Re: [DNSOP] Working Group Last Call on "Aggressive use of NSEC/NSEC3"

Matthijs Mekking <matthijs@pletterpet.nl> Fri, 07 October 2016 17:15 UTC

To: Warren Kumari <warren@kumari.net>
References: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com> <20160922150453.93721.qmail@ary.lan> <CAHw9_iKFOn9KGNV0jh1cHPdJWEoqFH_OygHGtsgk=ow+J1eh_w@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <1221861e-5d1b-49df-cf49-254fce6b6c49@pletterpet.nl>
Date: Fri, 07 Oct 2016 19:14:52 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAHw9_iKFOn9KGNV0jh1cHPdJWEoqFH_OygHGtsgk=ow+J1eh_w@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zSnu6plSuuQVlipmud5f7wAAGq8>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call on "Aggressive use of NSEC/NSEC3"

Warren,

On 04-10-16 18:56, Warren Kumari wrote:
> On Thu, Sep 22, 2016 at 11:04 AM, John Levine <johnl@taugh.com> wrote:
>>> Please review the draft and offer relevant comments. Also, if someone
>>> feels the document is *not* ready for publication, please speak out with
>>> your reasons.
>>
>> I think it's ready to publish with one small caveat.  In section 5.1,
>> the text in the box says "resolvers MAY use NSEC/NSEC3 resource
>> records" and the text in the next paragraph says "the resolver SHOULD
>> use NSEC/NSEC3/wildcard records".  There's a similar MAY in the box in
>> section 7.
>>
>> The authors SHOULD make up their minds.  Assuming they really believe
>> this is a good idea, change the MAY's to SHOULD.
>
> Doh. Thanks.
> This was simply sloppiness on my part.
>
> (my editor shows pre-formatted / figure text on a yellow background,
> and my eyes now assume that that is protocol layout, so I skip over
> it :-)).
> Fixed and pushed to repo in
> https://github.com/wkumari/draft-ietf-dnsop-nsec-aggressiveuse/tree/12b2d9d46a50502e20d33cfa8f2db89ccb6dadff
> - will publish new version with these integrated soon.

To summarize my things:

1. Inconsistent SHOULD and MAY.
2. Get rid of RFC 2119 keywords for configuration recommendations.
3. Reference for "currently around 65% of queries to Root Name servers result in NXDOMAIN responses." (and replace currently with "at the time of writing")
4. The PR
5. Rewording sections 5.2 and 5.3 by either a repeating exercise (see suggested text), or cross-referencing (see Tony's mail).

I think points 2, 3, and 5 were not yet addressed.

Best regards,
   Matthijs



>
> W
>
>> R's,
>> John
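The draft under last call here lets a validating resolver answer a query from NSEC records it already holds in cache instead of sending it upstream, which is why the 65% figure for NXDOMAIN at the root matters to it. As an added example that is not part of this thread or of the draft's text, the Python below implements the check that decision rests on: RFC 4034 section 6.1 canonical name ordering, and whether a cached NSEC covers a queried name, including the wrap-around of the zone's last NSEC and the delegation-point case (RFC 4035 section 5.4) where an NSEC must not be used to deny names below the cut. The zone name, NSEC records and queries are constructed sample data; the wildcard proof the draft also requires before an NXDOMAIN may be synthesized is not shown.

```python
# Added example, not code from the thread or the draft it discusses.
# Implements the covering check a validating resolver performs before it
# uses a cached, already-validated NSEC to synthesize a negative answer.
# Canonical ordering follows RFC 4034 s6.1; the delegation rule follows
# RFC 4035 s5.4. All zone data below is constructed for illustration.
from dataclasses import dataclass
from typing import Optional


def canonical_labels(name: str) -> list:
    """Labels of a presentation-format name, root-most first, lowercased
    (RFC 4034 s6.1 compares labels case-insensitively)."""
    name = name.rstrip(".").lower()
    return [l.encode() for l in reversed(name.split("."))] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 as a sorts before, equal to, or after b canonically."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            # bytes compare as left-justified unsigned octets, so a label
            # that is a prefix of another sorts first, as the RFC requires
            return -1 if x < y else 1
    # every shared label equal: the name with fewer labels sorts first
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if name equals ancestor or lies below it."""
    la, lb = canonical_labels(name), canonical_labels(ancestor)
    return len(la) >= len(lb) and la[: len(lb)] == lb


@dataclass(frozen=True)
class Nsec:
    """A validated NSEC RR: owner, next owner, and type bitmap mnemonics."""
    owner: str
    next_name: str
    types: frozenset


def nsec_covers(nsec: Nsec, qname: str, zone: str) -> bool:
    """True if this NSEC from `zone` proves that `qname` does not exist."""
    # Only names inside the zone the NSEC came from can be denied by it.
    if not is_subdomain(qname, zone):
        return False
    rel = canonical_cmp(qname, nsec.owner)
    # The owner itself exists (an NSEC can prove NODATA for it, not NXDOMAIN),
    # and names sorting before the owner are outside this NSEC's span.
    if rel <= 0:
        return False
    # An NSEC at a delegation point (NS set, SOA absent) describes only the
    # parent side of the zone cut; names below it live in the child zone.
    if "NS" in nsec.types and "SOA" not in nsec.types and is_subdomain(qname, nsec.owner):
        return False
    # The last NSEC in a zone points back to the apex, which sorts before
    # its owner: everything after the owner inside the zone is covered.
    if canonical_cmp(nsec.next_name, nsec.owner) <= 0:
        return True
    return canonical_cmp(qname, nsec.next_name) < 0


def negative_from_cache(cache, qname: str, zone: str) -> Optional[str]:
    """Return "NXDOMAIN" if some cached NSEC covers qname, else None
    (meaning the resolver still has to send the query upstream)."""
    for nsec in cache:
        if nsec_covers(nsec, qname, zone):
            return "NXDOMAIN"
    return None


# Constructed sample zone "example." with four NSEC records: the last one
# wraps back to the apex, and child.example. is a delegation.
SAMPLE_ZONE = "example."
SAMPLE_CACHE = [
    Nsec("example.", "a.example.", frozenset({"SOA", "NS", "NSEC", "RRSIG"})),
    Nsec("a.example.", "child.example.", frozenset({"A", "NSEC", "RRSIG"})),
    Nsec("child.example.", "z.example.", frozenset({"NS", "DS", "NSEC", "RRSIG"})),
    Nsec("z.example.", "example.", frozenset({"A", "NSEC", "RRSIG"})),
]

if __name__ == "__main__":
    for q in ["b.example.", "sub.a.example.", "www.child.example.",
              "zz.example.", "child.example.", "other.test."]:
        print(q, negative_from_cache(SAMPLE_CACHE, q, SAMPLE_ZONE))
```

Run stand-alone, the sample shows b.example., sub.a.example. and zz.example. answered from cache, while www.child.example. is refused because the only NSEC that would cover it sits at a delegation, and child.example. is refused because the name exists. Both refusals are the cases a resolver that only compared owner and next name would get wrong.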