Hi Wes,
I think the changes are moving the document in the right direction.
Some comments:
3.1. Best-practice for zone publishers
I wonder if we can make the requirement even stronger by saying "If
NSEC3 must be used, then an iterations count of 0 MUST be used to
alleviate computational burdens." (MUST instead of SHOULD).
Or is there a valid reason for zone publishers to set iterations to a
non-zero value?
3.2. Recommendation for validating resolvers
I understand why the new text is here, but I think this now actually
gives too little advice for operators and vendors.
I know, this is a vague comment, I need to think about it a bit more.
3.2. Recommendation for validating resolvers
Validating resolvers returning an insecure or SERVFAIL answer because
of unsupported NSEC parameter values SHOULD return an Extended DNS
Error (EDE) EDNS0 option of value.
I believe this should be NSEC3 parameter values here (instead of NSEC).
4. Security Considerations
I appreciate that you added the reasoning for lowering the acceptable
iteration counts here and in section 3.2 but I miss the argument for not
lowering. Suggested text:
On the other hand, zones that are still using high iteration counts
may become unreachable on some parts of the network when a resolver
decides to return SERVFAIL above a higher point. Before lowering the
acceptable iteration count, resolver operators and resolver software
vendors are encouraged to monitor the used iteration counts and reach
out to zone publishers to implement this document by setting the
iteration count to 0.
Appendix E. Implementation Notes
Note that BIND 9.16.16 and up will treat DNSSEC responses containing
NSEC3 records with iteration counts greater than 150 are now treated as
insecure, and the maximum supported number of NSEC3 iterations that can
be configured for a zone has been reduced to 150.
Best regards,
Matthijs
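Added example (my own code, not text from the draft or from anyone in this thread): the NSEC3 hashing that the iteration count controls, plus the resolver-side limit discussed above. The only values taken from the thread are the 150 limit quoted for BIND 9.16.16 and the recommended publisher value 0; the input vector (salt aabbccdd, 12 iterations) is the RFC 5155 Appendix A example zone.

```python
"""NSEC3 hashing (RFC 5155 section 5) and an iteration-count policy check.
Example code written for this thread; the 150 threshold and the value 0
come from the discussion, every other value here is constructed."""
import base64
import hashlib

# base32hex (RFC 4648 "extended hex") via a translation of standard base32
_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_STD, _HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire format of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    H is SHA-1 (hash algorithm 1). '-' is the presentation form of an empty salt.
    Returns the lowercase base32hex owner-name label."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()


def hash_work_per_name(iterations: int) -> int:
    """SHA-1 invocations a validator spends per candidate name. A denial-of-
    existence proof hashes several names (closest-encloser search, next closer
    name, wildcard), so this cost is multiplied per response."""
    return iterations + 1


def resolver_disposition(iterations: int, max_iterations: int = 150) -> str:
    """Resolver policy from the thread: at or below the limit the NSEC3 proof is
    validated; above it the response is treated as insecure (BIND 9.16.16 uses
    150; other implementations may SERVFAIL instead). Publishers are asked to
    use iterations=0, which never trips any limit."""
    return "validate" if iterations <= max_iterations else "insecure"


if __name__ == "__main__":
    for it in (0, 12, 150, 151):
        print(it, hash_work_per_name(it), resolver_disposition(it))
    print(nsec3_hash("example.", "aabbccdd", 12))
```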
On 24-11-2021 18:02, Wes Hardaker wrote:
internet-dra...@ietf.org writes:
Title : Guidance for NSEC3 parameter settings
Authors : Wes Hardaker
Viktor Dukhovni
Filename : draft-ietf-dnsop-nsec3-guidance-02.txt
Pages : 10
Date : 2021-11-24
This version attempts to take into account the discussion from the WG
meeting at IETF 112. Concrete text proposals appreciated so we can
finish this work and publish it.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop