Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Aggressive Use' (New Version Notification for draft-vandijk-dnsop-nsec-ttl-00.txt)
Peter van Dijk <peter.van.dijk@powerdns.com> Wed, 13 January 2021 09:28 UTC
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29DAB3A09DE for <dnsop@ietfa.amsl.com>; Wed, 13 Jan 2021 01:28:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.009, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qUDKJ4WADTVM for <dnsop@ietfa.amsl.com>; Wed, 13 Jan 2021 01:28:51 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A83C3A09D7 for <dnsop@ietf.org>; Wed, 13 Jan 2021 01:28:51 -0800 (PST)
Received: from imap.open-xchange.com (imap.open-xchange.com [84.81.54.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx4.open-xchange.com (Postfix) with ESMTPSA id 60CE66A279; Wed, 13 Jan 2021 10:28:49 +0100 (CET)
Received: from plato ([84.81.54.175]) by imap.open-xchange.com with ESMTPSA id WAGoFlG9/l+IHQAA3c6Kzw (envelope-from <peter.van.dijk@powerdns.com>); Wed, 13 Jan 2021 10:28:49 +0100
Message-ID: <60a04fe44e56d68b3686a661c5bf233f6feb0641.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Wed, 13 Jan 2021 10:28:48 +0100
In-Reply-To: <6db6b3e464f9ba99d8a24ce0ad66ad8ea25b36cc.camel@powerdns.com>
References: <160616178406.24526.15858981444327414727@ietfa.amsl.com> <ca6217f45a8b3be86fb62f4967a342bb50b241a0.camel@powerdns.com> <bf61d356-0e9b-6b42-3ee2-9420be0d1460@nic.cz> <bbd6c5d2866abcff6617e09c9a4e3ab319cc096a.camel@powerdns.com> <0cbcea9e-b55b-5fc5-8dbc-53a3e5af4612@nic.cz> <6db6b3e464f9ba99d8a24ce0ad66ad8ea25b36cc.camel@powerdns.com>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/z34_Vib9NX68bAXKCLBAEbm5X_k>
Subject: Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Aggressive Use' (New Version Notification for draft-vandijk-dnsop-nsec-ttl-00.txt)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2021 09:28:53 -0000
On Wed, 2021-01-13 at 10:21 +0100, Peter van Dijk wrote: > On Fri, 2021-01-08 at 11:33 +0100, Vladimír Čunát wrote: > > Well, if the client requests the proof (+dnssec), you have to include > > those NSEC*s and I'd consider it incorrect to prolong their TTL. I'd be > > surprised if someone chose that lack of +dnssec could change this TTL > > behavior, except for implementations without DNSSEC support. At least > > that's _my_ understanding of the current RFCs (even before > > DNSSEC-aggressive caching). > > Ah yes, now I get it. The impact of NSEC TTL on wildcard validity is > not really something that 8198 did, or that this document does. This > document does, of course, change that TTL for some setups. I was wrong, 8198 says this: | Once the records are validated, DNSSEC-enabled validating | | resolvers SHOULD use wildcards and NSEC/NSEC3 resource records | | to generate positive and negative responses until the | | effective TTLs or signatures for those records expire. 4035 only vaguely hints at it. So, a correct implementation of 8198 would get the TTLs right, but an implementer that only read other documents might not realise that they should only keep the wildcard around as long as the proof is valid - even though it is obvious once you think about it :-) That all said, I now no longer think we need to do a whole update/clarification thing on this, but I will add a note to my document saying that changing the NSEC TTL might affect wildcards, as you requested earlier. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/
- [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Aggress… Peter van Dijk
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Peter van Dijk
- Re: [DNSOP] [Ext] new draft: 'NSEC(3) TTLs and NS… Paul Hoffman
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Tim Wicinski
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Vladimír Čunát
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Matthijs Mekking
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Peter van Dijk
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Peter van Dijk
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Vladimír Čunát
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Peter van Dijk
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Peter van Dijk
- Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Agg… Vladimír Čunát