IETF Logo Mail Archive

Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness

Andrew Sullivan <ajs@shinkuro.com> Tue, 22 February 2011 14:09 UTC

Return-Path: <ajs@shinkuro.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 08C0B3A68F2 for <dnsext@core3.amsl.com>; Tue, 22 Feb 2011 06:09:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.581
X-Spam-Level:
X-Spam-Status: No, score=-102.581 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KSFnWrRLeCNR for <dnsext@core3.amsl.com>; Tue, 22 Feb 2011 06:09:34 -0800 (PST)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by core3.amsl.com (Postfix) with ESMTP id 2481F3A68F0 for <dnsext@ietf.org>; Tue, 22 Feb 2011 06:09:34 -0800 (PST)
Received: from crankycanuck.ca (69-196-144-230.dsl.teksavvy.com [69.196.144.230]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 139711ECB408 for <dnsext@ietf.org>; Tue, 22 Feb 2011 14:10:18 +0000 (UTC)
Date: Tue, 22 Feb 2011 09:10:16 -0500
From: Andrew Sullivan <ajs@shinkuro.com>
To: dnsext@ietf.org
Message-ID: <20110222141016.GC53815@shinkuro.com>
References: <4D622624.90303@ogud.com> <BF79BE89-20B2-4897-B07C-1426745C4AA9@verisign.com> <76781.1298327469@nsa.vix.com> <20110221224349.GT32224@shinkuro.com> <80121.1298330888@nsa.vix.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <80121.1298330888@nsa.vix.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2011 14:09:35 -0000

No hat.

On Mon, Feb 21, 2011 at 11:28:08PM +0000, Paul Vixie wrote:

> yes. no initiator i know of discards rrsets just due to ttl variance.
> therefore the guideance to initiators is effectively "do what BIND4
> 4.9 did" in other words treat the whole rr set as though it had the
> ttl of the lowest rr therein.  if rfc 2181 does not make this clear
> then it is not providing reasonable and actionable guideance.

Well, here's the section in toto:

5.2. TTLs of RRs in an RRSet

   Resource Records also have a time to live (TTL).  It is possible for
   the RRs in an RRSet to have different TTLs.  No uses for this have
   been found that cannot be better accomplished in other ways.  This
   can, however, cause partial replies (not marked "truncated") from a
   caching server, where the TTLs for some but not all the RRs in the
   RRSet have expired.

   Consequently the use of differing TTLs in an RRSet is hereby
   deprecated, the TTLs of all RRs in an RRSet must be the same.

   Should a client receive a response containing RRs from an RRSet with
   differing TTLs, it should treat this as an error.  If the RRSet
   concerned is from a non-authoritative source for this data, the
   client should simply ignore the RRSet, and if the values were
   required, seek to acquire them from an authoritative source.  Clients
   that are configured to send all queries to one, or more, particular
   servers should treat those servers as authoritative for this purpose.
   Should an authoritative source send such a malformed RRSet, the
   client should treat the RRs for all purposes as if all TTLs in the
   RRSet had been set to the value of the lowest TTL in the RRSet.  In
   no case may a server send an RRSet with TTLs not all equal.

To me, it's pretty clear (1) that having different TTL values on RRs
in the RRset is an error, (2) that you should just ignore such RRsets
if they're not authoritative, (3) that is is a protocol error to send
an RRset with different TTLs on different RRs in the set, and (4) that
any client receiving such a set should use the lowest TTL in the set
for everything.  My own view is that the requirements are crystal
clear, and since RFC 2181 updates all of 1034, 1035, and 1123 I think
it changes the protocol.  According to STD1, it's a Proposed Standard. 

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.

v2.23.0 | Report a Bug | By Email