secdir review of draft-ietf-dnsop-nsec-aggressiveuse

Sandra Murphy <> Tue, 28 March 2017 16:34 UTC

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document suggests that resolvers should use NSEC/NSEC3 proof of non-existence for a domain name in a received query to generate a negative reply, rather than relying on the current spec of an exact match to the domain name.  Generating positive replies from wildcard answers is also suggested.

The motivation is improvements in latency for queriers and improvements in bandwidth and CPU load on recursive resolvers and validation servers.

I have no serious objections about the draft.

I am curious about my thought that an attacker might find this of benefit, as they can learn of non-existence in just one query, rather than every name in a NSEC denied range. I know zone walking is a concern to some, but I do not know if ease of determining non-existence is also a concern.

Section 7 explicitly spells out the changes to RFC4035 as to what is removed
and what replaces it.  Section 5 is not so clearly

The last paragraph of 5., nothing in 5.1 or 5.2, and the last paragraph of 5.3
use SHOULD/MUST/MAY kinds of language.  For the paragraphs that don’t - should
they?  For the paragraphs that do, is this additional behavior or a
replacement for existing spec (i.e. like the section 7 update to RFC4035).
If a replacement, a replacement of what?  If not, where do the new paragraphs

The following is a sequential set of comments, not in importance order.

page 3

  This document updates RFC 4035 to allow recursive resolvers to use
  NSEC/NSEC3 resource records to synthesize negative answers from the
  information they have in the cache.

re: recursive resolvers - is the technique not applicable to stub resolvers?
(I do see references to stub resolver caches in a web search, but you can’t
trust the web.)

 [RFC8020], and [I-D.vixie-dnsext-resimprove] proposes first steps to
  using NXDOMAIN information for more effective caching.  This takes
  this technique further.

Unless rfc8020 and the vixie draft are the same thing (don’t think so),
should be “propose”.

Too many uses of “this” in that last sentence - I presume you mean
  This draft takes those previous techniques further.

page 4

  If a validating resolver receives a query for, it
  contacts its resolver (which may be itself)


  If a validating resolver receives a query for, it
  contacts its recursive resolver (which may be itself)


  and also has
  privacy implications (e.g: typos leak out further than necessary).

Does it also make certain explorations easier, where someone can find out a range
that does not exist by doing just one query rather than query every name in the
range?  Or is that sort of exploration already prevented by other techniques?

  If a query is received for, it contacts its resolver
  (which may be itself)

I suggest “the resolver contacts its <recursive> resolver” - the query is not
doing the contacting.

page 6

section 5.1 and 5.2 say “resolver can immediately return” - is this meant
to specify new behavior, should they have SHOULD/MAY/MUST kinds of words?

page 7

  Section 5 of [RFC2308] states that the maximum number of negative
  cache TTL value is 3 hours (10800).

I don’t find a maximum in RFC2308.  I do find:
                   Values of one to three hours have been found to work well
  and would make sensible a default.
Did I miss something?

“the maximum number of negative cache TTL value is” - a bit twisty.  Did you
mean something like:

 “Section 5 of [RFC2308] states that the maximum negative cache TTL value is”

otherwise, I’d think “number of … values”, but even so I don’t think there are
multiple values here. Are there?

page 9

<truly nitty>

The text says

  Thanks to Mark Andrews for providing the helpful notes for
  implementors provided in Appendix B.

  The authors would like to specifically thank
  Mark Andrews also provided the
  helpful notes for implementors (
  archive/web/dnsop/current/msg18332.html) which we made into
  Appendix B.

Perhaps you intended to thank him twice?  No problem, just wondering.
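As an added example (not part of the review above and not code from the draft or any resolver), the following Python shows the cache-side check that the draft's negative-answer synthesis relies on: canonical name ordering from RFC 4034 section 6.1, the test that a cached NSEC "covers" a queried name, the RFC 4035 section 5.4 rule that an NSEC at a delegation point proves nothing about names below the cut, and the second proof (no wildcard at the closest encloser) that is needed before NXDOMAIN can be synthesized. The zone `example.`, its NSEC chain and the type bitmaps are constructed sample data; a real resolver would apply this only to NSEC records it has already DNSSEC-validated, and the NSEC3 case, which needs hashing, is not shown.

```python
"""Synthesizing NXDOMAIN from cached NSEC records (added example).

NSEC records are modelled as (owner, next, types).  The zone and chain
below are constructed sample data, assumed already validated.
"""
from typing import List, Optional, Sequence, Tuple

NSEC = Tuple[str, str, Sequence[str]]

# Constructed NSEC chain for the (assumed, signed) zone "example.".
# "sub.example." is a delegation: NS present, SOA absent.
NSEC_CACHE: List[NSEC] = [
    ("example.", "alpha.example.", ("SOA", "NS", "NSEC", "RRSIG")),
    ("alpha.example.", "delta.example.", ("A", "NSEC", "RRSIG")),
    ("delta.example.", "sub.example.", ("A", "NSEC", "RRSIG")),
    ("sub.example.", "zulu.example.", ("NS", "NSEC", "RRSIG")),
    ("zulu.example.", "example.", ("A", "NSEC", "RRSIG")),   # last link points back to apex
]


def labels(name: str) -> List[bytes]:
    """Absolute name -> lowercased labels, most significant (root-side) first."""
    name = name.rstrip(".").lower()
    return [] if name == "" else [l.encode() for l in reversed(name.split("."))]


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 6.1 canonical order: compare labels from the root as octet
    strings; a name sorts before every name it is a proper ancestor of."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_ancestor_or_equal(anc: str, name: str) -> bool:
    la = labels(anc)
    return labels(name)[: len(la)] == la


def common_ancestor(a: str, b: str) -> str:
    """Longest common ancestor of two names, as an absolute name."""
    la, lb = labels(a), labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(l.decode() for l in reversed(la[:n])) + "."


def nsec_covers(nsec: NSEC, qname: str) -> bool:
    """True if this NSEC proves qname does not exist (owner < qname < next,
    with wrap-around at the end of the chain)."""
    owner, nxt, types = nsec
    # RFC 4035 5.4: an NSEC at a delegation says nothing about names below the cut.
    if ("NS" in types and "SOA" not in types
            and is_ancestor_or_equal(owner, qname) and canonical_cmp(owner, qname) != 0):
        return False
    if canonical_cmp(qname, owner) <= 0:
        return False
    if canonical_cmp(nxt, owner) <= 0:      # last NSEC: covers everything after owner
        return True
    return canonical_cmp(qname, nxt) < 0


def synthesize_nxdomain(zone: str, cache: List[NSEC], qname: str) -> Optional[dict]:
    """Return the proofs needed to answer NXDOMAIN from cache (the covering
    NSEC and an NSEC denying the wildcard at the closest encloser), or None
    when the query has to go upstream."""
    if not is_ancestor_or_equal(zone, qname):
        return None                          # cached NSECs are only valid for their own zone
    covering = next((n for n in cache if nsec_covers(n, qname)), None)
    if covering is None:
        return None                          # name may exist, or we simply lack the NSEC
    owner, nxt, _ = covering
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
             key=lambda n: len(labels(n)))   # closest encloser (RFC 4592)
    wildcard = "*." if ce == "." else "*." + ce
    if any(canonical_cmp(n[0], wildcard) == 0 for n in cache):
        return None                          # wildcard exists: that is a positive answer, not NXDOMAIN
    wc_proof = next((n for n in cache if nsec_covers(n, wildcard)), None)
    if wc_proof is None:
        return None
    return {"closest_encloser": ce, "covering": covering, "wildcard_proof": wc_proof}


if __name__ == "__main__":
    for q in ("charlie.example.", "x.alpha.example.", "host.sub.example.", "alpha.example."):
        print(q, "->", "NXDOMAIN from cache" if synthesize_nxdomain("example.", NSEC_CACHE, q) else "ask upstream")
```

The single cached record `alpha.example. -> delta.example.` answers every query for a name that sorts between those two owners, which is the observation the review raises: once that NSEC is cached, the range is known to be empty without a further query per name.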