On 21-10-2021 13:22, Peter van Dijk wrote:
> On Wed, 2021-10-20 at 11:24 -0700, Wes Hardaker wrote:
> > So, the question: what's the right FINAL value to put in the draft
> > before LC?
>
> I don't know what the -right- value is, but I know what I want: 0 iterations,
> empty salt, otherwise the NSEC3 gets ignored, presumably leading to SERVFAIL.
> This removes the 'insecure' window completely.
>
> So, I'll support any push to lower the numbers.
>
> Editorial nit, already hinted at above: the text currently has "Validating resolvers MAY
> return SERVFAIL when processing NSEC3 records with iterations larger than 500." - I suggest
> changing this to "validating resolvers MAY ignore NSEC3 records with iterations larger than
> 500". That way, zones in the middle of a transition from 1000 to 0 iterations do not get
> punished. Zones at 1000, not in a transition, will still get SERVFAIL by virtue of the NSEC3 proof
> missing (because it is ignored).
In addition, the line just before that says "Validating resolvers SHOULD
return an insecure response when processing NSEC3 records with
iterations larger than 100."

And I suggest changing it to "larger than 150", a value that open
source DNS vendors have been adopting over the last couple of months:

https://nlnetlabs.nl/news/2021/Aug/12/unbound-1.13.2-released/
https://blog.powerdns.com/2021/06/09/powerdns-recursor-4-4-4-and-4-5-2-released/
https://www.knot-resolver.cz/2021-03-31-knot-resolver-5.3.1.html
https://bind9.readthedocs.io/en/v9_16_21/notes.html#notes-for-bind-9-16-16

(sorry that this is not pushing for lower numbers)

Best regards,

Matthijs
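As an added illustration that is not part of this thread, the RFC 5155 NSEC3 hash whose per-name cost the iteration count sets, followed by the resolver-side decision using the "ignore above 500, insecure above 150" wording discussed above (the two limits are assumed defaults here, not values fixed by the draft); the RFC 5155 Appendix A vector (example., salt aabbccdd, 12 iterations) serves as the check.

```python
import base64
import hashlib

# Assumed defaults taken from the discussion above: above INSECURE_LIMIT the
# resolver answers insecure, above IGNORE_LIMIT it ignores the NSEC3 record.
INSECURE_LIMIT = 150
IGNORE_LIMIT = 500

# Python's b32encode uses the RFC 4648 alphabet; NSEC3 owner names use base32hex.
B32STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32HEX = "0123456789abcdefghijklmnopqrstuv"
_TO_B32HEX = str.maketrans(B32STD, B32HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire format of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt).

    Every iteration is one more SHA-1 that both the signer and every validating
    resolver must compute per name, which is why the limits matter.
    """
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)


def nsec3_policy(iterations: int) -> str:
    """Resolver decision for one NSEC3 record under the proposed wording.

    'ignore' drops the record; for a zone that is otherwise secure the missing
    proof then yields SERVFAIL, while a zone mid-transition is unaffected.
    'insecure' treats the zone as unsigned rather than bogus.
    """
    if iterations > IGNORE_LIMIT:
        return "ignore"
    if iterations > INSECURE_LIMIT:
        return "insecure"
    return "validate"


if __name__ == "__main__":
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
    for n in (0, 150, 151, 500, 1000):
        print(n, nsec3_policy(n))
```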
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop