Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
Peter van Dijk <peter.van.dijk@powerdns.com> Thu, 20 May 2021 08:04 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE9D33A1135; Thu, 20 May 2021 01:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.398, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 70CV9yCYP7eM; Thu, 20 May 2021 01:04:11 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD98E3A1133; Thu, 20 May 2021 01:04:10 -0700 (PDT)
Received: from imap.open-xchange.com (imap.open-xchange.com [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPSA id 056456A0D8; Thu, 20 May 2021 10:04:07 +0200 (CEST)
Received: from plato ([84.81.54.175]) by imap.open-xchange.com with ESMTPSA id aQ9/APcXpmA4JwAA3c6Kzw (envelope-from <peter.van.dijk@powerdns.com>); Thu, 20 May 2021 10:04:07 +0200
Message-ID: <5490506fc198f15f2dcebc9226097e7b5464a083.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-nsec-ttl@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
Date: Thu, 20 May 2021 10:04:06 +0200
In-Reply-To: <1d677ffc5047a96f6e9e903185f3c08a12f3481c.camel@powerdns.com>
References: <162139538526.17414.5467676975353511221@ietfa.amsl.com> <1d677ffc5047a96f6e9e903185f3c08a12f3481c.camel@powerdns.com>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sCqxK6gfP4tA92gPmUQMOb60CFE>
Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2021 08:04:16 -0000
On Wed, 2021-05-19 at 12:28 +0200, Peter van Dijk wrote: > Hello Benjamin, > > On Tue, 2021-05-18 at 20:36 -0700, Benjamin Kaduk via Datatracker > wrote: > > I don't think I understand what a "deviating value" would be (and in > > which direction it would deviate). > > This sentence was added because some implementations may need time to > rework the whole NSEC/NSEC3 chain after a TTL change. The deviation > would be 'part of the chain still has the old, wrong, value - for a > while'. I'll ponder better words - suggestions are very welcome, of > course. I took Job's text for this, thanks Job! > > Section 4 > > > > If signers & DNS servers for a zone cannot immediately be updated to > > conform to this document, zone operators are encouraged to consider > > setting their SOA record TTL and the SOA MINIMUM field to the same > > value. That way, the TTL used for aggressive NSEC and NSEC3 use > > matches the SOA TTL for negative responses. > > > > Are there any negative consequences of such a move that would need to be > > weighed against the stated benefits? > > Signers might use either value (the SOA TTL or the SOA MINIMUM) as a > default for some other value. For example, PowerDNS uses the SOA > MINIMUM value as the TTL for DNSKEYs. So, lowering the SOA MINIMUM > would also lower the DNSKEY TTL (in PowerDNS). > > A quick skim of the BIND dnssec-keygen manual page suggests that BIND > might sometimes take the SOA TTL as the DNSKEY TTL. > > So, yes, there might be consequences. I will add a note. I have now added this: > Note that some signers might use the SOA TTL or MINIMUM as a default for other values, like the TTL for DNSKEY records. Operators should consult documentation before changing values. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/
- [DNSOP] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Peter van Dijk
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Job Snijders
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Peter van Dijk