revision changes the requirements back to MUST as that
> feels like it more closely matches the majority opinion voiced, but I
> added a section allowing for the incremental signer situation - please
> let me know if this is workable for you.)
>
> My understanding of the discussion is that the document failed to
> address various assorted vagueness, and separations between developer
> and operator concerns, and role differences between signers,
> authoritatives and resolvers/validators, in the original documents.
> Paul Hoffman provided a bunch of text clarifying 'what goes where' so
> that this document can improve that situation, thanks Paul!
>
> Changes in this version, as listed in the Document History section:
>
> * document now updates resolver behaviour in 8198
> * lots of extra text to clarify what behaviour goes where (thanks Paul
> Hoffman)
> * replace 'any' with 'each' (thanks Duane)
> * upgraded requirement level to MUST, plus a note on incremental
> signers
>
> Your comments are, again, very much welcome.
>
> On Tue, 2021-02-09 at 12:17 -0800, internet-drafts@ietf.org wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Domain Name System Operations WG of the IETF.
>>
>> Title : NSEC and NSEC3 TTLs and NSEC Aggressive Use
>> Author : Peter van Dijk
>> Filename : draft-ietf-dnsop-nsec-ttl-03.txt
>> Pages : 9
>> Date : 2021-02-09
>>
>> Abstract:
>> Due to a combination of unfortunate wording in earlier documents,
>> aggressive use of NSEC and NSEC3 records may deny names far beyond
>> the intended lifetime of a denial. This document changes the
>> definition of the NSEC and NSEC3 TTL to correct that situation. This
>> document updates RFC 4034, RFC 4035, RFC 5155, and RFC 8198.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-ttl/
>>
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-dnsop-nsec-ttl-03.html
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-nsec-ttl-03
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>>
>
> Kind regards,
>
- [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl-03.… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl… Peter van Dijk
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl… Matthijs Mekking
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-ns… Paul Hoffman