On Mon, Feb 29, 2016 at 9:12 AM Shane Kerr <[email protected]> wrote:

> Ed,
>
> At 2016-02-29 12:51:16 +0000
> Edward Lewis <[email protected]> wrote:
>
> > On 2/25/16, 17:58, "DNSOP on behalf of Warren Kumari"
> > <[email protected] on behalf of [email protected]> wrote:
> >
> > >We have recently updated "Believing NSEC records in the DNS root"
> > >(https://tools.ietf.org/html/draft-wkumari-dnsop-cheese-shop-01).
> >
> > My objection to this document is based on the draft's proposal to specify
> > a change to the protocol based on the data being carried in one particular
> > deployment of the protocol.
>
> Interesting concern, although I don't see how it can be otherwise. We
> don't know what the properties of future protocols will be, so I don't
> know how we can specify what the behavior of resolvers using such
> protocols would be.
>
> > If the DNS is built to assume that the root zone is DNSSEC signed with
> > NSEC records and this is then "burned into software" the other
> > inter-networks will be given the choice of having to turn on DNSSEC and
> > NSEC for their root zone or developing other software.  (Or...other
> > inconvenient mitigations.)
>
> Can't a couple sentences address this concern?
>
> "If the root zone is not DNSSEC signed with NSEC records then the
> Cheese Shop is closed and this document does not apply. Resolvers MUST
> continue to work in such an environment."
>


I *think* that the document / proposal implicitly handles this case already.

If the root (of whatever tree / name resolution system you have) is not
DNSSEC signed, you do not get back valid NSEC records. If you do not get
back valid NSEC records, there is no work to do.
I guess I could sprinkle "DNS" all over:
"The scope of this document is limited to the special case of recursive
DNSSEC validating resolvers querying the root zone.", e.g.
"The scope of this document is limited to the special case of recursive
DNSSEC validating resolvers querying the IANA administered DNS root zone."

I'm (as always) happy to accept text - I've tossed Shane's in to make it
clearer (?) - editor copy:
https://github.com/wkumari/draft-wkumari-dnsop-cheese-shop

I also have some comments from Jinmei (thanks!) to incorporate, hopefully
later this afternoon.

W


>
> Cheers,
>
> --
> Shane
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
>
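
The behaviour described in the reply above, as an added example that is not part of the original message or the draft: a resolver caches only DNSSEC-validated NSEC ranges from the root and synthesizes NXDOMAIN for TLDs they cover, so with an unsigned root nothing is cached and every query goes upstream as before. The class and function names, the boolean `validated` flag and the sample zone data are assumptions; TTL expiry is not modelled.

```python
# Added example: resolver-side NSEC range cache for the root zone.
# Assumptions: DNSSEC validation happens elsewhere and is passed in as a
# boolean; the root zone has no wildcard; all names used with it are constructed.

def label_key(name):
    """Canonical sort key (RFC 4034 section 6.1) for '.' or a single-label TLD."""
    return name.rstrip(".").lower().encode("ascii")  # root '.' -> b'', sorts first

def tld_of(qname):
    """Rightmost label of a query name as a fully qualified TLD ('.' for root)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return labels[-1] + "." if labels else "."

class RootNsecCache:
    def __init__(self):
        self.ranges = []  # (owner_key, next_key), from validated NSECs only

    def add_nsec(self, owner, next_name, validated):
        # Unsigned root or failed validation: nothing is cached, so the
        # resolver never synthesizes an answer and behaves as it always did.
        if not validated:
            return False
        self.ranges.append((label_key(owner), label_key(next_name)))
        return True

    def covers(self, qname):
        """True if a cached NSEC proves the TLD of qname does not exist."""
        k = label_key(tld_of(qname))
        for owner, nxt in self.ranges:
            if owner < nxt:
                # Strictly between owner and next: an existing TLD (k == owner)
                # is a delegation and is never denied by its own NSEC.
                if owner < k < nxt:
                    return True
            elif k > owner:  # last NSEC in the chain wraps back to the apex
                return True
        return False

    def resolve(self, qname):
        return "NXDOMAIN (synthesized)" if self.covers(qname) else "ASK-ROOT"
```
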