Hi Wes,

I think the changes are moving the document in the right direction.

Some comments:


3.1.  Best-practice for zone publishers

I wonder if we can make the requirement even stronger by saying "If NSEC3 must be used, then an iterations count of 0 MUST be used to alleviate computational burdens." (MUST instead of SHOULD).

Or is there a valid reason for zone publishers to set iterations to a non-zero value?


3.2.  Recommendation for validating resolvers

I understand why the new text is here, but I think this now actually gives too little advice for operators and vendors.

I know, this is a vague comment, I need to think about it a bit more.


3.2.  Recommendation for validating resolvers

   Validating resolvers returning an insecure or SERVFAIL answer because
   of unsupported NSEC parameter values SHOULD return an Extended DNS
   Error (EDE) EDNS0 option of value.

I believe this should be NSEC3 parameter values here (instead of NSEC).


4.  Security Considerations

I appreciate that you added the reasoning for lowering the acceptable iteration counts here and in section 3.2 but I miss the argument for not lowering. Suggested text:

   On the other hand, zones that are still using high iteration counts
   may become unreachable on some parts of the network when a resolver
   decides to return SERVFAIL above a higher point. Before lowering the
   acceptable iteration count, resolver operators and resolver software
   vendors are encouraged to monitor the used iteration counts and reach
   out to zone publishers to implement this document by setting the
   iteration count to 0.


Appendix E.  Implementation Notes

Note that in BIND 9.16.16 and up, DNSSEC responses containing NSEC3 records with iteration counts greater than 150 are treated as insecure, and the maximum supported number of NSEC3 iterations that can be configured for a zone has been reduced to 150.


Best regards,

Matthijs


On 24-11-2021 18:02, Wes Hardaker wrote:
internet-dra...@ietf.org writes:

         Title           : Guidance for NSEC3 parameter settings
         Authors         : Wes Hardaker
                           Viktor Dukhovni
        Filename        : draft-ietf-dnsop-nsec3-guidance-02.txt
        Pages           : 10
        Date            : 2021-11-24

This version attempts to take into account the discussion from the WG
meeting at IETF 112.  Concrete text proposals appreciated so we can
finish this work and publish it.


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

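The two mechanisms the thread argues about, the NSEC3 hash iteration loop from RFC 5155 Section 5 (which is where the per-name cost that Section 3.1 wants driven to zero comes from) and a resolver-side policy that downgrades or SERVFAILs above a threshold while attaching an EDE, as an added Python example. This is illustration code, not code from the draft, from BIND, or from any poster. The function names, the default thresholds (150 mirrors the BIND limit mentioned above; no SERVFAIL point by default) and the EDE code constant are assumptions; the draft text quoted above leaves the EDE value unspecified.

```python
"""NSEC3 hashing (RFC 5155, Section 5) and a resolver-side iteration policy.

Added illustration for the NSEC3 guidance discussion; not the draft's, BIND's
or any poster's code.  Thresholds and the EDE code are assumptions.
"""
import base64
import hashlib
from typing import Optional, Tuple

# NSEC3 owner labels use base32hex (RFC 4648 Section 7); Python's b32encode
# produces standard base32, so map the alphabet over.  20 SHA-1 bytes encode
# to exactly 32 characters with no '=' padding.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
)

# Assumption: the quoted draft does not fix the EDE value, so this is a
# placeholder constant (27 is the value later registered for this purpose).
EDE_UNSUPPORTED_NSEC3_ITERATIONS = 27


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminator


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).

    SHA-1 is the only hash algorithm defined for NSEC3.  Every validating
    resolver pays iterations + 1 SHA-1 calls per name it has to hash when
    checking a denial-of-existence proof, which is the "computational burden"
    the draft is talking about.
    """
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def hash_work(iterations: int) -> int:
    """SHA-1 invocations per hashed name for a given iteration count."""
    return iterations + 1


def parse_nsec3param(rdata: str) -> Tuple[int, int, int, bytes]:
    """Parse NSEC3PARAM presentation form: '<alg> <flags> <iterations> <salt-hex|->'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError("NSEC3PARAM needs exactly four fields")
    alg, flags, iterations = (int(f) for f in fields[:3])
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations is a 16-bit field")
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    return alg, flags, iterations, salt


def publisher_ok(nsec3param_rdata: str) -> bool:
    """Zone-publisher check for Section 3.1: the iteration count is 0."""
    return parse_nsec3param(nsec3param_rdata)[2] == 0


def resolver_policy(
    iterations: int, insecure_above: int = 150, servfail_above: Optional[int] = None
) -> Tuple[str, Optional[int]]:
    """Resolver-side decision for Section 3.2.

    Returns (outcome, ede_code).  Defaults are assumptions: 150 mirrors the
    BIND 9.16.16 limit cited in the thread; servfail_above=None means the
    resolver never SERVFAILs on iterations alone and only downgrades to
    insecure.  Operators lowering either point should expect zones above it
    to become unreachable for their users, as the thread notes.
    """
    if servfail_above is not None and iterations > servfail_above:
        return "SERVFAIL", EDE_UNSUPPORTED_NSEC3_ITERATIONS
    if iterations > insecure_above:
        return "insecure", EDE_UNSUPPORTED_NSEC3_ITERATIONS
    return "validate", None


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: algorithm 1, salt aabbccdd, 12 iterations.
    _, _, iters, salt = parse_nsec3param("1 0 12 aabbccdd")
    print(nsec3_hash("example.", salt, iters), "costs", hash_work(iters), "SHA-1 calls")
    print("publisher ok (12 iterations):", publisher_ok("1 0 12 aabbccdd"))
    print("publisher ok (0 iterations, no salt):", publisher_ok("1 0 0 -"))
    for n in (0, 100, 151, 2500):
        print(n, "->", resolver_policy(n, servfail_above=2000))
```

The `nsec3_hash` call with the RFC 5155 Appendix A parameters reproduces the apex hashed owner name from that appendix, which is a quick way to confirm a local implementation before using it to survey the iteration counts a resolver is actually seeing.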