Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-nsec-ttl-03.txt
Paul Hoffman <paul.hoffman@icann.org> Wed, 10 February 2021 15:58 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82FA73A0E4A for <dnsop@ietfa.amsl.com>; Wed, 10 Feb 2021 07:58:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WPXMXowRENXL for <dnsop@ietfa.amsl.com>; Wed, 10 Feb 2021 07:58:28 -0800 (PST)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95D103A0E49 for <dnsop@ietf.org>; Wed, 10 Feb 2021 07:58:28 -0800 (PST)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa4.dc.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 11AFwM1h004899 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 Feb 2021 15:58:22 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.721.2; Wed, 10 Feb 2021 07:58:21 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0721.006; Wed, 10 Feb 2021 07:58:21 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Matthijs Mekking <matthijs@pletterpet.nl>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl-03.txt
Thread-Index: AQHW/8WN8J0tPYtv8k+3JO/uMOwrUw==
Date: Wed, 10 Feb 2021 15:58:20 +0000
Message-ID: <314FA0C9-D695-46C6-8A1B-F4CEACDA615D@icann.org>
References: <161290187813.15742.11466954240139771085@ietfa.amsl.com> <d3fcfb5ff33d8c093e7073b1b5b44162b955677b.camel@powerdns.com> <928c9223-4e70-650c-7aa9-1aeb8dfb33af@pletterpet.nl>
In-Reply-To: <928c9223-4e70-650c-7aa9-1aeb8dfb33af@pletterpet.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_4F10D319-8982-4887-A4FD-60F58CA2BB8C"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.737 definitions=2021-02-10_06:2021-02-10, 2021-02-10 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sy1q9L2KYpzAlM7KjrMj4dUJ28I>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-nsec-ttl-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2021 15:58:31 -0000
On Feb 10, 2021, at 12:03 AM, Matthijs Mekking <matthijs@pletterpet.nl> wrote: > > Personally I still think we shouldn't change these SHOULDs to MUSTs. Quoting from RFC 2119: > > 1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the > definition is an absolute requirement of the specification. > > 3. SHOULD This word, or the adjective "RECOMMENDED", mean that there > may exist valid reasons in particular circumstances to ignore a > particular item, but the full implications must be understood and > carefully weighed before choosing a different course. > > I think the text you provided on incremental signers is such a valid reason why we should use SHOULD here instead of MUST. > > If the WG consensus is that this does need to change to a MUST then I would like to request the following adaptations to the draft. > > - The text should update the updates to include the exception. For > example: > > | The TTL of the NSEC RR that is returned MUST be the lesser of the > | MINIMUM field of the SOA record and the TTL of the SOA itself. > | This matches the definition of the TTL for negative responses in > | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a > | deviating value after the SOA record has been updated, to allow > | for an incremental update of the NSEC chain. > > - There should be a reason provided in the document why these SHOULD > keywords are changed to a MUST. The new wording in each of the SHOULD-to-MUST change seems fine, even if repetitive. It is good to put clarifying text near the source. The SHOULD was changed to MUST for interoperability. That is, a resolver would not know whether this auth server was following the wiggly part of the spec without evaluating every response. The fact that the earlier documents used SHOULD without any qualification was a mistake, and we don't have to rub those authors' noses in it. --Paul Hoffman
- [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl-03.… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl… Peter van Dijk
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-ttl… Matthijs Mekking
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-ns… Paul Hoffman