> On 20 Aug 2024, at 20:32, Gunter Van de Velde via Datatracker 
> <nore...@ietf.org> wrote:
> 
> Gunter Van de Velde has entered the following ballot position for
> draft-ietf-dnsop-rfc8109bis-06: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to 
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
> for more information about how to handle DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> # Gunter Van de Velde, RTG AD, comments for draft-ietf-dnsop-rfc8109bis-06
> 
> ## Many thanks for writing this document. I found it an nice read into the
> depths recursive DNS resolvers.
> 
> ## The comments below are of cosmetic nature and mostly suggest alternate
> textblobs
> 
> Please find https://www.ietf.org/blog/handling-iesg-ballot-positions/
> documenting the handling of ballots.
> 
> #DISCUSS items
> #=============
> ##tbc
> 
> #GENERIC COMMENTS
> #================
> ## The text states "undefined" in section 3.:
> 
> "The Recursion Desired (RD) bit MAY be set to 0 or 1, although the meaning of
> it being set to 1 is undefined for priming queries."

Actually it is NOT undefined.  RFC 1034 says exactly what to do.  Sending
recursive queries to authoritative only servers results in RD=1 and RA=0 being
set in the response header and you get the same response as you would if you
had RD=0 in the request.  That is 100% clear in RFC 1034.  Root servers don’t
behave differently to other servers.  The only difference is that they are
configured to serve “."

