[ Apologies for delay in getting to these. The draft-cutoff is a wonderful motivator! ]
On Tue, Dec 16, 2014 at 12:57 PM, Evan Hunt <e...@isc.org> wrote: > On Tue, Dec 16, 2014 at 10:47:33AM +0000, Tony Finch wrote: >> That is a good point. Happily I think the draft already makes it hard for >> operators to do that, since an NTA will be automatically removed if its >> zone validates (section 10). > > Thank you for pointing this out, Tony; I'd missed it when I read the draft, > and it would have been embarrassing if I'd gone ahead and posted my planned > comment to the effect that there ought to be text like this. :) > > > I will revise my planned comments to say there ought to be MORE text > like this. Mwah, weasel words :-) DONE. > > First, some clarification of of "attempt to validate the zone" is probably > called for. A resolver can't validate the entire zone; it can only spot- > check. BIND's method, for the record, is to send a periodic query for type > SOA at the NTA node; if it gets a response that it can validate (whether > the response was an actual SOA answer or a NOERROR/NODATA with appropriate > NSEC/NSEC3 records, which would imply that the NTA was placed at a node > which was not a zone cut [1]), the NTA is presumed no longer to be necessary > and is removed. (Note that under some circumstances, this is undesirable > behavior -- for example, if www.example.com had a bad signature, but > example.com/SOA was fine -- so we also provide a "force" option to set an > NTA which is *not* subject to this periodic spot-check.) DONE. Thanks for the text, I stole much of it, while making it clear that this is one way of implementing this. > > Second, I would upgrade the recommendation from "optimally this is > automatic" to at least a SHOULD, and maybe a MUST. DONE. > > Third, it's implied in section 8, but I would add to section 10 that > NTAs MUST expire automatically when their configured lifetime ends, and > that this lifetime MUST NOT exceed a week. DONE. I did this as a SHOULD, but could be convinced to change it to a MUST. I think that the operator running the recursive server has the final say, and so am uncomfortable forcing with a MUST, but am very much on the fence here. > My biggest fear with NTAs is > that someone will configure one and then forget about it forever. There > should be an expiry date associated with every NTA, and it should be > enforced by code. DONE. Oh, ok, I've been convinced and have changed the above SHOULD to a MUST :-) > > One final comment: in appendix A.2, the "rndc nta" description is > outdated and should now read: > > nta -dump > List all negative trust anchors. > nta [-lifetime duration] [-force] domain [view] > Set a negative trust anchor, disabling DNSSEC validation > for the given domain. > Using -lifetime specifies the duration of the NTA, up > to one week. The default is one hour. > Using -force prevents the NTA from expiring before its > full lifetime, even if the domain can validate sooner. > nta -remove domain [view] > Remove a negative trust anchor, re-enabling validation > for the given domain. DONE. Excellent, thank you for the text. W > > [1] ... which we presume to be legal, but maybe ought to be clarified > in the draft. Trust anchors are always at a zone apex; negative trust > anchors don't strictly need to be. > > -- > Evan Hunt -- e...@isc.org > Internet Systems Consortium, Inc. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
