Compact Denial of Existence in DNSSEC
draft-ietf-dnsop-compact-denial-of-existence-07
Yes
(Warren Kumari)
No Objection
Erik Kline
Jim Guichard
Mahesh Jethanandani
Orie Steele
(Francesca Palombini)
(John Scudder)
(Zaheduzzaman Sarker)
Note: This ballot was opened for revision 06 and is now closed.
Paul Wouters
Yes
Comment
(2025-02-19 for -06)
Sent
Just a few comments:
Since NODATA responses are generated for non-existent names
Should this not also say "not covered by a wildcard" ? I guess it depends on whether you consider "non-existent names" to mean "not covered by a wildcard". I think it wouldn't hurt to make this explicit in the text.
proves the delegation is unsigned by the absense of the DS bit.
The absence is of the DS RRtype, signified by a bit in the Type Bitmaps field. This brings the writing more in line with earlier mentions of the Type Bitmaps content. (also absense -> absence ?)
Last, the Appendix A and B look very similar to what we normally call Implementation Status (RFC 7942). Those sections are usually removed from the document before publication (to avoid them being used sort of as advertisement, and for quickly becoming outdated). I'm a bit on the fence here on whether it would align more with RFC 7942 to remove these from the final document.
Éric Vyncke
Yes
Comment
(2025-02-14 for -06)
Sent
# Éric Vyncke, INT AD, comments for draft-ietf-dnsop-compact-denial-of-existence-06 CC @evyncke Thank you for the work put into this document. Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education). Special thanks to Suzanne Woolf for the shepherd's detailed write-up including the WG consensus *and* the justification of the intended status. Other thanks to Antoine Fressancourt, the Internet directorate reviewer (at my request), and I have read Shumon's reply: https://datatracker.ietf.org/doc/review-ietf-dnsop-compact-denial-of-existence-06-intdir-telechat-fressancourt-2025-02-10/ Other thanks to Patrick Mevzek , the DNS directorate reviewer, and I have read Shumon's reply: https://datatracker.ietf.org/doc/review-ietf-dnsop-compact-denial-of-existence-06-dnsdir-telechat-mevzek-2025-02-02/ I hope that this review helps to improve the document, Regards, -éric ## COMMENTS (non-blocking) ### Section 3.5 Please expand `EDE` at first use. ### Section 4 Should there be a normative reference to base32 ? ### Section 5.1 A nice and smart trick ;-) ### Section 6 This section is about the drawback of the proposed system... While the section is clear and the technique appears to work fine in real life, I cannot refrain from wondering what will happen when DNSSEC is more widespread and with HAPPY WG probably requesting first SVCB, then AAAA, and finally A (i.e., 3 RR in a row). ### Section 8 Section 1 includes `The use of minimally covering NSEC or NSEC3 records also prevents adversaries from enumerating the entire contents of DNS zones by walking the NSEC chain,`, this is really important in IPv6 world as enumerating DNS is faster than enumerating a /64. I.e., suggest adding this positive consideration in the security section. ### Appendix B While this appendix helps the reader to assert the feasibility, it lacks references, i.e., how can the authors/WG/IETF assert this statement?
Deb Cooley
No Objection
Comment
(2025-02-12 for -06)
Sent
Thanks to Warren for the 'Cliff Notes' (they will be missed), and to Brian Weis for the early secdir review. Section 1, para 1: I did some RFC chasing. RFC4470 has no occurrences of 'white lies'. RFC7129 does, but it is listed as "NSEC3 White Lies". I'm guessing there is at least a typo here. I'm not knowledgeable about this to understand (how entrenched the language is), but I suspect the use of 'white' here is unfortunate. [the use of epsilon later in the sentence implies that 'small' might be a good substitute.] Section 8, para 4: Is there a reference for the 'so-called Water Torture attacks'? As a native English speaker, I know what that means, but it isn't clear to me that others will understand. Section 8, in general: No change required: I do think that this section covers the security concerns - exposure of private signing keys, denial of service (both due to computation requirements and due to multiple queries), transition issues, and preventing adversaries from DNS mapping (although this is in the Intro).
Erik Kline
No Objection
Gunter Van de Velde
(was Discuss)
No Objection
Comment
(2025-02-13 for -06)
Sent for earlier
Thank you for addressing my DISCUSS and considering all other comments
Jim Guichard
No Objection
Mahesh Jethanandani
No Objection
Orie Steele
No Objection
Roman Danyliw
No Objection
Comment
(2025-02-15 for -06)
Sent
Thank you to Elwyn Davies for the GENART review. ** Section 10. Be more precise with the registry names (i.e., using their actual names) OLD Allocate a new DNS Resource Record type code for NXNAME in the DNS parameters registry, from the meta type range. NEW Allocate a new DNS Resource Record type code for NXNAME from the "Resource Record (RR) TYPEs" registry in the "DNS parameters" registry group, from the meta type range. OLD Allocate the "Compact Answers OK" flag in the EDNS header, as described in Section 5.1. NEW Allocate the "Compact Answers OK" flag in the "EDNS Header Flags (16 bits) registry in the "Domain Name System (DNS) Parameters" registry group. Set the Flag field to "CO". OLD Allocate a code point for the "Invalid Query Type" Extended DNS Error in the DNS parameters registry, as described in Section 3.5. NEW Allocate a code point for the "Invalid Query Type" in the "Extended DNS Error Codes" registry in the "Domain Name System (DNS) Parameters" registry group, as described in Section 3.5.
Warren Kumari Former IESG member
Yes
Yes
(for -06)
Unknown
Francesca Palombini Former IESG member
No Objection
No Objection
(for -06)
Not sent
John Scudder Former IESG member
No Objection
No Objection
(for -06)
Not sent
Murray Kucherawy Former IESG member
(was Discuss)
No Objection
No Objection
(2025-02-27)
Sent for earlier
Thanks for dealing with my DISCUSS position. == [original comments for posterity] == Why the "SHOULD" in Section 3.1? What is the impact if I don't do that? Why might I legitimately choose not to do that? "SHOULD" implies there are answers to these questions. Some nits: * Section 1 varies between single and double quotes; is this intentional? * In Section 3.1, s/immedidate/immediate/ * Not at all necessary, but I suggest breaking Section 10 into a subsection for each action.
Zaheduzzaman Sarker Former IESG member
No Objection
No Objection
(for -06)
Not sent