Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Tony Finch writes:

> The text you wrote is exactly the kind of thing I was thinking of:
>
> > Operators of secondary services should advertise the parameter caps
> > their servers will support. Primaries need to ensure that secondaries
> > support the NSEC3 parameters they expect to use in their zones.
> > Primaries, after changing parameters, should query their secondaries
> > with appropriate known non-existent queries to verify the secondary
> > servers are responding as expected.

FYI, I did put text in that hopefully will fulfill your requirements. Hope to get a new version out soon.

-- 
Wes Hardaker
USC/ISI

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Benno Overeinder writes:

> The chairs will ask the authors to resubmit the document with the name
> draft-ietf-dnsop-nsec3-guidance.

Excellent, I've submitted a draft and it's now awaiting your approval.

Thanks to everyone that has submitted comments so far. We have a bit more work to do in order to get consensus around a few points, but I don't think this should be a long process to get out the door. Please do drop comments to the list about any changes, or feel free to submit PRs as well.

-- 
Wes Hardaker
USC/ISI
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Wes Hardaker wrote:

> So, what guidance do we want to insert?

The text you wrote is exactly the kind of thing I was thinking of:

> Operators of secondary services should advertise the parameter caps
> their servers will support. Primaries need to ensure that secondaries
> support the NSEC3 parameters they expect to use in their zones.
> Primaries, after changing parameters, should query their secondaries
> with appropriate known non-existent queries to verify the secondary
> servers are responding as expected.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
South Fitzroy: Northerly 4 to 6 in southeast, otherwise variable 2 to 4. Rough, becoming moderate or rough. Fair. Good.
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Dear DNSOP WG,

Thank you for your feedback and willingness to contribute text or review the document in the working group.

The two weeks for the call for adoption have ended and, with good support from the WG, the document is adopted as a WG Internet-Draft.

The chairs will ask the authors to resubmit the document with the name draft-ietf-dnsop-nsec3-guidance.

Thanks,

-- Benno
DNSOP co-chair

On 23/05/2021 09:54, Loganaden Velvindron wrote:
> I also support adoption of this document.
>
> On Sat, May 22, 2021 at 3:06 AM Puneet Sood wrote:
>> I support adoption of this document to provide guidance for operators to pick
>> sensible NSEC3 parameters and for expected resolver behavior.
>>
>> -Puneet
>>
>> On Mon, May 10, 2021 at 4:56 AM Benno Overeinder wrote:
>>> Hi all,
>>>
>>> As a follow-up to the presentation by Wes Hardaker at the IETF 110 DNSOP
>>> meeting, we want to start a call for adoption of
>>> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>>>
>>> With the presentation at the DNSOP meeting on IETF 110, there was
>>> sufficient general support in the (virtual) room to adopt the draft as a
>>> working group document.
>>>
>>> Now we will start a period of two weeks for the call for adoption of
>>> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>>>
>>> The draft is available here:
>>> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>>>
>>> Please review this draft to see if you think it is suitable for adoption
>>> by DNSOP, and send comments to the list, clearly stating your view.
>>>
>>> Please also indicate if you are willing to contribute text, review, etc.
>>>
>>> This call for adoption ends: 24 May 2021
>>>
>>> Thanks,
>>>
>>> -- Benno
>>>
>>> DNSOP co-chair
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
I also support adoption of this document.

On Sat, May 22, 2021 at 3:06 AM Puneet Sood wrote:
>
> I support adoption of this document to provide guidance for operators to pick
> sensible NSEC3 parameters and for expected resolver behavior.
>
> -Puneet
>
> On Mon, May 10, 2021 at 4:56 AM Benno Overeinder wrote:
>>
>> Hi all,
>>
>> As a follow-up to the presentation by Wes Hardaker at the IETF 110 DNSOP
>> meeting, we want to start a call for adoption of
>> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>>
>> With the presentation at the DNSOP meeting on IETF 110, there was
>> sufficient general support in the (virtual) room to adopt the draft as a
>> working group document.
>>
>> Now we will start a period of two weeks for the call for adoption of
>> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>>
>> The draft is available here:
>> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>>
>> Please review this draft to see if you think it is suitable for adoption
>> by DNSOP, and send comments to the list, clearly stating your view.
>>
>> Please also indicate if you are willing to contribute text, review, etc.
>>
>> This call for adoption ends: 24 May 2021
>>
>> Thanks,
>>
>> -- Benno
>>
>> DNSOP co-chair
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
I support adoption of this document to provide guidance for operators to pick sensible NSEC3 parameters and for expected resolver behavior.

-Puneet

On Mon, May 10, 2021 at 4:56 AM Benno Overeinder wrote:
> Hi all,
>
> As a follow-up to the presentation by Wes Hardaker at the IETF 110 DNSOP
> meeting, we want to start a call for adoption of
> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>
> With the presentation at the DNSOP meeting on IETF 110, there was
> sufficient general support in the (virtual) room to adopt the draft as a
> working group document.
>
> Now we will start a period of two weeks for the call for adoption of
> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send comments to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.
>
> This call for adoption ends: 24 May 2021
>
> Thanks,
>
> -- Benno
>
> DNSOP co-chair
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Tony Finch writes:

> The draft is operational advice, so I think the relevant advice here is
> that if you are signing your zone with slow NSEC3 parameters, make sure
> your secondaries are willing to serve such a zone first.

[this is sort of unrelated to the call for adoption, but is good discussion about future text]

So, what guidance do we want to insert? We have two potential pieces of guidance to include: guidance for primaries and guidance for secondaries. Maybe something like (better wordsmithing needed still):

Operators of secondary services should advertise the parameter caps their servers will support. Primaries need to ensure that secondaries support the NSEC3 parameters they expect to use in their zones. Primaries, after changing parameters, should query their secondaries with appropriate known non-existent queries to verify the secondary servers are responding as expected.

-- 
Wes Hardaker
USC/ISI
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
On 11/05/2021 18.17, Wes Hardaker wrote:
>> I'd also expect something on limits accepted by secondaries. And some
>> details are probably up to further discussion (e.g. particular numbers
>> and SERVFAIL), but I don't think such details would block adoption.
>
> That's certainly an interesting thing to think about, but it starts to
> get in between the relationship of primaries and secondaries. Is that
> something that should be "standardized"?

I'm not really a good person to ask about these relationships. Anyway, if some values were to get standardized to cause SERVFAIL in validators, I would expect also secondaries to refuse them, though perhaps that's more of an advice or setting expectations (contrary to the validator part, which I consider an incompatible change in protocol). Naturally, signers should be at least as strict, too, e.g. refuse to go in the range that gets standardized to cause a downgrade.
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Wes Hardaker wrote:

> Vladimír Čunát writes:
>
> > I'd also expect something on limits accepted by secondaries. And some
> > details are probably up to further discussion (e.g. particular numbers
> > and SERVFAIL), but I don't think such details would block adoption.
>
> That's certainly an interesting thing to think about, but it starts to
> get in between the relationship of primaries and secondaries. Is that
> something that should be "standardized"?

The draft is operational advice, so I think the relevant advice here is that if you are signing your zone with slow NSEC3 parameters, make sure your secondaries are willing to serve such a zone first.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Fair Isle: Cyclonic becoming northeast, 4 to 6. Moderate or rough. Rain, fog patches. Moderate or good, occasionally very poor.
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Vladimír Čunát writes:

Hi Vladimír,

Thanks for the comments.

> I'd also expect something on limits accepted by secondaries. And some
> details are probably up to further discussion (e.g. particular numbers
> and SERVFAIL), but I don't think such details would block adoption.

That's certainly an interesting thing to think about, but it starts to get in between the relationship of primaries and secondaries. Is that something that should be "standardized"?

-- 
Wes Hardaker
USC/ISI
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Olafur Gudmundsson writes:

> I guess I support the document but would like it to say
> "Please do not use NSEC3, but if you have to use NSEC3, use these
> settings"

Thanks Olafur. I think we originally had some text in there like that, but took it out. It looks like (currently) there may be consensus to put something like that in; we'll put that on a todo list for the next version.

-- 
Wes Hardaker
USC/ISI
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
I will contribute text, review, etc. It is suitable for adoption by DNSOP.

Roy

> On 10 May 2021, at 09:55, Benno Overeinder wrote:
>
> Hi all,
>
> As a follow-up to the presentation by Wes Hardaker at the IETF 110 DNSOP
> meeting, we want to start a call for adoption of
> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>
> With the presentation at the DNSOP meeting on IETF 110, there was
> sufficient general support in the (virtual) room to adopt the draft as a
> working group document.
>
> Now we will start a period of two weeks for the call for adoption of
> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>
> Please review this draft to see if you think it is suitable for adoption by
> DNSOP, and send comments to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.
>
> This call for adoption ends: 24 May 2021
>
> Thanks,
>
> -- Benno
>
> DNSOP co-chair
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
I support the document to become a working group document, and I am willing to review.

Best regards,

Matthijs

On 10-05-2021 10:55, Benno Overeinder wrote:
> Hi all,
>
> As a follow-up to the presentation by Wes Hardaker at the IETF 110 DNSOP
> meeting, we want to start a call for adoption of
> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>
> With the presentation at the DNSOP meeting on IETF 110, there was
> sufficient general support in the (virtual) room to adopt the draft as a
> working group document.
>
> Now we will start a period of two weeks for the call for adoption of
> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send comments to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.
>
> This call for adoption ends: 24 May 2021
>
> Thanks,
>
> -- Benno
>
> DNSOP co-chair
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
On Mon, 10 May 2021, Benno Overeinder wrote:

> Now we will start a period of two weeks for the call for adoption of
> draft-hardaker-dnsop-nsec3-guidance on the mailing list.
>
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send comments to the list, clearly stating your view.

Please adopt. Willing to review and contribute text.

I think what is missing is a discussion of online signing with NSEC3 white lies; it does make it harder to brute force, since you can't grab the full chain of hashed names.

Paul
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
On Mon, 10 May 2021, Olafur Gudmundsson wrote:

> I guess I support the document but would like it to say
> "Please do not use NSEC3, but if you have to use NSEC3, use these settings"
>
> The document should point out how trivial it is to expose most names in an
> NSEC3-signed zone using graphics cards and dictionaries.

But it should also then say something about opt-out, which might be harder to agree on (imho: "really, we have the RAM/CPU/SSD/DISK now, you should not use opt-out").

Paul
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
On Mon, May 10, 2021 at 12:07 PM Peter van Dijk wrote:

> On Mon, 2021-05-10 at 10:55 +0200, Benno Overeinder wrote:
> > The draft is available here:
> > https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
> >
> > Please review this draft to see if you think it is suitable for adoption
> > by DNSOP, and send comments to the list, clearly stating your view.
> >
> > Please also indicate if you are willing to contribute text, review, etc.
>
> I support adoption of this draft, and am willing to review and
> contribute text (in fact, I have already done so at small scale).
>
> I think the draft really deserves some text on when not to use NSEC3 at
> all (i.e. when to pick NSEC instead) and I would be happy to contribute
> that too, if nobody beats me to it.

I support adoption of this draft, and concur with what Peter says (regarding NSEC). I'm willing to review and, as time permits, contribute text.

Brian
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
I guess I support the document but would like it to say "Please do not use NSEC3, but if you have to use NSEC3, use these settings".

The document should point out how trivial it is to expose most names in an NSEC3-signed zone using graphics cards and dictionaries.

Olafur

> On May 10, 2021, at 1:20 PM, Tony Finch wrote:
>
> Benno Overeinder wrote:
>>
>> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>
> Yes, this is a helpful document that should be adopted by dnsop. I'm happy
> to review etc.
>
> Tony.
> -- 
> f.anthony.n.finch  https://dotat.at/
> Biscay: Southwest 3 to 5 increasing 5 to 7. Rough, occasionally
> moderate in east, becoming very rough in west. Thundery showers. Good,
> occasionally poor.
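Two points in this thread lend themselves to a runnable illustration: Wes's proposed guidance that a primary, after changing NSEC3 parameters, should query its secondaries for a known non-existent name and verify the denial it gets back, and Olafur's and Paul's point that the owner names behind an NSEC3 chain fall to a dictionary run. The script below is an added example, not text or code from the thread, the draft, or any of the participants. The zone contents, the two parameter sets, the probe name and the wordlist are all constructed for the demonstration; the only real-world value is the RFC 5155 Appendix A hash vector used as a self-check. The NSEC3 records that a secondary would return are modelled as already-parsed objects, because the point is the check, not the DNS I/O.

```python
"""NSEC3 chain probe and dictionary recovery (added example; hypothetical zone data)."""
import base64
import hashlib
from dataclasses import dataclass

# RFC 5155 section 5: hash = SHA-1 applied (iterations + 1) times to
# (wire-format owner name || salt), then base32hex-encoded (RFC 4648 "Extended Hex").
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")


@dataclass(frozen=True)
class Nsec3Param:
    algorithm: int = 1      # 1 = SHA-1, the only NSEC3 hash algorithm registered
    iterations: int = 0
    salt: bytes = b""


@dataclass(frozen=True)
class Nsec3:
    owner_hash: str         # base32hex hash of the record's owner name
    next_hash: str          # base32hex hash of the next owner in the chain
    param: Nsec3Param       # parameters the record was generated with


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, p: Nsec3Param) -> str:
    if p.algorithm != 1:
        raise ValueError("unknown NSEC3 hash algorithm %d" % p.algorithm)
    digest = hashlib.sha1(wire_name(name) + p.salt).digest()
    for _ in range(p.iterations):
        digest = hashlib.sha1(digest + p.salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX)


def rfc5155_vector_ok() -> bool:
    """Self-check against RFC 5155 Appendix A: 'example.' with salt aabbccdd and 12 iterations."""
    p = Nsec3Param(iterations=12, salt=bytes.fromhex("aabbccdd"))
    return nsec3_hash("example.", p).lower() == "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"


def build_chain(names, p: Nsec3Param):
    """What a signer emits: records sorted by hash, the last one wrapping to the first."""
    hashes = sorted(nsec3_hash(n, p) for n in names)
    return [Nsec3(h, hashes[(i + 1) % len(hashes)], p) for i, h in enumerate(hashes)]


def covers(rec: Nsec3, h: str) -> bool:
    """True if h lies strictly inside the gap (owner, next); handles the wrap-around record."""
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


def check_denial(qname: str, expected: Nsec3Param, answer):
    """Probe check from the guidance in the thread: does a secondary's denial for a
    known non-existent name use the parameters the primary now signs with?
    `answer` is the NSEC3 RRset from the authority section, parsed elsewhere.
    This is an operational liveness probe, not a validator: a validator additionally
    needs the closest-encloser and wildcard proofs of RFC 5155 section 8."""
    if not answer:
        return False, "no NSEC3 records in response"
    stale = [r for r in answer if r.param != expected]
    if stale:
        return False, "NSEC3 with stale parameters: iterations=%d salt=%s" % (
            stale[0].param.iterations, stale[0].param.salt.hex() or "-")
    h = nsec3_hash(qname, expected)
    if any(r.owner_hash == h for r in answer):
        return False, "name exists according to the chain"
    if not any(covers(r, h) for r in answer):
        return False, "no NSEC3 record covers %s" % h
    return True, "ok"


def recover_names(chain, zone: str, p: Nsec3Param, wordlist):
    """Offline dictionary attack: hash each guess with the zone's parameters and look it
    up among the chain's owner hashes. The same loop on a GPU runs at billions of
    SHA-1 evaluations per second, which is the exposure Olafur and Paul describe."""
    owners = {r.owner_hash for r in chain}
    return {h: "%s.%s" % (w, zone) for w in wordlist
            if (h := nsec3_hash("%s.%s" % (w, zone), p)) in owners}


# Constructed toy zone, parameter sets and probe; none of these come from the draft.
ZONE = "example.com"
ZONE_NAMES = ["example.com", "www.example.com", "mail.example.com", "xq7-internal.example.com"]
OLD = Nsec3Param(iterations=100, salt=bytes.fromhex("aabbccdd"))   # parameters before the change
NEW = Nsec3Param(iterations=0, salt=b"")                            # parameters after the change
PROBE = "this-name-does-not-exist.example.com"


def demo():
    fresh = build_chain(ZONE_NAMES, NEW)    # secondary that has transferred the re-signed zone
    stale = build_chain(ZONE_NAMES, OLD)    # secondary still serving the previous chain
    return {
        "fresh": check_denial(PROBE, NEW, fresh),
        "stale": check_denial(PROBE, NEW, stale),
        "recovered": recover_names(fresh, ZONE, NEW, ["www", "mail", "ftp", "vpn"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In practice the `answer` argument would come from the authority section of an NXDOMAIN returned by each secondary (with DO set), and the probe name should be one the primary is certain does not exist, so that a "name exists" result is itself a finding. The recovery half deliberately uses a four-word list: the point is that the only thing standing between an attacker and the zone's names is the wordlist and the number of SHA-1 calls they are willing to spend.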
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
On Mon, 2021-05-10 at 10:55 +0200, Benno Overeinder wrote:
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send comments to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.

I support adoption of this draft, and am willing to review and contribute text (in fact, I have already done so at small scale).

I think the draft really deserves some text on when not to use NSEC3 at all (i.e. when to pick NSEC instead) and I would be happy to contribute that too, if nobody beats me to it.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
I like the document, but the section on validators recommends not to follow requirements from RFC 5155, so I don't expect that best-practice track is sufficient. And I do think we need a similar update to 5155, be it in this document or a separate one.

I'd also expect something on limits accepted by secondaries. And some details are probably up to further discussion (e.g. particular numbers and SERVFAIL), but I don't think such details would block adoption.

--Vladimir | knot-resolver.cz
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
I support the adoption of the document.

Yours,
Daniel

On Mon, May 10, 2021 at 1:21 PM Tony Finch wrote:

> Benno Overeinder wrote:
> >
> > https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.
>
> Yes, this is a helpful document that should be adopted by dnsop. I'm happy
> to review etc.
>
> Tony.
> -- 
> f.anthony.n.finch  https://dotat.at/
> Biscay: Southwest 3 to 5 increasing 5 to 7. Rough, occasionally
> moderate in east, becoming very rough in west. Thundery showers. Good,
> occasionally poor.

-- 
Daniel Migault
Ericsson
Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Benno Overeinder wrote:
>
> https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.

Yes, this is a helpful document that should be adopted by dnsop. I'm happy to review etc.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Biscay: Southwest 3 to 5 increasing 5 to 7. Rough, occasionally moderate in east, becoming very rough in west. Thundery showers. Good, occasionally poor.
[DNSOP] Call for Adoption: draft-hardaker-dnsop-nsec3-guidance
Hi all,

As a follow-up to the presentation by Wes Hardaker at the IETF 110 DNSOP meeting, we want to start a call for adoption of draft-hardaker-dnsop-nsec3-guidance on the mailing list.

With the presentation at the DNSOP meeting on IETF 110, there was sufficient general support in the (virtual) room to adopt the draft as a working group document.

Now we will start a period of two weeks for the call for adoption of draft-hardaker-dnsop-nsec3-guidance on the mailing list.

The draft is available here:
https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/.

Please review this draft to see if you think it is suitable for adoption by DNSOP, and send comments to the list, clearly stating your view.

Please also indicate if you are willing to contribute text, review, etc.

This call for adoption ends: 24 May 2021

Thanks,

-- Benno
DNSOP co-chair