> I am unsure what 'undefined' means in this context. does it mean that setting
> this to 1 is forbidden? Maybe a line explaining the implications of the
> undefined can be helpfull for iplementors to know what to do if they ever
> receive such RD with a priming query.
> 
> Maybe this statement could be something like:
> 
> "
> The Recursion Desired (RD) bit SHOULD be set to 0. The meaning when RD is set
> to 1 is undefined for priming queries and outside the scope of this document. 
> "
> 
> ## In section 3.2 both IPv4 and IPv6 are handled equally as potential Target
> Selection. Would it not be better for the Internet if there is a bias 
> suggested
> towards IPv6 when all other things being equal?
> 
> #DETAILED COMMENTS
> #=================
> ##classified as [minor] and [major]
> 
> 19         This document, when published, obsoletes RFC 8109.  See Section 1.1
> 20         for the list of changes from RFC 8109.
> 
> [minor]
> Mostly i found that when documents obsolete other documents with a newer
> revision that the changes are in the Appendix. It seems a more logical place
> add these. Not sure it belongs in the main body of the draft.
> 
> 114        *  Changed "man-in-the-middle" to "machine-in-the-middle" to be 
> both
> 115           less sexist and more technically accurate.
> 
> [minor]
> s/less sexist/more inclusive/
> 
> 159        Priming is the act of finding the list of root servers from a
> 160        configuration that lists some or all of the purported IP addresses 
> of
> 161        some or all of those root servers.  In priming, a recursive 
> resolver
> 162        starts with no cached information about the root servers, and
> 163        finishes with a full list of their names and their addresses in its
> 164        cache.
> 
> [minor]
> I found this paragraph difficult to parse. What about the following alternatve
> textblob:
> 
> "
> Priming refers to the process by which a recursive resolver obtains the list 
> of
> root servers from a configuration that includes the purported IP addresses of
> some or all of those root servers. During priming, the recursive resolver
> begins without any cached information regarding the root servers and concludes
> with a complete list of their names and corresponding addresses stored in its
> cache. "
> 
> 173        software.  This list is usually correct and complete when shipped,
> 174        but may become out of date over time.
> 
> [minor]
> small cosmetic rewrite:
> 
> "
> While this list is generally accurate and complete at the time of 
> distribution,
> it may become outdated over time. "
> 
> 176        The domain names for the root servers are called the "root server
> 177        identifiers".  This list has been stable since 1997, but the IPv4 
> and
> 178        IPv6 addresses for the root server identifiers sometimes change.
> 179        Research shows that after those addresses change, some resolvers
> 180        never get the new addresses; for example, see [OLD-J].
> 
> [minor]
> What about following cosmetic alternative textblob:
> 
> "
> The domain names assigned to the root servers are referred to as "root server
> identifiers." Although this list has remained stable since 1997, the 
> associated
> IPv4 and IPv6 addresses for these root server identifiers occasionally change.
> Research indicates that, following such changes, certain resolvers fail to
> update to the new addresses; for further details, refer to [OLD-J]. "
> 
> 182        Therefore, it is important that resolvers be able to cope with
> 183        change, even without relying upon configuration updates to be 
> applied
> 184        by their operator.  Root server identifier and address changes are
> 185        the main reasons that resolvers need to use priming to get a full 
> and
> 186        accurate list of root servers, instead of just using a statically
> 187        configured list.
> 
> [minor]
> cosmetic alternative textblob to consider:
> 
> "
> It is therefore essential that resolvers possess the capability to adapt to
> changes, even in the absence of configuration updates applied by their
> operators. Changes to root server identifiers and their corresponding 
> addresses
> are primary reasons why resolvers must employ the priming process to obtain a
> complete and accurate list of root servers, rather than relying solely on a
> statically configured list. "
> 
> 224        SHOULD be randomly selected (see [RFC5452]).  The Recursion Desired
> 225        (RD) bit MAY be set to 0 or 1, although the meaning of it being set
> 226        to 1 is undefined for priming queries.
> 
> [major]
> I am unsure what 'undefined' means in this context. does it mean that setting
> this to 1 is forbidden? Maybe a line explaining the implications of the
> undefined can be helpfull for iplementors to know what to do if they ever
> receive such RD with a priming query.
> 
> Maybe the statement should be something like:
> 
> "
> The Recursion Desired (RD) bit SHOULD be set to 0. The meaning when RD is set
> to 1 is undefined for priming queries and outside the scope of this document. 
> "
> 
> 255     3.2.  Target Selection
> 
> [major]
> The current text handles IPv4 and IPv6 equally and leaves it entirely up to 
> the
> implementation. Would it not be beneficial that there would be a suggested 
> bias
> in this document to use an IPv6 address instead of a legacy IPv4 address? It
> smels as a missed opportunity in the path towards pervasive IPv6
> 
> 338        At the time this document is published, there are 13 root server
> 339        operators operating a total of more than 1500 root server 
> instances.
> 340        Each has one IPv4 address and one IPv6 address.  The combined size 
> of
> 341        all the A and AAAA RRsets exceeds the original 512-octet payload
> 342        limit from [RFC1035].
> 
> [minor]
> proposed alternate cosmetic textblob:
> 
> "
> As of the publication of this document, there are 13 root server operators
> collectively managing more than 1,500 root server instances. Each instance is
> assigned both an IPv4 address and an IPv6 address. The total size of all the A
> and AAAA resource record sets (RRsets) exceeds the original 512-octet payload
> limit specified in [RFC1035] "
> 
> 371     5.  Post-Priming Strategies
> 372
> 373        When a resolver has a zone's NS RRset in cache, and it gets a query
> 374        for a domain in that zone that cannot be answered from its cache, 
> the
> 375        resolver has to choose which NS to send queries to.  (This 
> statement
> 376        is as true for the root zone as for any other zone in the DNS.)  
> Two
> 377        common strategies for choosing are "determine the fastest name 
> server
> 378        and always use it" and "create buckets of fastness and pick 
> randomly
> 379        in the buckets".  This document gives no preference to any 
> particular
> 380        strategy other than to suggest that resolvers not treat the root 
> zone
> 381        as special for this decision.
> 
> [minor]
> Alternative cosmetic textblob:
> 
> "
> When a resolver has a zone's NS RRset in its cache and receives a query for a
> domain within that zone that cannot be answered from the cache, the resolver
> must select which nameserver to direct the queries to. This process applies
> equally to the root zone as it does to any other zone within the DNS. Two
> commonly employed strategies for making this selection are: "identify the
> fastest nameserver and consistently use it" and "group nameservers based on
> response speed and select randomly within those groups." This document does 
> not
> advocate for any specific strategy, other than suggesting that resolvers 
> should
> not treat the root zone differently when making this decision. "
> 
> 
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-le...@ietf.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org

Reply via email to