Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance

Wes Hardaker <wjhns1@hardakers.net> Fri, 21 May 2021 16:01 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: Tony Finch <dot@dotat.at>
Cc: Wes Hardaker <wjhns1@hardakers.net>, Vladimír Čunát <vladimir.cunat+ietf@nic.cz>, DNSOP Working Group <dnsop@ietf.org>
References: <bfaa3ab3-3d96-dcec-a175-5803de03d852@NLnetLabs.nl> <eb62e04b-2511-ac14-b2e1-c29eab64acfc@nic.cz> <yblwns5ckje.fsf@w7.hardakers.net> <d72220fe-8a6b-d8e6-8b3-1749faddb4fb@dotat.at>
Date: Fri, 21 May 2021 09:01:13 -0700
In-Reply-To: <d72220fe-8a6b-d8e6-8b3-1749faddb4fb@dotat.at> (Tony Finch's message of "Tue, 11 May 2021 22:33:44 +0100")
Message-ID: <ybl1ra0axfa.fsf@w7.hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ubOd05q4q1laoD7Xv1p1g1MserU>

Tony Finch <dot@dotat.at> writes:

> The draft is operational advice, so I think the relevant advice here is
> that if you are signing your zone with sloooow NSEC3 parameters, make sure
> your secondaries are willing to serve such a zone first.

[this is sort of unrelated to the call for adoption, but is good discussion
about future text]

So, what guidance do we want to insert?

We have two potential pieces of guidance to include: guidance for primaries and
guidance for secondaries.  Maybe something like (better wordsmithing
needed still):

Operators of secondary services should advertise the parameter caps
their servers will support. Primaries need to ensure that secondaries
support the NSEC3 parameters they expect to use in their zones.
Primaries, after changing parameters, should query their secondaries
with appropriate known non-existent queries to verify the secondary
servers are responding as expected.

-- 
Wes Hardaker
USC/ISI
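As an added example (not from the draft or from Wes's message), a check a primary operator could run after changing NSEC3 parameters, as the last sentence of the proposed text suggests: take `dig +dnssec` output from each secondary for a name known not to exist and confirm that the response is NXDOMAIN and that every NSEC3 record carries the expected hash algorithm, flags, iterations and salt. `query_secondary`, `check_nxdomain_response` and the two sample responses are my own constructions, not real captures.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Nsec3Params:
    """NSEC3 parameters in NSEC3PARAM order: hash algorithm, flags, iterations, salt."""
    algorithm: int
    flags: int
    iterations: int
    salt: str  # hex salt, or "-" for no salt

    @classmethod
    def from_presentation(cls, rdata: str) -> "Nsec3Params":
        # NSEC3PARAM rdata in presentation format, e.g. "1 0 0 -"
        alg, flags, iters, salt = rdata.split()[:4]
        return cls(int(alg), int(flags), int(iters), salt.upper())

STATUS_RE = re.compile(r"status: (\w+)")
# owner TTL IN NSEC3 <alg> <flags> <iterations> <salt> <next-hash> <types...>
NSEC3_RE = re.compile(r"^\S+\s+\d+\s+IN\s+NSEC3\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.M)

def check_nxdomain_response(dig_output: str, expected: Nsec3Params) -> List[str]:
    """Problems found in a dig response for a name known not to exist ([] = OK)."""
    problems = []
    status = STATUS_RE.search(dig_output)
    if not status or status.group(1) != "NXDOMAIN":
        problems.append(f"expected NXDOMAIN, got {status.group(1) if status else 'no status'}")
    records = NSEC3_RE.findall(dig_output)
    if not records:
        problems.append("no NSEC3 records in response")
    for alg, flags, iters, salt in records:
        got = Nsec3Params(int(alg), int(flags), int(iters), salt.upper())
        if got != expected:
            problems.append(f"NSEC3 parameters {got} differ from expected {expected}")
    return problems

def query_secondary(server: str, name: str) -> str:
    """Ask one secondary directly (no recursion) for a known-nonexistent name; needs dig."""
    cmd = ["dig", "+dnssec", "+norecurse", f"@{server}", name, "A"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed dig output (not a real capture): a secondary already serving "1 0 0 -".
GOOD_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
2VPTU5TIMAMQTTGL4LUU9KG21E0AOR3S.example.com. 3600 IN NSEC3 1 0 0 - 3RL2QTJCCDQ31EH6C7AIK0RA5D7P6S2Q NS SOA RRSIG DNSKEY NSEC3PARAM
"""
# Constructed: a secondary still serving the old parameters (10 iterations, a salt).
STALE_RESPONSE = GOOD_RESPONSE.replace("NSEC3 1 0 0 -", "NSEC3 1 0 10 AABBCCDD")
```

In practice the expected parameters come from the primary's own NSEC3PARAM record, and the check is run against every listed secondary until each returns an empty problem list.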