
Proposed resolution of Re: RFC4034 6.2 item 3



After reading the thread on this issue and researching the history
of the paragraph in question, I'm ready to make a recommendation
on how to proceed.
Below is a short history and my recommendation of what to do.

At 19:28 13/03/2007, Mark Andrews wrote:

        RFC 4034 to remove NSEC and RRSIG from the list of records
        that need to be downcased to bring it back into line with
        RFC3597.

        Note the -04 draft was in line with RFC3597 and I saw no
        discussion about changing it between the -04 announcement
        and the -05 announcement in namedroppers archives.  I also
        saw no discussion about changing the list in the period
        leading up to -04 announcement.

I did take a look at the archives of dnssec-editors mailing list
and the CVS archive of the documents to figure out what happened here.
I did not look inside the Ticket system archive as there is no mention
of a ticket being created around this item.

During a really intense editing session around Sept 25th 2003, the
following email exchange preceded the change in the document.

The names of the editors involved are not important:

Ed1: asks in email:
Should we add NSEC RRSIG to this list (to be complete) or leave this to
previous sections (as is now).


Ed2: replies a few minutes later:
We probably better add it, if only for completeness.  Can't hurt.

Ed1: a few minutes later:
added, committed.


This was the end of the discussion.

There was a conference call by the editors and chairs the
day after but as far as I can tell and recollect this issue
was not discussed, most of the time was used to discuss the
NSEC and wild card interaction.

So in my opinion the chairs let the working group down by
not saying "stop, what are the implications of this change?"
The other editors did not say anything, the ED2 above
made a quick judgement call without thinking the issue
through.
It is hard to determine how hard ED1 thought about
the issue but his email does not list issues.
The working group members also share some blame for not
questioning this change. (Of course if the tools.ietf.org wdiff tool
had been available at the time this would have been easier).

To be fair to the people involved, there were a number of other
issues handled the same way and this mostly worked well.
Secondly, none of us could, at the time, imagine an implementation
that blindly down cases <DNAME> inside RDATA based on this list.

Proposed change:
RFC3597 trumps RFC403x

NSEC and RRSIG should be removed from the list of types
to apply DNSSEC canonical down casing name rules to domain
names in RDATA.

Justification:
Only domain names that are candidates for domain compression need
the protection of the canonical name representation, all other
domain names SHOULD/MUST have the expectation to not change during
transition through the DNS system.

As RFC304x are inconsistent by not allowing domain name compression
in the types defined after RFC3597, then listing them is needing
the protection applied to compressible names. It is safe to make this
change.

WG Actions:
DNSSEC-bis-updates will reflect this change as soon as possible
i.e. after chair confirms this proposed change on the mailing
list. The working group will have at least one week to discuss
this issue on the mailing list and at the DNSEXT meeting next week.

Affected implementations:
It looks like the new kids on the block need to change their
behavior.  Let's thank them for identifying the issue.

Olafur

--
archive: <http://ops.ietf.org/lists/namedroppers/>
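
An added illustration of the proposed change, not part of the original message or of any implementation it refers to: it shows how the canonical RDATA bytes for an NSEC record differ depending on whether NSEC is in the list of types to downcase. Assumptions: the two lists are cut down to MX and NSEC, a SHA-256 digest stands in for the signature input, and the names and type bitmap are constructed samples.

```python
import hashlib

# Fixed bytes preceding the single embedded domain name, for the two
# RR types this sketch understands (assumption: cut-down type table).
NAME_OFFSET = {"MX": 2, "NSEC": 0}

# Cut-down stand-ins for the two versions of the list under discussion.
LIST_WITH_NSEC = {"MX", "NSEC"}     # list as it stands, NSEC included
LIST_WITHOUT_NSEC = {"MX"}          # list after the proposed change

def encode_name(name):
    """Uncompressed wire-format domain name, case preserved."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def downcase_embedded_name(rdata, offset):
    """Lowercase ASCII letters in the labels of the name at offset."""
    buf = bytearray(rdata)
    i = offset
    while buf[i] != 0:                      # zero length byte ends the name
        n = buf[i]
        buf[i + 1:i + 1 + n] = bytes(buf[i + 1:i + 1 + n]).lower()
        i += 1 + n
    return bytes(buf)

def canonical_rdata(rtype, rdata, downcase_types):
    """RDATA as it would be fed to signing or validation."""
    if rtype in downcase_types:
        return downcase_embedded_name(rdata, NAME_OFFSET[rtype])
    return rdata                            # bytes pass through unchanged

def signed_digest(rtype, rdata, downcase_types):
    """SHA-256 of the canonical RDATA, standing in for the signed data."""
    return hashlib.sha256(canonical_rdata(rtype, rdata, downcase_types)).hexdigest()

# Constructed samples: NSEC next name with mixed case plus a type bitmap
# (A, RRSIG, NSEC), and an MX with preference 10.
BITMAP = b"\x00\x06\x40\x00\x00\x00\x00\x03"
NSEC_RDATA = encode_name("Host.Example.COM") + BITMAP
MX_RDATA = b"\x00\x0a" + encode_name("Mail.Example.COM")

if __name__ == "__main__":
    for lst in (LIST_WITH_NSEC, LIST_WITHOUT_NSEC):
        print(sorted(lst), signed_digest("NSEC", NSEC_RDATA, lst)[:16])
```

Two parties that use different versions of the list compute different digests for the same NSEC record whenever the next domain name contains upper-case letters, while MX is treated identically under both.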