On Wed, Feb 12, 2025 at 7:58 AM Deb Cooley via Datatracker <[email protected]> wrote:

> Deb Cooley has entered the following ballot position for
> draft-ietf-dnsop-compact-denial-of-existence-06: No Objection
> [...]

Thank you for your review Deb.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks to Warren for the 'Cliff Notes' (they will be missed), and to Brian
> Weis for the early secdir review.
>
> Section 1, para 1: I did some RFC chasing. RFC4470 has no occurrences of
> 'white lies'. RFC7129 does, but it is listed as "NSEC3 White Lies". I'm
> guessing there is at least a typo here. I'm not knowledgeable about this to
> understand (how entrenched the language is), but I suspect the use of 'white'
> here is unfortunate. [the use of epsilon later in the sentence implies that
> 'small' might be a good substitute.]

Your observation about the terms used in those RFCs is correct. There is no actual typo though. 4470 describes "Minimally Covering NSEC" which is colloquially known by almost everyone in the DNS industry as "White Lies" or "NSEC White Lies". I suspect the term "Minimally Covering NSEC" is far less familiar to most people, hence our choice to describe it as White Lies.

But I agree that this document should use terms officially described in prior documents. We can make a small revision to mention "Minimally Covering NSEC", and include NSEC White Lies in parentheses right after it.

7129 could have used "Minimally Covering NSEC3" by extension, but chose to use "NSEC3 White Lies", probably for a similar reason of using a much more familiar term.

> Section 8, para 4: Is there a reference for the 'so-called Water Torture
> attacks'? As a native English speaker, I know what that means, but it isn't
> clear to me that others will understand.

Let me see if I can find one. I did request a reference from the DNSOP colleague who originally suggested that we cite this attack - I don't think he was able to find one.

> Section 8, in general: No change required: I do think that this section
> covers the security concerns - exposure of private signing keys, denial of
> service (both due to computation requirements and due to multiple queries),
> transition issues, and preventing adversaries from DNS mapping (although
> this is in the Intro).

Thanks,
Shumon.
