Re: [secdir] SECDIR review: draft-ietf-dnsext-dnssec-rsasha256

Andrew Sullivan <> Wed, 23 September 2009 14:04 UTC

Date: Wed, 23 Sep 2009 10:05:05 -0400
From: Andrew Sullivan <>
To: Kurt Zeilenga <>
Cc: The IESG <>, Security Area Directorate <>

Thanks for your review.  I apologise for not having responded sooner.
I was travelling on other business last week, and it meant that I
couldn't concentrate on this topic.  One note of explanation:

On Wed, Sep 16, 2009 at 10:12:25AM +0100, Kurt Zeilenga wrote:

> I do note that the document appears to place an additional
> recommendation upon implementors of DNSSEC (in Section 5.1) yet does not
> "update" any DNSSEC specification.   It may be appropriate for this I-D
> to "update" (upon approval/publication) DNSSEC specifications.

We have been loath to make this document the mechanism by which we
update the DNSSEC specifications effectively to make NSEC3 an overall
part of the DNSSEC specification.  The reason I (especially) have been
so reluctant is that we already have, in the DNS community, a long
history of complaints about apparently minor, tangential drafts making
major conceptual changes to the DNS specifications.  The idea is to
ensure that the change making NSEC3 a basic part of DNSSEC appears in
a document that is obviously about DNSSEC as such, and not just the
identifier of an algorithm that may or may not get implemented.

We in fact have a draft in process that is to contain this change.
It's draft-ietf-dnsext-dnssec-bis-updates.  It has been moving
somewhat slowly through the WG, but I believe it is on track to be
published soon.  The current text in that document is this:

2.1.  NSEC3 Support

   [RFC5155] describes the use and behavior of the NSEC3 and NSEC3PARAM
   records for hashed denial of existence.  Validator implementations
   are strongly encouraged to include support for NSEC3 because a number
   of highly visible zones are expected to use it.  Validators that do
   not support validation of responses using NSEC3 will likely be
   hampered in validating large portions of the DNS space.

   [RFC5155] should be considered part of the DNS Security Document
   Family as described by [RFC4033], Section 10.

All of that said, if you feel strongly that, in the absence of
publication of dnssec-bis-updates, the sha-2 draft ought to update
RFC4033, we can reluctantly make the change.  In that case, we will
plan to leave the above text in dnssec-bis-updates anyway, in an
effort to make this point plain to a potentially wider audience.

Best regards,

Andrew (shepherd)

Andrew Sullivan
Shinkuro, Inc.