Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

Matthijs Mekking <matthijs@nlnetlabs.nl> Wed, 01 February 2012 16:27 UTC


I have reviewed and support publication. Here are my comments.

1. Section 5.4. Caution About Local Policy and Multiple RRSIGs

1a. Nit
The second paragraph raises concerns when a resolver adopts a more
restrictive security policy. On the first read, it is not immediately
obvious why there can be unnecessary validation failures. Perhaps a
small explanation is needed, that the restrictive policy is requiring
all signatures to validate?

2. Section 5.11. Mandatory Algorithm Rules

2a. Nit
Typo: pressence -> presence

2b.
The section states that a signed zone MUST include a DNSKEY for each
algorithm present in the zone's DS RRset and expected trust anchors for
the zone. I argue if MUST is too strong, and would vote for SHOULD, for
the reason that the expected trust anchors and DS RRset are being
maintained outside the administrative boundaries of the zone owner.

3. Section 6.4. Errors in RFC 5155

I would like to see some clarifying or guiding text about the
contradiction in this RFC on the Flags field I posted earlier to this list:

Section 8.2 of RFC 5155 states that a validator MUST ignore NSEC3 RRs
with a Flags field value other than zero or one. But in the IANA
Considerations section, bits 0-6 are available for assignment.

However, assigning a meaning to one of the bits 0-6 would break NSEC3
conformance because that would allow for Flags field values larger than
one, and that conflicts with the rule in Section 8.2. As a result,
assigning a meaning to one of the bits 0-6 in the NSEC3 Flags field
would require an update at the resolver side to ignore the bits it does
not implement, regardless of the total outcome value of the Flags field.
Such a requirement allows for a more flexible approach for future
updates of the NSEC3 Flags field, with a nice backwards compatibility
property.


Best regards,
  Matthijs
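To make the two validator behaviours in point 3 concrete (the RFC 5155 Section 8.2 rule that ignores any NSEC3 RR whose Flags value is not 0 or 1, versus masking off bits the validator does not implement), here is an added Python example that is not part of the original mail or of any resolver implementation; the NSEC3 RDATA values it builds are constructed samples.

```python
import struct

# RFC 5155 section 3.1.2 numbers the Flags octet MSB-first (bits 0..7);
# bit 7, the least significant bit (0x01), is Opt-Out; bits 0-6 are reserved.
OPT_OUT = 0x01


def build_nsec3_rdata(flags, salt=b"\xab\xcd", iterations=10,
                      next_hashed=bytes(range(20)), type_bitmaps=b"\x00\x01\x40"):
    """Serialise NSEC3 RDATA (RFC 5155 section 3.2) from constructed sample values.
    Hash algorithm 1 = SHA-1; the default type bitmap is window 0 with only type A set."""
    return (struct.pack("!BBHB", 1, flags, iterations, len(salt)) + salt
            + bytes([len(next_hashed)]) + next_hashed + type_bitmaps)


def parse_nsec3_rdata(rdata):
    """Parse NSEC3 RDATA from wire format into a dict; raises on truncation."""
    hash_alg, flags, iterations, salt_len = struct.unpack_from("!BBHB", rdata, 0)
    off = 5
    salt = rdata[off:off + salt_len]
    off += salt_len
    hash_len = rdata[off]
    off += 1
    next_hashed = rdata[off:off + hash_len]
    off += hash_len
    if len(salt) != salt_len or len(next_hashed) != hash_len:
        raise ValueError("truncated NSEC3 RDATA")
    return {"hash_alg": hash_alg, "flags": flags, "iterations": iterations,
            "salt": salt, "next_hashed": next_hashed, "type_bitmaps": rdata[off:]}


def opt_out_strict(rdata):
    """RFC 5155 section 8.2 behaviour: an NSEC3 RR whose Flags value is not 0 or 1
    is ignored entirely (returns None); otherwise returns whether Opt-Out is set."""
    flags = parse_nsec3_rdata(rdata)["flags"]
    if flags not in (0, 1):
        return None
    return bool(flags & OPT_OUT)


def opt_out_lenient(rdata, implemented=OPT_OUT):
    """Behaviour suggested in the mail: mask off the bits this validator does not
    implement and interpret only the implemented ones, so a future assignment in
    bits 0-6 does not cause the whole RR to be discarded."""
    flags = parse_nsec3_rdata(rdata)["flags"]
    return bool((flags & implemented) & OPT_OUT)
```

With a Flags value of 0x03 (Opt-Out plus one reserved bit set) the strict rule discards the record, while the lenient rule still reads Opt-Out as set.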