[Gen-art] Re: Gen-ART Review of draft-ietf-dnsext-dns-name-p-s-01
Geoffrey Sisson <geoff@nominet.org.uk> Wed, 14 December 2005 10:21 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmTlC-0006dX-L1; Wed, 14 Dec 2005 05:21:22 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EmTl0-0006ch-QV for gen-art@megatron.ietf.org; Wed, 14 Dec 2005 05:21:21 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA00629 for <gen-art@ietf.org>; Wed, 14 Dec 2005 05:20:02 -0500 (EST)
Received: from mx3.nominet.org.uk ([213.248.199.23]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EmTlw-0007mz-RA for gen-art@ietf.org; Wed, 14 Dec 2005 05:22:11 -0500
Received: from staff.nominet.org.uk ([213.248.199.129]) by mx3.nominet.org.uk with ESMTP; 14 Dec 2005 10:20:30 +0000
X-IronPort-AV: i="3.99,250,1131321600"; d="scan'208"; a="2162340:sNHT30690516"
Received: (from geoff@localhost) by staff.nominet.org.uk (8.12.9/8.12.9) id jBEAKSW0005388; Wed, 14 Dec 2005 10:20:28 GMT
Date: Wed, 14 Dec 2005 10:20:28 +0000
From: Geoffrey Sisson <geoff@nominet.org.uk>
Message-Id: <200512141020.jBEAKSW0005388@staff.nominet.org.uk>
To: Spencer Dawkins <spencer@mcsr-labs.org>
In-Reply-To: <406001c5fcc6$18e2d450$56087c0a@china.huawei.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cf3becbbd6d1a45acbe2ffd4ab88bdc2
Cc: Margaret Wasserman <margaret@thingmagic.com>, Olaf Kolkman <olaf@nlnetlabs.nl>, General Area Review Team <gen-art@ietf.org>, ben@algroup.co.uk, Olafur Gudmundsson <ogud@ogud.com>
Subject: [Gen-art] Re: Gen-ART Review of draft-ietf-dnsext-dns-name-p-s-01
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Sender: gen-art-bounces@ietf.org
Errors-To: gen-art-bounces@ietf.org
"Spencer Dawkins" <spencer@mcsr-labs.org> wrote: > >> Where did the uppercase US-ASCII letters come from? (I thought they had > >> already been replaced)... There is similar text in 3.1.2, 3.2.1, and > >> 3.2.2 > >> (they are pretty much symmetrical), and further into 4.2. If (3) said > >> "lowercase have already been replaced by uppercase", all this would make > >> perfect sense to me - am I misunderstanding? > > > > You're correct that all uppercase US-ASCII letters in the domain name > > have been converted to lowercase. However, an uppercase letter may be > > encountered when incrementing (3.1.2.3 and 3.2.2.3) or decrementing > > (3.1.1.4 and 3.2.1.4) an octet. For example, if an octet contains '@' > > and it gets incremented, the new value would be 'A'. Similarly, if an > > octet contains '[' and it gets decremented, the new value would be > > 'Z'. To maintain canonical sort order, these value must be skipped, > > i.e. increment('@') -> '[' and decrement('[') -> '@'. > > If this is normal DNS-speak, I apologize for my lack of knowledge, but > "skipped" confused me; I thought you were talking about skipping an octet in > the domain name, but you are talking about redefining "increment" and > "decrement" for specific octet values - did I understand correctly? If so, > perhaps this could be a little more obvious - something like > > 4. Decrement the value of the least significant (right-most) octet > of the least significant (left-most) label, repeating until the > resulting octet does not > correspond to uppercase US-ASCII letters, and then append > the least significant (left-most) label with as many octets as > possible of the maximum sort value. Continue to the next step. > > Again, if everyone in DNS land knows what you meant, that's fine - it just > confuses visitors :-) Thanks for the suggested text; however I'd be concerned that it might lead the reader to infer that results with uppercase values were typical rather than atypical. When drafting the document, I considered alternative wordings of this item, but all seemed to have the effect of reducing rather than enhancing clarity. > >> In section 4.1. "Test for Existence", why is the following text saying > >> "should reflect"? I'm wandering around "should/SHOULD" and "must/MUST" > >> here. > >> If it IS "should/SHOULD", when is it OK for the synthesized NSEC RR to > >> NOT > >> reflect the RRset types that exist? > >> > >> If it does, either a standard non-synthesised NSEC RR > >> should be used, or the synthesised NSEC RR should reflect the RRset > >> types that exist at the NSEC RR's owner name in the Type Bit Map > >> field as specified by Section 4.1.2 of [RFC4034]. > > > > We avoided RFC 2119 key words in draft-ietf-dnsext-dns-name-p-s as we > > thought that otherwise things might get messy. In view of your > > observations, perhaps it would make sense to drop Section 4.1 from the > > document altogether? > > I'm sorry, I conflated two comments here. My real question was "when is it > OK for the synthesized NSEC RR to NOT > reflect the RRset types that exist?". draft-ietf-dnsext-dnssec-online-signing states: "if an existing name is used as the NSEC owner name, that name's real NSEC record MUST be returned". Perhaps Section 4.1 should be modified as follows: OLD: Before using the result of P(N) or P'(N) as the owner name of an NSEC RR in a DNS response, a name server should test to see whether the name exists. If it does, either a standard non-synthesised NSEC RR should be used, or the synthesised NSEC RR should reflect the RRset types that exist at the NSEC RR's owner name in the Type Bit Map field as specified by Section 4.1.2 of [RFC4034]. Implementors will likely find it simpler to use a non-synthesised NSEC RR. For further details see Section 2 of [I-D.ietf-dnsext-dnssec-online-signing]. NEW: [I-D.ietf-dnsext-dnssec-online-signing] states: "if an existing name is used as the NSEC owner name, that name's real NSEC record MUST be returned". Consequently, before using the result of P(N) or P'(N) as the owner name of an NSEC RR in a DNS response, a name server which implements [I-D.ietf-dnsext-dnssec-online-signing] will need to test to see whether the name exists. If it does, either a standard non-synthesised NSEC RR may be used, or the synthesised NSEC RR will need to reflect the RRset types that exist at the NSEC RR's owner name in the Type Bit Map field as specified by Section 4.1.2 of [RFC4034]. Implementors will likely find it simpler to use a non-synthesised NSEC RR. For further details see Section 2 of [I-D.ietf-dnsext-dnssec-online-signing]. Regards Geoff _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen-ART Review of draft-ietf-dnsext-dns… Spencer Dawkins
- [Gen-art] Re: Gen-ART Review of draft-ietf-dnsext… Spencer Dawkins
- [Gen-art] Re: Gen-ART Review of draft-ietf-dnsext… Geoffrey Sisson
- [Gen-art] Re: Gen-ART Review of draft-ietf-dnsext… Geoffrey Sisson
- Re: [Gen-art] Re: Gen-ART Review of draft-ietf-dn… Brian E Carpenter
- [Gen-art] Re: Gen-ART Review of draft-ietf-dnsext… Spencer Dawkins
- [Gen-art] Re: Gen-ART Review of draft-ietf-dnsext… Geoffrey Sisson
- [Gen-art] Re: Gen-ART Review of draft-ietf-dnsext… Spencer Dawkins