[RSSAC Caucus] Specific proposal for NSID in BCP40

Wessels, Duane dwessels at verisign.com
Mon Mar 20 20:43:28 UTC 2023 


> On Mar 17, 2023, at 3:13 PM, Paul Hoffman <paul.hoffman at icann.org> wrote:
> 
> Greetings again. There was a long thread here about adding a MUST-level or SHOULD-level requirement to the update to BCP40 (RFC 7720) for RSOs providing unique NSID identifiers for each instance. (The draft is at <https://datatracker.ietf.org/doc/draft-hardaker-iab-rfc7720-bis/>; the repo for the draft is at <https://github.com/marcblanchet/rfc7720bis>).
> 
> In the repo, I suggested a new section be added for "Protocol Recommendations", to differentiate from "Protocol Requirements" and "Deployment Requirements" because I think that the unique NSID does not need to be a "MUST". It is useful for debugging, but if an RSO messes up and uses duplicate IDs, or somehow forgets to turn NSID on for some instances, the root server system will not be significantly harmed.
> 
> In that spirit, I propose the following for a new "Protocol Recommendations" section:
> 
> - SHOULD respond to queries that include an NSID [RFC5001] EDNS(0) option
> with an identifier that is unique for each instance. At the time this
> document is published, each root server operator deploys multiple instances,
> so the instance identifier for the NSID response SHOULD include a sub-string
> that identifies the root server operator. The identifier is only useful for
> debugging and does not necessarily indicate any attribute of the instance
> that is responding.
> 
> The wording here is a bit stilted because BCP40 does not yet define "instance", does not yet talk about anycast, and doesn't even really define "root server operator". If those are addressed before the document is finalized, the above wording can change as well.
> 
> Thoughts? 

IMO we should probably avoid “instance” here, and maybe “unique” as well.  It will lead to a discussion of instance vs site vs server that won’t be fruitful.  In my proposed text I was careful to avoid that.

I find the second sentence (“At this time…include a sub-string”) somewhat confusing.  Generally I think “at this time” comments aren’t really relevant.  The RFC should just say what the recommendations are.  But I also don’t see what RSOs having multiple instances has to do with the sub-string, and I think you mean root server identity there instead of RSO?

What goes into the NSID payload is less of a protocol recommendation, and more of a policy recommendation/expectation.

DW

More information about the rssac-caucus mailing list