On 26. 11. 21 9:43, Matthijs Mekking wrote:
> On 25-11-2021 13:00, Petr Špaček wrote:
>> On 25. 11. 21 9:33, Matthijs Mekking wrote:
>>>
>>> 3.2.  Recommendation for validating resolvers
>>>
>>> I understand why the new text is here, but I think this now actually gives too little advice for operators and vendors.
>>>
>>> I know, this is a vague comment, I need to think about it a bit more.
>>
>> Honestly I can't see anything more specific which will not get out of date quickly.
>
> Can we make use of the keyword MAY? This allows I think for text that will not get out of date:
>
>     Validating resolvers MAY return an insecure response when processing
>     NSEC3 records with iterations larger than 0. Validating resolvers MAY
>     also return SERVFAIL when processing NSEC3 records with iterations
>     larger than 0. This significantly decreases the requirements
>     originally specified in Section 10.3 of [RFC5155]. See the Security
>     Considerations for arguments on how to handle responses with non-zero
>     iteration count.
>
> Having text that says "MAY do this at value X" is more quantifiable and IMO a stronger signal that zone publishers really should not use value X.

Yes, I like this!

Maybe your proposed text can be prepended/appended to the current content of 3.2. Recommendation for validating resolvers, so we can keep the "vendors are encouraged to continue evaluating NSEC3 iteration count deployments" part?

--
Petr Špaček
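To make the proposed "MAY return insecure / MAY return SERVFAIL" policy concrete, here is an added example (not code from the draft, from BIND, or from anyone in this thread) that parses the NSEC3 RDATA wire format from RFC 5155 to pull out the iteration count and then applies a threshold policy of that shape. The threshold values, the function names and the sample record are assumptions constructed for illustration; the proposed text itself only says validators MAY act on any iteration count larger than 0.

```python
import struct

# Added example, not from the draft or the thread. The thresholds below are
# illustrative assumptions; the proposed text only says validators MAY treat
# iterations > 0 as insecure or answer SERVFAIL.

def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Return the fields of an NSEC3 RDATA blob (RFC 5155 s.3.2), checking lengths."""
    if len(rdata) < 5:
        raise ValueError("NSEC3 RDATA shorter than fixed header")
    # Hash Alg (1), Flags (1), Iterations (2, network order), Salt Length (1)
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated salt")
    pos += salt_len
    if pos >= len(rdata):
        raise ValueError("missing hash length octet")
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    if len(next_hashed) != hash_len:
        raise ValueError("truncated next hashed owner name")
    pos += hash_len
    return {
        "hash_alg": hash_alg, "flags": flags, "iterations": iterations,
        "salt": salt, "next_hashed": next_hashed, "type_bitmap": rdata[pos:],
    }

def nsec3_policy(iterations: int, insecure_above: int, servfail_above: int) -> str:
    """Map an iteration count to the validator outcome: validate, insecure or SERVFAIL."""
    if iterations > servfail_above:
        return "SERVFAIL"
    if iterations > insecure_above:
        return "insecure"
    return "validate"

def classify(rdata: bytes, insecure_above: int = 0, servfail_above: int = 100) -> str:
    """Parse one NSEC3 RDATA and decide how a validator following the policy treats it."""
    return nsec3_policy(parse_nsec3_rdata(rdata)["iterations"], insecure_above, servfail_above)

# Constructed sample: SHA-1, flags 0, 150 iterations, 4-octet salt, 20-octet hash,
# type bitmap window 0 with only the A bit set.
SAMPLE_RDATA = (struct.pack("!BBHB", 1, 0, 150, 4) + b"\xaa\xbb\xcc\xdd"
                + bytes([20]) + bytes(range(20)) + b"\x00\x01\x40")

if __name__ == "__main__":
    print(parse_nsec3_rdata(SAMPLE_RDATA)["iterations"], classify(SAMPLE_RDATA))
```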

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop