IETF Logo Mail Archive

Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Wed, 19 May 2021 15:58 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B74E13A15AB; Wed, 19 May 2021 08:58:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ML2eIjXf58NC; Wed, 19 May 2021 08:58:26 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D06843A15AA; Wed, 19 May 2021 08:58:25 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 14JFwGaA026538 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 19 May 2021 11:58:21 -0400
Date: Wed, 19 May 2021 08:58:15 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Job Snijders <job@fastly.com>
Cc: Peter van Dijk <peter.van.dijk@powerdns.com>, The IESG <iesg@ietf.org>, tjw.ietf@gmail.com, dnsop@ietf.org, dnsop-chairs@ietf.org, draft-ietf-dnsop-nsec-ttl@ietf.org
Message-ID: <20210519155815.GJ32395@kduck.mit.edu>
References: <162139538526.17414.5467676975353511221@ietfa.amsl.com> <1d677ffc5047a96f6e9e903185f3c08a12f3481c.camel@powerdns.com> <YKTyI++5tDMek+w3@snel>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <YKTyI++5tDMek+w3@snel>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vjjaJXi55LJYxiNyJAx1YrXvXAQ>
Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 15:58:29 -0000

Thanks, Job -- that looks better than anything I would have come up with!

-Ben

On Wed, May 19, 2021 at 01:10:27PM +0200, Job Snijders wrote:
> On Wed, May 19, 2021 at 12:28:16PM +0200, Peter van Dijk wrote:
> > > Section 3.1, etc.
> > > 
> > > |  The TTL of the NSEC RR that is returned MUST be the lesser of the
> > > |  MINIMUM field of the SOA record and the TTL of the SOA itself.
> > > |  This matches the definition of the TTL for negative responses in
> > > |  [RFC2308].  A signer MAY cause the TTL of the NSEC RR to have a
> > > |  deviating value after the SOA record has been updated, to allow
> > > |  for an incremental update of the NSEC chain.
> > > 
> > > I don't think I understand what a "deviating value" would be (and in
> > > which direction it would deviate).
> > 
> > This sentence was added because some implementations may need time to
> > rework the whole NSEC/NSEC3 chain after a TTL change. The deviation
> > would be 'part of the chain still has the old, wrong, value - for a
> > while'. I'll ponder better words - suggestions are very welcome, of
> > course.
> 
> Perhaps:
> 
> 	Because some signers incrementally update the NSEC chain, a transient
> 	inconsistency between the observed and expected TTL MAY exist.
> 
> Kind regards,
> 
> Job

v2.23.0 | Report a Bug | By Email