Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
fujiwara@jprs.co.jp Wed, 15 July 2015 11:02 UTC
Return-Path: <fujiwara@jprs.co.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EF6A1A1BA7 for <dnsop@ietfa.amsl.com>; Wed, 15 Jul 2015 04:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.598
X-Spam-Level:
X-Spam-Status: No, score=0.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8USN-ceQWPGm for <dnsop@ietfa.amsl.com>; Wed, 15 Jul 2015 04:02:11 -0700 (PDT)
Received: from off-send01.osa.jprs.co.jp (off-send01.osa.jprs.co.jp [IPv6:2001:218:3001:17::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED6E11A1B92 for <dnsop@ietf.org>; Wed, 15 Jul 2015 04:02:10 -0700 (PDT)
Received: from off-sendsmg01.osa.jprs.co.jp (off-sendsmg01.osa.jprs.co.jp [172.23.8.61]) by off-send01.osa.jprs.co.jp (8.14.4/8.14.4) with ESMTP id t6FB28Ui024273; Wed, 15 Jul 2015 20:02:08 +0900
Received: from off-sendsmg01.osa.jprs.co.jp (localhost [127.0.0.1]) by postfix.imss71 (Postfix) with ESMTP id BC971180083; Wed, 15 Jul 2015 20:02:07 +0900 (JST)
Received: from localhost (off-cpu04.osa.jprs.co.jp [172.23.4.14]) by off-sendsmg01.osa.jprs.co.jp (Postfix) with ESMTP id B192718005E; Wed, 15 Jul 2015 20:02:07 +0900 (JST)
Date: Wed, 15 Jul 2015 20:02:07 +0900
Message-Id: <20150715.200207.27803260.fujiwara@jprs.co.jp>
To: jinmei@wide.ad.jp
From: fujiwara@jprs.co.jp
In-Reply-To: <CAJE_bqcRQH0WGTaLqtMSuiOty4KHe9nN6T-wmqf3x_ohuA6TcA@mail.gmail.com> <CAHPuVdU-1e_7KPH9JdSvbPn-tYptaXbHrQvQz=UEv+QJdseJxw@mail.gmail.com> <20150714030318.6BEFF32DCCE5@rock.dv.isc.org>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <20150707.182043.193693838.fujiwara@jprs.co.jp> <CAJE_bqcRQH0WGTaLqtMSuiOty4KHe9nN6T-wmqf3x_ohuA6TcA@mail.gmail.com>
X-Mailer: Mew version 6.5 on Emacs 22.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1690-8.0.0.1202-21678.006
X-TM-AS-Result: No--13.592-5.0-31-10
X-imss-scan-details: No--13.592-5.0-31-10
X-TMASE-MatchedRID: vwD78yC1kfRCXIGdsOwlUu5i6weAmSDKZggZX8gYmrWObf10apLcSSj5 3aEB5qDL7olUPK2npLTp5qJ3W6NwuAi0xaFtKyGqlTsGW3DmpUvL0ev0kxsIkw4NiVSCmfj5ow4 qenOOdUgv3GrRBtnu7n05BAhGyIccF8HvX707rXPQEsUfNGZ1Dvn94Go09nBsDYbe/PyX8gQ9WM jlh3FgOAPgAoOweUzo1tea4cVGihfFvZkHJO4cD5HE/ptzIwvx31t0zkBKaEzaqqH/oHw+kebGU 8GB3wTOkS6tspaeujn3t55IvXUDD/wHKYYD0xYCKWuiyZLRI4CT1q2IRL32nTRbWV7QS575o8WM kQWv6iUD0yuKrQIMCEIhOWyY9/MAz/zMrlZU/wtLSJIbrHIhlz5ZVPWbQwzPIAcCikR3vq+IyBN R3umLH6Fiz5NJmzqlbyyJA8xgTtWfskolQMKmpDAGM8b2C8RI
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/y-_swzJ2OtTDoxGTzKpNijdUIiA>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 11:02:12 -0000
Thanks to Jinmei, Shumon and Mark. > From: 神明達哉 <jinmei@wide.ad.jp> > While I see what it tries to say and don't disagree with it, I think > this is not very accurate. In fact, NXDOMAIN for "a.example.com" says > there is no such name *or any subdomain of it*. So it would still be > usable to suppress unnecessary external query for, e.g., > foo.a.example.com. I will add some text in next revision. > From: Shumon Huque <shuque@gmail.com> > That's indeed the literal meaning of NXDOMAIN, but it turns out most > current resolver implementations don't treat it that way. The wording in > RFC2308, Section 5 is not entirely precise, but it seems to say that > negative answers should be cached only for the exact qname, and not > (necessarily) for anything below it. > From: Mark Andrews <marka@isc.org> > Because the consensus at the time was not to support nxdomain > synthesis from signed zone (speaketh the author of RFC 2308). I will add texts to update RFC 2308. > Extreme care needs to be taken with nxdomain synthesis. You need > to choose the correct NSEC records especially for qnames which are > the subdomain of the NSEC owner name. The NS bit MUST NOT be set > in this case as the presence of the NS bit indicates a delegation. > > NSEC3 is even more complicted. YES. > DLV is only defined to use NSEC signed zones as I wasn't interested > in having to working out all the rules for NSEC3. I think the procedure is the same as NSEC3 validation. # and qname minimization discussion is interesting. # It may be listed in draft-ietf-dnsop-root-loopback # as a different approach. -- Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
- [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-0… fujiwara
- [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-0… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Bob Harold
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Casey Deccio
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Stephane Bortzmeyer
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… P Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Stephane Bortzmeyer
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Paul Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Roy Arends
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Roy Arends
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Evan Hunt
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Tim Wicinski
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Viktor Dukhovni
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Paul Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque