Re: [dnsext] DNAME with exceptions - work-around found
Brian Dickson <brian.peter.dickson@gmail.com> Sun, 12 September 2010 22:32 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6C493A688E; Sun, 12 Sep 2010 15:32:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.538
X-Spam-Level:
X-Spam-Status: No, score=0.538 tagged_above=-999 required=5 tests=[AWL=0.536, BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WvhXTpQkyf5E; Sun, 12 Sep 2010 15:32:39 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 28BCD3A672F; Sun, 12 Sep 2010 15:32:38 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1OuuyI-0007Fu-7X for namedroppers-data0@psg.com; Sun, 12 Sep 2010 22:24:26 +0000
Received: from mail-fx0-f52.google.com ([209.85.161.52]) by psg.com with esmtp (Exim 4.72 (FreeBSD)) (envelope-from <brian.peter.dickson@gmail.com>) id 1OuuyD-0007FV-SG for namedroppers@ops.ietf.org; Sun, 12 Sep 2010 22:24:22 +0000
Received: by fxm13 with SMTP id 13so3325436fxm.11 for <namedroppers@ops.ietf.org>; Sun, 12 Sep 2010 15:24:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=IS+P8jO8jylfZyCXAyF3Q7ReTvmmpy7UwmKARwNLcnk=; b=pY2sK3WcVx+X8wQdtLHxA63O7dbIAN2xj3CtZ+qlV+t0M5THjEsPOX5lGU5SRGiGJL sow6GPL1LqERTLr07xDG76Vi/SejIMm0Z5lnACZB6KmIawRN979BSD0YaB3Y91WjArzn oye3/0vHyAPsFFrD1+u3Dcq0AjNbuG9CoJ1r0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=RQDA1o0FMMd1wSk3mLau5/7iOhbmlFaZNl8eMqGvOuNy7ZlblUZ8G2mHnEamYHOuaO WjtZnNmFh6tSyUkACFBxyI+W8y2KuJtE5Xdvs/PRsPelA8qGCybpmQS+C5JJxrG838bI Fi7Av2eSGotuULsrkmzt7L0vx9/bnT+oEvK7A=
MIME-Version: 1.0
Received: by 10.223.111.11 with SMTP id q11mr2811127fap.5.1284330260411; Sun, 12 Sep 2010 15:24:20 -0700 (PDT)
Received: by 10.223.109.13 with HTTP; Sun, 12 Sep 2010 15:24:20 -0700 (PDT)
In-Reply-To: <4C8B3F0E.8050806@nlnetlabs.nl>
References: <AANLkTim8o93AQhj_oUvWMvqNH6DiN_W9mLSznRLu9ePA@mail.gmail.com> <4C8B3F0E.8050806@nlnetlabs.nl>
Date: Sun, 12 Sep 2010 19:24:20 -0300
Message-ID: <AANLkTi=s92ndRdeTGzC16sMNkPkDNbqtkEjRiSCxiW15@mail.gmail.com>
Subject: Re: [dnsext] DNAME with exceptions - work-around found
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Cc: namedroppers@ops.ietf.org
Content-Type: multipart/alternative; boundary="001636c5a4bff237660490177036"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
Hi, Wouter, Good point about the cache issue. It took a day or two to investigate a bit further, but I think I have an even dirtier trick... Set the DNAME TTL to 0. :-) The DNAME only causes a problem in the cache, if it is in the cache before the query for the more-specific exception is made. Not caching the DNAME prevents this. (The best way to win a race is to not have the race at all.) This works, both directly, and through a cache. And it can be made to also validate for DNSSEC, by the following process: Use the same DNSKEYs for all the variants at each level (i.e. one set of key for all the exceptions under one zone), and combining the (mapped) DS keys, gets you the necessary delegation DNSSEC authentication/validation. The DNAME rewrites the QNAME, but the returned values authenticate since they are the same RDATA. (Yes, it's a cute and evil trick.) For the variants (parent zones of the exceptions), each variant consists of the apex RRs plus the DNAME, signed. Their DS records get inserted into the parent zone(s). The server for all the variants is also the server for the exceptions. All of those zones are loaded. The delegation server needs only the variants, and does not need to know about the exceptions (yay!). The delegations inside the variants, for the exceptions, don't actually exist - they occur via the DNAME target zone, and are served up directly (in response to appropriate QNAME/QTYPE/QCLASS matches). This has been verified by trying it out using bind, on a couple of instances talking to each other (recursive resolver and authority server). I *think* it will also work with NSD... it doesn't require anything BIND specific. It just abuses the RFCs. :-) The targets of the DNAMEs get cached as needed, and thus the *only* thing not cached are the DNAMEs themselves (and the synthesized CNAMEs, and their RRSIGs). So, if there were no other work done, and a registrant had need for this, the main impact would be that the DNAME look-ups would not be cached, and every variant look-up would propagate to the authority server(s) for the registrant. This suggests some kind of work, either specifically concerning the overall "sameness" problem, or perhaps specifically to handle DNAMEs with TTL=0 (to do something "special" to handle the scaling, while preserving the ability to implement a work-around like this.) I think that, performance hit on the DNAME aside, it scales pretty okay, but obviously isn't something someone would want to run on a big (high-volume) TLD. It appears, at first blush, to support hierarchies of this kind with exceptions at each level. (It does require using common DNSKEYs among variants, but not among parent/children relations.) Brian On Sat, Sep 11, 2010 at 5:34 AM, W.C.A. Wijngaards <wouter@nlnetlabs.nl>wrote: > >
- [dnsext] DNAME with exceptions - work-around found Brian Dickson
- Re: [dnsext] DNAME with exceptions - work-around … W.C.A. Wijngaards
- Re: [dnsext] DNAME with exceptions - work-around … Brian Dickson
- Re: [dnsext] DNAME with exceptions - work-around … W.C.A. Wijngaards
- Re: [dnsext] DNAME with exceptions - work-around … Niall O'Reilly
- Re: [dnsext] DNAME with exceptions - work-around … Andrew Sullivan
- Re: [dnsext] DNAME with exceptions - work-around … Brian Dickson