Re: [dnsext] Fwd: New Version Notification for draft-ah-dnsext-rfc1995bis-ixfr-02
Edward Lewis <Ed.Lewis@neustar.biz> Thu, 16 June 2011 19:22 UTC
Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA67511E8239 for <dnsext@ietfa.amsl.com>; Thu, 16 Jun 2011 12:22:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.168
X-Spam-Level:
X-Spam-Status: No, score=-105.168 tagged_above=-999 required=5 tests=[AWL=-0.265, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LP+rz3UK9abT for <dnsext@ietfa.amsl.com>; Thu, 16 Jun 2011 12:22:09 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 96C2111E8224 for <dnsext@ietf.org>; Thu, 16 Jun 2011 12:22:08 -0700 (PDT)
Received: from Work-Laptop-2.local (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p5GJM555096157; Thu, 16 Jun 2011 15:22:06 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.201.23] by Work-Laptop-2.local (PGP Universal service); Thu, 16 Jun 2011 15:22:06 -0400
X-PGP-Universal: processed; by Work-Laptop-2.local on Thu, 16 Jun 2011 15:22:06 -0400
Mime-Version: 1.0
Message-Id: <a06240803ca1fd7525c50@[10.31.201.23]>
In-Reply-To: <4DF9B5BD.7010900@nic.cz>
References: <4DB81069.3080404@nic.cz> <4DF9B5BD.7010900@nic.cz>
Date: Thu, 16 Jun 2011 15:22:03 -0400
To: OndÞej Sur <ondrej.sury@nic.cz>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Fwd: New Version Notification for draft-ah-dnsext-rfc1995bis-ixfr-02
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2011 19:22:10 -0000
At 9:50 +0200 6/16/11, OndÞej Sur wrote: >Hi, > >since I didn't receive any comments I guess: > >a) it's not exciting >b) it's so good that it doesn't need any improvement [which I doubt] c) was unaware of the document's existence despite thinking "it would be about time to tackle this" ;) I began reading the draft and started listing a lot of comments. It would take me a long time to complete, so I thought I'd raise two things here. 1. The document talks a lot about the context of an IXFR exchange. Can this be removed and stick to just the actions of an IXFR client and server? I mean, it doesn't matter why the IXFR is being kicked off. (BTW, the statement that IXFRs are mostly kicked off by NOTIFY isn't really true, we oversee a lot of zones that do not change thus do not cause NOTIFY's to fly. This factoid applies to different places but in the end, doesn't really matter when you are describing the protocol.) 2. For the first time I have thought abotu IXFR-only and I don't get it at all. The reason is I don't accept that "If this is not possible, in the case of bare IXFR, the server falls back to AXFR, i.e. it provides the full zone content." Yes, there's a AXFR-style IXFR (all in one UDP message) but I don't think that is what is meant. When a server indicates that IXFR can't be used, the server can not switch to AXFR. The switch that is observed in operations comes from the client deciding to switch. If the reason for IXFR-only is that a client, having failed to IXFR from IP address #1 will try AXFR instead of trying IXFR from IP address #2, then my response is that this is an implementation issue, not a protocol issue. RFC 1995 never specifies that a failed IXFR will cause an AXFR to happen. Maybe that's an accident of history, because implementations do this that we think that is what is supposed to happen. It's not in the specification that way, as far as I can find. The closest passage is in section 2 of RFC 1995: Thus, a client should first make an IXFR query using UDP. If the query type is not recognized by the server, an AXFR (preceded by a UDP SOA query) should be tried, ensuring backward compatibility. Note that this is if the IXFR QTYPE is not recognized, not a refusal to use IXFR. And note that this is for backward compatibility. Thinking in another vein, if a client chooses not to ever use AXFR, then what happens when IXFR requests can't be satisfied? Let the zone EXPIRE? Is a dead server better than a server that is taking time to sync up? (This calls out the motivation for IXFR-only.) --- As I mentioned, there is a need to refresh this RFC - well, maybe. I want to suggest specifying that a IXFR client will verify the RRSIG of the first SOA returned. This will close one more place a forger might be able to insert into or remove records from a DNSSEC signed zone without detection (assuming there's no VPN, TSIG, TKEY or similar protection). -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 I'm overly entertained.
- [dnsext] Fwd: New Version Notification for draft-… Ondřej Surý
- Re: [dnsext] Fwd: New Version Notification for dr… Ondřej Surý
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Brian Dickson
- Re: [dnsext] Fwd: New Version Notification for dr… Mark Andrews
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Mark Andrews
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Ondřej Surý
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Brian Dickson
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Brian Dickson
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Brian Dickson
- Re: [dnsext] Fwd: New Version Notification for dr… W.C.A. Wijngaards
- [dnsext] Use case for IXFR-only, was Re: Fwd: New… Shane Kerr
- [dnsext] Slamming the TCP door, was Re: Fwd: New … Shane Kerr
- Re: [dnsext] Use case for IXFR-only, was Re: Fwd:… Edward Lewis
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Edward Lewis
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Mark Andrews
- Re: [dnsext] Use case for IXFR-only, was Re: Fwd:… Mark Andrews
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Edward Lewis
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … W.C.A. Wijngaards
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Josh Littlefield
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Josh Littlefield
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Paul Vixie
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Masataka Ohta
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Florian Weimer
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Ondřej Surý
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Ondřej Surý
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Ondřej Surý
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Mark Andrews
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Shane Kerr
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Mark Andrews
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta