Apologies all for the delay in responding / addressing comments. Things suddenly got crazily busy and I fell behind..
On Sun, Sep 25, 2016 at 1:04 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote: > On Thu, Sep 22, 2016 at 08:19:17AM -0400, > Tim Wicinski <tjw.i...@gmail.com> wrote > a message of 31 lines which said: > >> This starts a Working Group Last Call for: >> "Aggressive use of NSEC/NSEC3" >> draft-ietf-dnsop-nsec-aggressiveuse > > I like the basic idea and I think the document is good Yay! :-) > but I would not like it to be published as it is (-02). Awwww..... . . . :-) > > My biggest concern is that it seems the original idea was to mention > only the synthesis of _negative_ replies (NXDOMAIN), _positive_ > replies (synthesis from a wildcard) were mentioned for a long time in > the draft but never fully integrated. Section 7 mentions this > synthesis of positive answers but, for instance, the abstract, the > section 1, section 3, the first paragraph of section 5.5, and the > first paragraph of section 9 do not mention the positive answers, but > they should (they seem to assume that only negative caching matters). > > Either we need to match the document to put the synthesis of negative > and positive answers on an equal footing, or we should delete the > synthesis of positive answers from wildcards. DONE Yup, my view (as can probably be guessed!) is that doing this for negative answers is the important bit, and that wildcard synthesis was easy to add while we had the hood open (see "shipwright's disease", which I suffer from greatly[0]). Seeing as the large majority of the discussion has been about the negative answers, I'm going to remove the wildcard text. *Please* WG, let me know if you'd rather that we keep it... > Related to this issue is the fact that the proposed updated text for > RFC 4035 is not the same in section 5.1 and in section 7... DONE ... luckily, the above fixed this issues too :-) > > Another concern is section 9 which says "Aggressive use of NSEC / > NSEC3 resource records without DNSSEC validation may cause security > problems. It is highly recommended to apply DNSSEC validation." Not > only it fails to use RFC 2119 but allowing NXDOMAIN synthesis without > DNSSEC validation seems dangerous. Why not a MUST instead of the > current "informal SHOULD"? DONE Thank you, good catch. I was not able to figure out how to better word this, so I rewrote it -- how is this: "Aggressive use of NSEC / NSEC3 resource records without DNSSEC validation may create serious security problems, and so this technique requires DNSSEC validation." > > Details > ******* > > IMHO, it should say from the beginning that this document is only for > validating resolvers. (It is not in section 1, for instance.) DONE. Yeah. I'd been assuming that all of the mention of NSEC/NSEC3 implied that, but it doesn't hurt to be explicit. Fixed. > > Editorial > ********* > > Section 1 says "This document updates RFC 4035 to allow recursive > resolvers to use NSEC/NSEC3 resource records to aggressively cache > negative answers." It would be more descriptive, IMHO, to say "This > document updates RFC 4035 to allow recursive resolvers to use > NSEC/NSEC3 resource records to synthetize negative answers from the > information they have in the cache." (It is an aggressive use of the > cache, not aggressive caching.) DONE. Ooooh, I like it. I used your text.... > > Bikeshedding > ************ > > Section 5.2 says "Implementations SHOULD provide a configuration switch to > disable > aggressive use of NSEC and allow it to be enabled or disabled per > domain." Such as switch (the per-domain one) seems costly and I would > prefer a MAY here. > DONE. I wondered the same thing when writing this. I figured easier to ask for more and dial back if needed. Thank you again for your comments, I have committed them to the version in Github ( https://github.com/wkumari/draft-ietf-dnsop-nsec-aggressiveuse ) and will publish a new draft soon. W [0]: I'm restoring a 1971 Land Rover Series IIA, and a 1980 Ferrari 308GTSi. It is a never-ending task, because I'll start on one thing, and then, seeing as it's open I may as well do this other small things... e.g: I have the dashboard out to replace a lamp, so I might as well replace the ignition switch wiring - it''s slightly tatty. While doing that, it makes sense to replace the choke cable (it's mounted on the same panel), which means I may as well also redo the heater system (the valve is right next to it, and the cables are joined, so...). Seeing as that it out, there is also the radio, and some of the wiring - no point in *not* doing it, I'd simply have to reopen everything again. Oh, the speedometer cable is also back here, and the speedo bounces around. Seeing as I'm replacing that, I'll rebuild the (really cool Jaeger speedometer, and it's attached to the gearbox, so, well, new gearbox oil and diff oil, and then repaint the undercarriage / remove rust and POR-15 the suspension, and then, well, those engine mounts are also attached to the gearbox. It's already up on the lift, so.... Next thing you know it's been months... and I'm much further from finishing than when I started.... > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
