Re: [dnsext] caches, validating resolvers, CD and DO
Paul Vixie <vixie@isc.org> Wed, 30 March 2011 07:01 UTC
Return-Path: <vixie@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 11C2C28C0DD for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 00:01:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.95
X-Spam-Level:
X-Spam-Status: No, score=-1.95 tagged_above=-999 required=5 tests=[AWL=-0.525, BAYES_00=-2.599, FB_NO_MORE_ADS=1.174]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FPW6-SawP3xu for <dnsext@core3.amsl.com>; Wed, 30 Mar 2011 00:01:17 -0700 (PDT)
Received: from nsa.vix.com (unknown [IPv6:2001:4f8:3:bb:230:48ff:fe5a:2f38]) by core3.amsl.com (Postfix) with ESMTP id 1DC9028C0F0 for <dnsext@ietf.org>; Wed, 30 Mar 2011 00:01:16 -0700 (PDT)
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 01260A1031 for <dnsext@ietf.org>; Wed, 30 Mar 2011 07:02:52 +0000 (UTC) (envelope-from vixie@isc.org)
From: Paul Vixie <vixie@isc.org>
To: dnsext@ietf.org
In-Reply-To: Your message of "Wed, 30 Mar 2011 17:23:35 +1100." <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org>
References: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org>
X-Mailer: MH-E 8.2; nmh 1.3; XEmacs 21.4 (patch 22)
Date: Wed, 30 Mar 2011 07:02:51 +0000
Message-ID: <46219.1301468571@nsa.vix.com>
Subject: Re: [dnsext] caches, validating resolvers, CD and DO
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 07:01:18 -0000
> From: Mark Andrews <marka@isc.org> > Date: Wed, 30 Mar 2011 17:23:35 +1100 > ... > When these do not validate or SERVFAIL is returned, the validating > resolver should then re-issue the query with CD set and a EDNS option > indicating which upstream servers have been tried. This option is > initially empty. The cache will then behave as a proxy for this query > (excluding the EDNS option) adding the responding server's address to > the EDNS option. If there are no more addresses to try, SERVFAIL (new > rcode?) is returned along with the EDNS option from the query. objection. this assumes that the reason for servfail is upstream (which it may not be), assumes that the upstream server identities are unambiguous from the client's point of view (which in the case of nat may not be true), and assumes that the client knows better than the server how to avoid failure. since your proposal assumes new protocol elements to be implemented in all servers and some clients, i think it would be better to add something that solves the actual problem. the server in this case should consider using michael graff's hybrid blast protocol, send the query to the first upstream, and if it fails then resend it to all upstreams in parallel. this would get the upstream transaction timeout down into the downstream client's timeout window. the wire change i would like is wholly different. since clients should not need to add caches when they add validation, i'd like the chain of rrsig and dnskey to be sent from the recursive server to the stub, everything it takes to validate the answer. to do this, a new EDNS option would allow the client to express its closest trust point. so if the client already knows (in a current-transaction cache that is not shared with other applications or transactions on the client host) it has a valid dnskey for google.com and it's asking for www.google.com then the only RRSIGs or DS/DNSKEY's it needs are for www.google.com and www.l.google.com. > If the cache is using another cache the entire query/response is > proxied. The intent is for the validating client to talk through > intermediate caches to the cache talk directly to the authoritative > servers. The EDNS option maintains a list of authoritative server > addresses for the zone that have been tried. This list is passed > back and forth between the validating resolver and the cache talking > to the authoritative server. again, if we're going to change the servers by adding support for some new wire element, let's just make the server do the right kind of failure avoidance. and if we're going to add a new wire element let's have it be one that lets cacheless stub validation work.
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- [dnsext] caches, validating resolvers, CD and DO Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Alex Bligh
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Michael Richardson
- Re: [dnsext] caches, validating resolvers, CD and… Alex Bligh
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Paul Vixie
- Re: [dnsext] caches, validating resolvers, CD and… Tony Finch
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Jelte Jansen
- Re: [dnsext] caches, validating resolvers, CD and… Marc Lampo
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Edward Lewis
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… Mark Andrews
- Re: [dnsext] caches, validating resolvers, CD and… Marc Lampo
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… Derek Atkins
- Re: [dnsext] caches, validating resolvers, CD and… Nicholas Weaver
- Re: [dnsext] caches, validating resolvers, CD and… bmanning