| < draft-ietf-dnsop-nsec-ttl-01.txt | draft-ietf-dnsop-nsec-ttl-02.txt > | |||
|---|---|---|---|---|
| dnsop P. van Dijk | dnsop P. van Dijk | |||
| Internet-Draft PowerDNS | Internet-Draft PowerDNS | |||
| Updates: 4034, 4035, 5155 (if approved) 24 January 2021 | Updates: 4034, 4035, 5155 (if approved) 29 January 2021 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 28 July 2021 | Expires: 2 August 2021 | |||
| NSEC(3) TTLs and NSEC Aggressive Use | NSEC(3) TTLs and NSEC Aggressive Use | |||
| draft-ietf-dnsop-nsec-ttl-01 | draft-ietf-dnsop-nsec-ttl-02 | |||
| Abstract | Abstract | |||
| Due to a combination of unfortunate wording in earlier documents, | Due to a combination of unfortunate wording in earlier documents, | |||
| aggressive use of NSEC(3) records may deny names far beyond the | aggressive use of NSEC(3) records may deny names far beyond the | |||
| intended lifetime of a denial. This document changes the definition | intended lifetime of a denial. This document changes the definition | |||
| of the NSEC(3) TTL to correct that situation. This document updates | of the NSEC(3) TTL to correct that situation. This document updates | |||
| RFC 4034, RFC 4035, and RFC 5155. | RFC 4034, RFC 4035, and RFC 5155. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 28 July 2021. | This Internet-Draft will expire on 2 August 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 15 | skipping to change at page 2, line 15 | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 | 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 | |||
| 3. NSEC(3) TTL changes . . . . . . . . . . . . . . . . . . . . . 4 | 3. NSEC(3) TTL changes . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Updates to RFC4034 . . . . . . . . . . . . . . . . . . . 4 | 3.1. Updates to RFC4034 . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. Updates to RFC4035 . . . . . . . . . . . . . . . . . . . 4 | 3.2. Updates to RFC4035 . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. Updates to RFC5155 . . . . . . . . . . . . . . . . . . . 4 | 3.3. Updates to RFC5155 . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.4. No updates to RFC8198 . . . . . . . . . . . . . . . . . . 5 | 3.4. No updates to RFC8198 . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Zone Operator Considerations . . . . . . . . . . . . . . . . 5 | 4. Zone Operator Considerations . . . . . . . . . . . . . . . . 5 | |||
| 4.1. A Note On Wildcards . . . . . . . . . . . . . . . . . . . 5 | 4.1. A Note On Wildcards . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Normative References . . . . . . . . . . . . . . . . . . . . 6 | 7. Normative References . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. Informative References . . . . . . . . . . . . . . . . . . . 6 | 8. Informative References . . . . . . . . . . . . . . . . . . . 7 | |||
| Appendix A. Implementation Status . . . . . . . . . . . . . . . 6 | Appendix A. Implementation Status . . . . . . . . . . . . . . . 7 | |||
| Appendix B. Document history . . . . . . . . . . . . . . . . . . 7 | Appendix B. Document history . . . . . . . . . . . . . . . . . . 7 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| [RFC editor: please remove this block before publication. | [RFC editor: please remove this block before publication. | |||
| Earlier notes on this: | Earlier notes on this: | |||
| skipping to change at page 5, line 10 | skipping to change at page 5, line 10 | |||
| | The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL | | The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL | |||
| | field. This is in the spirit of negative caching [RFC2308]. | | field. This is in the spirit of negative caching [RFC2308]. | |||
| This is updated to say: | This is updated to say: | |||
| | The NSEC3 RR SHOULD have the same TTL value as the lesser of the | | The NSEC3 RR SHOULD have the same TTL value as the lesser of the | |||
| | MINIMUM field of the SOA record and the TTL of the SOA itself. | | MINIMUM field of the SOA record and the TTL of the SOA itself. | |||
| | This matches the definition of the TTL for negative responses in | | This matches the definition of the TTL for negative responses in | |||
| | [RFC2308]. | | [RFC2308]. | |||
| Where [RFC5155] says: | ||||
| | o The TTL value for any NSEC3 RR SHOULD be the same as the minimum | ||||
| | TTL value field in the zone SOA RR. | ||||
| This is updated to say: | ||||
| | o The TTL value for any NSEC3 RR SHOULD be the same as the lesser | ||||
| | of the MINIMUM field of the zone SOA RR and the TTL of the zone | ||||
| | SOA RR itself. | ||||
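The practical effect of the rewording in sections 3.1 to 3.3 is that the NSEC(3) TTL becomes the same value as the RFC 2308 negative-caching TTL, the lesser of the SOA MINIMUM field and the SOA's own TTL, rather than the SOA MINIMUM alone. The following is an added example, not text or code from the draft or from any implementation it lists: a small zone-file check that computes both values and flags NSEC/NSEC3 records whose TTL exceeds the updated limit. The zone data is constructed, the parser accepts only a one-line SOA, and the function names are this example's own.

```python
"""Check NSEC/NSEC3 TTLs in a zone against the updated rule.

Added example; not part of the draft or of any implementation it cites.
The zone data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: list


def parse_zone(text):
    """Parse a minimal presentation-format zone: one RR per line as
    'owner ttl IN type rdata...'. Comments and blank lines are skipped.
    The SOA must be on one line (no parentheses handling), for brevity."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, cls, rtype, *rdata = line.split()
        if cls.upper() != "IN":
            raise ValueError(f"unsupported class {cls!r} in {line!r}")
        rrs.append(RR(owner, int(ttl), rtype.upper(), rdata))
    return rrs


def soa_params(rrs):
    """Return (soa_ttl, soa_minimum) from the zone's SOA record.
    SOA rdata is: mname rname serial refresh retry expire minimum."""
    soa = next(r for r in rrs if r.rtype == "SOA")
    return soa.ttl, int(soa.rdata[6])


def nsec_ttl_rfc5155(soa_ttl, soa_minimum):
    """Original RFC 4034/5155 wording: NSEC(3) TTL = SOA MINIMUM."""
    return soa_minimum


def nsec_ttl_updated(soa_ttl, soa_minimum):
    """Updated wording: lesser of SOA MINIMUM and the SOA's own TTL.
    This is the same value as the RFC 2308 negative-caching TTL."""
    return min(soa_ttl, soa_minimum)


def lint_nsec_ttls(zone_text):
    """Report NSEC/NSEC3 RRs whose TTL exceeds the updated limit.
    Returns a list of (owner, type, actual_ttl, expected_ttl) tuples;
    an empty list means the zone already follows the updated rule."""
    rrs = parse_zone(zone_text)
    soa_ttl, soa_minimum = soa_params(rrs)
    limit = nsec_ttl_updated(soa_ttl, soa_minimum)
    return [(r.name, r.rtype, r.ttl, limit)
            for r in rrs if r.rtype in ("NSEC", "NSEC3") and r.ttl > limit]


# Constructed zone: the SOA TTL (300) is lower than SOA MINIMUM (3600),
# which is exactly the case in which the two wordings disagree.
ZONE = """
example.test.      300 IN SOA   ns1.example.test. hostmaster.example.test. 2021012901 7200 900 1209600 3600
example.test.      300 IN NS    ns1.example.test.
example.test.     3600 IN NSEC  ns1.example.test. NS SOA RRSIG NSEC DNSKEY
ns1.example.test. 3600 IN A     192.0.2.1
ns1.example.test. 3600 IN NSEC  example.test. A RRSIG NSEC
"""

if __name__ == "__main__":
    soa_ttl, soa_min = soa_params(parse_zone(ZONE))
    print("SOA TTL:", soa_ttl, "SOA MINIMUM:", soa_min)
    print("NSEC TTL per RFC 5155 wording:", nsec_ttl_rfc5155(soa_ttl, soa_min))
    print("NSEC TTL per updated wording :", nsec_ttl_updated(soa_ttl, soa_min))
    for owner, rtype, actual, expected in lint_nsec_ttls(ZONE):
        print(f"{owner} {rtype}: TTL {actual} exceeds {expected}; an RFC 8198 "
              f"resolver may deny names {actual - expected}s longer than the "
              f"negative-caching TTL allows")
```

In the constructed zone the NSEC records carry the SOA MINIMUM (3600) as their TTL, so a resolver doing aggressive use per RFC 8198 could keep synthesizing denials for 3600 seconds, while an ordinary negative cache entry from the same zone would expire after 300 seconds. Lowering the NSEC TTLs to 300, as the updated text requires, makes the check return no findings.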
| 3.4. No updates to RFC8198 | 3.4. No updates to RFC8198 | |||
| Instead of updating three documents, it would have been preferable to | Instead of updating three documents, it would have been preferable to | |||
| update one. [RFC8198] says: | update one. [RFC8198] says: | |||
| | With DNSSEC and aggressive use of DNSSEC-validated cache, the TTL | | With DNSSEC and aggressive use of DNSSEC-validated cache, the TTL | |||
| | of the NSEC/NSEC3 record and the SOA.MINIMUM field are the | | of the NSEC/NSEC3 record and the SOA.MINIMUM field are the | |||
| | authoritative statement of how quickly a name can start working | | authoritative statement of how quickly a name can start working | |||
| | within a zone. | | within a zone. | |||
| skipping to change at page 6, line 39 | skipping to change at page 7, line 7 | |||
| RFC 4034, DOI 10.17487/RFC4034, March 2005, | RFC 4034, DOI 10.17487/RFC4034, March 2005, | |||
| <https://www.rfc-editor.org/info/rfc4034>. | <https://www.rfc-editor.org/info/rfc4034>. | |||
| [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | |||
| Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
| Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
| <https://www.rfc-editor.org/info/rfc5155>. | <https://www.rfc-editor.org/info/rfc5155>. | |||
| 8. Informative References | 8. Informative References | |||
| [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of | ||||
| DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198, | ||||
| July 2017, <https://www.rfc-editor.org/info/rfc8198>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of | ||||
| DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198, | ||||
| July 2017, <https://www.rfc-editor.org/info/rfc8198>. | ||||
| Appendix A. Implementation Status | Appendix A. Implementation Status | |||
| [RFC Editor: please remove this section before publication] | [RFC Editor: please remove this section before publication] | |||
| Implemented in PowerDNS Authoritative Server 4.3.0 | Implemented in PowerDNS Authoritative Server 4.3.0 | |||
| https://doc.powerdns.com/authoritative/dnssec/ | https://doc.powerdns.com/authoritative/dnssec/ | |||
| operational.html?highlight=ttl#some-notes-on-ttl-usage | operational.html?highlight=ttl#some-notes-on-ttl-usage | |||
| (https://doc.powerdns.com/authoritative/dnssec/ | (https://doc.powerdns.com/authoritative/dnssec/ | |||
| operational.html?highlight=ttl#some-notes-on-ttl-usage) . | operational.html?highlight=ttl#some-notes-on-ttl-usage) . | |||
| Implemented in BIND 9.16 and up, to be released early 2021 | Implemented in BIND 9.16 and up, to be released early 2021 | |||
| https://mailarchive.ietf.org/arch/msg/dnsop/ga41J2PPUbmc21-- | https://mailarchive.ietf.org/arch/msg/dnsop/ga41J2PPUbmc21-- | |||
| dqf3i7_IY6M (https://mailarchive.ietf.org/arch/msg/dnsop/ | dqf3i7_IY6M (https://mailarchive.ietf.org/arch/msg/dnsop/ | |||
| ga41J2PPUbmc21--dqf3i7_IY6M) https://gitlab.isc.org/isc-projects/ | ga41J2PPUbmc21--dqf3i7_IY6M) https://gitlab.isc.org/isc-projects/ | |||
| End of changes. 10 change blocks. | ||||
| 12 lines changed or deleted | 24 lines changed or added | |||
| This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | | |||