Re: [DNSOP] Working Group Last Call [draft-ietf-dnsop-nsec-aggressiveuse]

Matthijs Mekking <matthijs@pletterpet.nl> Tue, 04 October 2016 11:35 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDB4412981A for <dnsop@ietfa.amsl.com>; Tue, 4 Oct 2016 04:35:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8o_r8h5S5fFP for <dnsop@ietfa.amsl.com>; Tue, 4 Oct 2016 04:35:39 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4CB4129814 for <dnsop@ietf.org>; Tue, 4 Oct 2016 04:35:38 -0700 (PDT)
Received: from [172.19.128.42] (vpn-10-mht.dyndns.com [216.146.45.33]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id F1C67B7F4 for <dnsop@ietf.org>; Tue, 4 Oct 2016 13:35:34 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: dnsop@ietf.org
References: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com> <20160925170411.GB14945@laperouse.bortzmeyer.org>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <62f353a5-4ac2-7c83-f0ed-987176d7a5dd@pletterpet.nl>
Date: Tue, 4 Oct 2016 13:35:32 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <20160925170411.GB14945@laperouse.bortzmeyer.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yKgHCySagJI728THymm9w3LzYbg>
Subject: Re: [DNSOP] Working Group Last Call [draft-ietf-dnsop-nsec-aggressiveuse]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Oct 2016 11:35:42 -0000

Hi,

On 25-09-16 19:04, Stephane Bortzmeyer wrote:
> On Thu, Sep 22, 2016 at 08:19:17AM -0400,
>  Tim Wicinski <tjw.ietf@gmail.com> wrote
>  a message of 31 lines which said:
>
>> This starts a Working Group Last Call for:
>> 	"Aggressive use of NSEC/NSEC3"
>>       draft-ietf-dnsop-nsec-aggressiveuse
>
> I like the basic idea and I think the document is good but I would not
> like it to be published as it is (-02).
>
> My biggest concern is that it seems the original idea was to mention
> only the synthesis of _negative_ replies (NXDOMAIN), _positive_
> replies (synthesis from a wildcard) were mentioned for a long time in
> the draft but never fully integrated. Section 7 mentions this
> synthesis of positive answers but, for instance, the abstract, the
> section 1, section 3, the first paragraph of section 5.5, and the
> first paragraph of section 9 do not mention the positive answers, but
> they should (they seem to assume that only negative caching matters).
>
> Either we need to match the document to put the synthesis of negative
> and positive answers on an equal footing, or we should delete the
> synthesis of positive answers from wildcards.

I agree with Stephane here, although I think it can be easily fixed by 
saying "Aggressive use of negative caching", since to give out the 
positive answers (wildcard responses) aggressively, also applies to the 
negative cache. Perhaps in the introduction mention it explicitly.


> Related to this issue is the fact that the proposed updated text for
> RFC 4035 is not the same in section 5.1 and in section 7...
>
> Another concern is section 9 which says "Aggressive use of NSEC /
> NSEC3 resource records without DNSSEC validation may cause security
> problems.  It is highly recommended to apply DNSSEC validation." Not
> only it fails to use RFC 2119 but allowing NXDOMAIN synthesis without
> DNSSEC validation seems dangerous. Why not a MUST instead of the
> current "informal SHOULD"?

+1

Best regards,
   Matthijs



> Details
> *******
>
> IMHO, it should say from the beginning that this document is only for
> validating resolvers. (It is not in section 1, for instance.)
>
> Editorial
> *********
>
> Section 1 says "This document updates RFC 4035 to allow recursive
> resolvers to use NSEC/NSEC3 resource records to aggressively cache
> negative answers."  It would be more descriptive, IMHO, to say "This
> document updates RFC 4035 to allow recursive resolvers to use
> NSEC/NSEC3 resource records to synthetize negative answers from the
> information they have in the cache." (It is an aggressive use of the
> cache, not aggressive caching.)
>
> Bikeshedding
> ************
>
> Section 5.2 says "Implementations SHOULD provide a configuration switch to disable
> aggressive use of NSEC and allow it to be enabled or disabled per
> domain." Such as switch (the per-domain one) seems costly and I would
> prefer a MAY here.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>