Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

fujiwara@jprs.co.jp Wed, 15 July 2015 11:02 UTC

Return-Path: <fujiwara@jprs.co.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EF6A1A1BA7 for <dnsop@ietfa.amsl.com>; Wed, 15 Jul 2015 04:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.598
X-Spam-Level:
X-Spam-Status: No, score=0.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8USN-ceQWPGm for <dnsop@ietfa.amsl.com>; Wed, 15 Jul 2015 04:02:11 -0700 (PDT)
Received: from off-send01.osa.jprs.co.jp (off-send01.osa.jprs.co.jp [IPv6:2001:218:3001:17::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED6E11A1B92 for <dnsop@ietf.org>; Wed, 15 Jul 2015 04:02:10 -0700 (PDT)
Received: from off-sendsmg01.osa.jprs.co.jp (off-sendsmg01.osa.jprs.co.jp [172.23.8.61]) by off-send01.osa.jprs.co.jp (8.14.4/8.14.4) with ESMTP id t6FB28Ui024273; Wed, 15 Jul 2015 20:02:08 +0900
Received: from off-sendsmg01.osa.jprs.co.jp (localhost [127.0.0.1]) by postfix.imss71 (Postfix) with ESMTP id BC971180083; Wed, 15 Jul 2015 20:02:07 +0900 (JST)
Received: from localhost (off-cpu04.osa.jprs.co.jp [172.23.4.14]) by off-sendsmg01.osa.jprs.co.jp (Postfix) with ESMTP id B192718005E; Wed, 15 Jul 2015 20:02:07 +0900 (JST)
Date: Wed, 15 Jul 2015 20:02:07 +0900
Message-Id: <20150715.200207.27803260.fujiwara@jprs.co.jp>
To: jinmei@wide.ad.jp
From: fujiwara@jprs.co.jp
In-Reply-To: <CAJE_bqcRQH0WGTaLqtMSuiOty4KHe9nN6T-wmqf3x_ohuA6TcA@mail.gmail.com> <CAHPuVdU-1e_7KPH9JdSvbPn-tYptaXbHrQvQz=UEv+QJdseJxw@mail.gmail.com> <20150714030318.6BEFF32DCCE5@rock.dv.isc.org>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <20150707.182043.193693838.fujiwara@jprs.co.jp> <CAJE_bqcRQH0WGTaLqtMSuiOty4KHe9nN6T-wmqf3x_ohuA6TcA@mail.gmail.com>
X-Mailer: Mew version 6.5 on Emacs 22.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1690-8.0.0.1202-21678.006
X-TM-AS-Result: No--13.592-5.0-31-10
X-imss-scan-details: No--13.592-5.0-31-10
X-TMASE-MatchedRID: vwD78yC1kfRCXIGdsOwlUu5i6weAmSDKZggZX8gYmrWObf10apLcSSj5 3aEB5qDL7olUPK2npLTp5qJ3W6NwuAi0xaFtKyGqlTsGW3DmpUvL0ev0kxsIkw4NiVSCmfj5ow4 qenOOdUgv3GrRBtnu7n05BAhGyIccF8HvX707rXPQEsUfNGZ1Dvn94Go09nBsDYbe/PyX8gQ9WM jlh3FgOAPgAoOweUzo1tea4cVGihfFvZkHJO4cD5HE/ptzIwvx31t0zkBKaEzaqqH/oHw+kebGU 8GB3wTOkS6tspaeujn3t55IvXUDD/wHKYYD0xYCKWuiyZLRI4CT1q2IRL32nTRbWV7QS575o8WM kQWv6iUD0yuKrQIMCEIhOWyY9/MAz/zMrlZU/wtLSJIbrHIhlz5ZVPWbQwzPIAcCikR3vq+IyBN R3umLH6Fiz5NJmzqlbyyJA8xgTtWfskolQMKmpDAGM8b2C8RI
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/y-_swzJ2OtTDoxGTzKpNijdUIiA>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 11:02:12 -0000

Thanks to Jinmei, Shumon and Mark.

> From: 神明達哉 <jinmei@wide.ad.jp>
> While I see what it tries to say and don't disagree with it, I think
> this is not very accurate.  In fact, NXDOMAIN for "a.example.com" says
> there is no such name *or any subdomain of it*.  So it would still be
> usable to suppress unnecessary external query for, e.g.,
> foo.a.example.com.

I will add some text in next revision.

> From: Shumon Huque <shuque@gmail.com>
> That's indeed the literal meaning of NXDOMAIN, but it turns out most
> current resolver implementations don't treat it that way. The wording in
> RFC2308, Section 5 is not entirely precise, but it seems to say that
> negative answers should be cached only for the exact qname, and not
> (necessarily) for anything below it.

> From: Mark Andrews <marka@isc.org>
> Because the consensus at the time was not to support nxdomain
> synthesis from signed zone (speaketh the author of RFC 2308).

I will add texts to update RFC 2308.

> Extreme care needs to be taken with nxdomain synthesis. You need
> to choose the correct NSEC records especially for qnames which are
> the subdomain of the NSEC owner name.  The NS bit MUST NOT be set
> in this case as the presence of the NS bit indicates a delegation.
> 
> NSEC3 is even more complicted.

YES.

> DLV is only defined to use NSEC signed zones as I wasn't interested
> in having to working out all the rules for NSEC3.

I think the procedure is the same as NSEC3 validation.

# and qname minimization discussion is interesting.
# It may be listed in draft-ietf-dnsop-root-loopback 
# as a different approach.

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>