DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
draft-ietf-dnsext-nsec-rdata-06

[Ballot comment]
There was a quite clear WG consensus determination on NXT's/NSEC's privacy issues years
ago with European regulations and the DNS design in mind then.  Perhaps the problem
was lack of community-wide Last Call at that time.  Hmm.

[Ballot comment]
The WG revisiting NO and the privacy issue on NSEC strikes me as an IETF discipline
problem.  There was a quite clear WG consensus determination on this some years
back, with European regulations and the DNS design in mind then.  Perhaps the problem
was lack of community-wide Last Call at that time.  Hmm.

[Ballot comment]
Reviewed by Mark Allman, Gen-ART
Minor things ...

  + old boilerplate

  + look for "must" and think about whether it should be "MUST"

  + the citation to "RFC TCR" since it's an i-d

The document seems fine to me.

[Ballot comment]
Front page (top left) has: Updates: RFC 2535, RFC TCR (if approved)

- We normally want the "Updates xxx..." also in the abstract.

I wonder if the security considerations section should have some
text about the privacy-concerns that have apparantly been discussed.

[Ballot comment]
Front page (top left) has: Updates: RFC 2535, RFC TCR (if approved)

- We normally want the "Updates xxx..." also in the abstract.

[Ballot comment]
I'm very concerned by reports that some European sites can't/won't deploy NSEC because they feel it conflicts with European privacy law.  I have sympathy for this position -- I wrote my own draft addressing the issue 2.5 years ago.  But we have an installed base that uses a similar technique (NXT records), which leaves us with the problem of running code that may not be deployable.

[Ballot comment]
The graphic in section 2.1 should note that the fields are of variable length as described in later text.  The length appears to be fixed at 32 units, but no units are specified and there's nothing to note that the fields can be shorter or longer unless one assumes that the "/" characters imply variability.

From: Jakob Schlyter
To: Thomas Narten
Cc: Olaf Kolkman , Margaret Wasserman ,
  Olafur Gudmundsson
Date: Thu, 6 May 2004 22:05:19 +0200
Subject: Re: AD review of draft-ietf-dnsext-nsec-rdata-05.txt

> So IETF LC is ending  for this document, and I didn't see any comments
> (did anyone else)? So am I correct in assuming that this document
> needs a revision and then I can send it to the IESG?
>
> Please confirm (and that the authors agree and understand what changes
> are needed).

yes, I will make the changes discussed early next week.


j

From: Thomas Narten
To: Olafur Gudmundsson , Olaf Kolkman ,
    jakob@schlyter.se
cc: Margaret Wasserman
Date: Tue, 20 Apr 2004 14:56:44 -0400
Subject: AD review of draft-ietf-dnsext-nsec-rdata-05.txt

I have what I assume are just minor editorial questions/suggestions
(see below). If we can get a revised ID out relatively quickly, I'd
like to delay the IETF LC until then. But I'm also willing to going
forward now with the current draft if revising the document is
problematical. Please let me know how you want to proceed.

Thomas

abstract doesn't satisfy ID nits. neither does title.

>    This document updates RFC 2535 [3] and RFC TCR [6].

Does this document really update 2535? Seems to me, in _only_ updates
[6], since  these changes do not apply to NXT.

>    the name and typecode. The RDATA format for the NXT RR had a
>    limitation in that, without using a yet undefined extension
>    mechanism, the the RDATA could only carry information about the
>    existence of the first 127 types.


awkward. Possible replacement:

  The RDATA format for the NXT RR has the limitation in that the
  RDATA could only carry information about the existence of the first
  127 types. RFC 2535 did reserve a bit to specify an extension
  mechanism, but the mechanism was never actually defined.

