Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Wed, 19 May 2021 15:58 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B74E13A15AB; Wed, 19 May 2021 08:58:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ML2eIjXf58NC; Wed, 19 May 2021 08:58:26 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D06843A15AA; Wed, 19 May 2021 08:58:25 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 14JFwGaA026538 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 19 May 2021 11:58:21 -0400
Date: Wed, 19 May 2021 08:58:15 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Job Snijders <job@fastly.com>
Cc: Peter van Dijk <peter.van.dijk@powerdns.com>, The IESG <iesg@ietf.org>, tjw.ietf@gmail.com, dnsop@ietf.org, dnsop-chairs@ietf.org, draft-ietf-dnsop-nsec-ttl@ietf.org
Message-ID: <20210519155815.GJ32395@kduck.mit.edu>
References: <162139538526.17414.5467676975353511221@ietfa.amsl.com> <1d677ffc5047a96f6e9e903185f3c08a12f3481c.camel@powerdns.com> <YKTyI++5tDMek+w3@snel>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <YKTyI++5tDMek+w3@snel>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vjjaJXi55LJYxiNyJAx1YrXvXAQ>
Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 15:58:29 -0000
Thanks, Job -- that looks better than anything I would have come up with! -Ben On Wed, May 19, 2021 at 01:10:27PM +0200, Job Snijders wrote: > On Wed, May 19, 2021 at 12:28:16PM +0200, Peter van Dijk wrote: > > > Section 3.1, etc. > > > > > > | The TTL of the NSEC RR that is returned MUST be the lesser of the > > > | MINIMUM field of the SOA record and the TTL of the SOA itself. > > > | This matches the definition of the TTL for negative responses in > > > | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a > > > | deviating value after the SOA record has been updated, to allow > > > | for an incremental update of the NSEC chain. > > > > > > I don't think I understand what a "deviating value" would be (and in > > > which direction it would deviate). > > > > This sentence was added because some implementations may need time to > > rework the whole NSEC/NSEC3 chain after a TTL change. The deviation > > would be 'part of the chain still has the old, wrong, value - for a > > while'. I'll ponder better words - suggestions are very welcome, of > > course. > > Perhaps: > > Because some signers incrementally update the NSEC chain, a transient > inconsistency between the observed and expected TTL MAY exist. > > Kind regards, > > Job
- [DNSOP] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Peter van Dijk
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Job Snijders
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Peter van Dijk