>    To prevent the introduction of an extension mechanism into a deployed
>    base of DNSSEC aware servers and resolvers, once the first 127 type
>    codes are allocated, this document redefines the wire format of the
>    "Type Bit Map" field in the NSEC RDATA to cover the full RR type
>    space.

better(?):

  In order to avoid the need to develop an extension mechanism into a
  deployed base of DNSSEC aware servers and resolvers once the first
  127 type codes are allocated, this document redefines the wire
  format of the "Type Bit Map" field in the NSEC RDATA to cover the
  full RR type space.

>    possible range of typecodes, that it is relatively economic in the

s/economic/econmical/

>    A sender MUST NOT use DNS name compression on the Next Domain Name
>    field when transmitting an NSEC RR.  A receiver which receives an
>    NSEC RR containing a compressed Next Domain Name field SHOULD
>    decompress the field value.

seems odd that a new RR (not ancient) suggests uncompressing them,
when it is clearly a protocol violation to compress them. Seems the
last sentence is not appropriate (for NSEC).

>    Owner names of RRsets not authoritative for the given zone (such as
>    glue records) MUST NOT be listed in the Next Domain Name unless at
>    least one authoritative RRset exists at the same owner name.

Presumably non-authoritative RRsets have types. Are they included in
the type map? In particular, is this question covered by the following
text (that occurs later):

>    Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [4]
>    (section 3.1) or within the range reserved for assignment only to
>    QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
>    zone data.  If encountered, they must be ignored upon reading.

>    Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +

what does the  "+" denote here? Oh. 1 or more, I guess.

>    [2]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
>        2308, March 1998.

IMO, this  reference is not normative. It just explains a SHOULD.

From: "Olaf M. Kolkman"
To: "Thomas Narten" ,
  "Margaret Wasserman"
Cc: namedroppers@ops.ietf.org, jakob@schlyter.se
Date: Wed, 24 Mar 2004 09:16:56 +0100
Subject: Advance: draft-ietf-dnsext-nsec-rdata-05.txt




Thomas, Margaret,

Hereby the advancement questionnaire
(www.mip4.org/2004/draft-writeup-items.html) for
"DNSSEC NSEC RDATA Format" draft-ietf-dnsext-nsec-rdata-05.txt.

The questionaire serves as a request to advance the document
to proposed standard.


1. Chairs review.

The chair responsible for tracking this document has read it and
considers it ready for IESG review.


2. Working Group member review.

The proposed format has been discussed on the list as well as during
the IETF 58 meeting. The content of the comments received during last
call indicate that a number of people have closely reviewed the document.

3. Is more review from a particular perspective needed.

In the chairs opinion not.

4. Specific Issues and concerns the AD/IESG should be aware of.

The document _only_ changes a format. The security section therefore
does not go into the details of NSEC security. Note however that the
text describing this format will be directly 'cut-n-pasted' into the
dnssec-bis document set. The dnssec-bis intro document set covers the
security considerations, e.g. NSEC cain walking, in more detail.

5. How solid is the WG consensus.

The format was chosen during IETF58. The document itself got explicit
consensus from only a few individuals. On the other hand this is has
not been contentious issue.

6. Thread for appeal.

None.

7. _all_ ID nits addressed.

All are addressed.

8. References

There is a normative reference to an I-D that has been advanced.  Also
not that this document will be merged and obsoleted by the dnssec-bis
document set.


9. Writeup.

Technical Summary

  To prevent the introduction of an extension mechanism once DNSSEC
  has a deployed base this document redefines the wire format of the
  "Type Bit Map" field in the NSEC resource record RDATA format to
  cover the full RR type space.

  The new format of the type bitmap is easy to implement, can cover
  the full range of type codes, is economical in the common case and
  has a maximum size of approximately 8.5 kilobytes. Efficient searching
  of the type bitmap for presence of a type had a lower priority.

Working Group Summary

  The format was chosen from 6 different candidates that were
  presented to the working group. There is consensus on the chosen
  representation.
 

Protocol Quality

  There are 3 independent implementations of this format. 1 implementation
  provides both a server and a client, 1 implementation only a server and
  1 implementation only a client. These interoperate.





-- Olaf Kolkman
  Olafur Gudmundsson