IETF Logo Mail Archive

Re: [dnsext] Fwd: New Version Notification for draft-ah-dnsext-rfc1995bis-ixfr-02

Edward Lewis <Ed.Lewis@neustar.biz> Thu, 16 June 2011 19:22 UTC

Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA67511E8239 for <dnsext@ietfa.amsl.com>; Thu, 16 Jun 2011 12:22:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.168
X-Spam-Level:
X-Spam-Status: No, score=-105.168 tagged_above=-999 required=5 tests=[AWL=-0.265, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LP+rz3UK9abT for <dnsext@ietfa.amsl.com>; Thu, 16 Jun 2011 12:22:09 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 96C2111E8224 for <dnsext@ietf.org>; Thu, 16 Jun 2011 12:22:08 -0700 (PDT)
Received: from Work-Laptop-2.local (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p5GJM555096157; Thu, 16 Jun 2011 15:22:06 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.201.23] by Work-Laptop-2.local (PGP Universal service); Thu, 16 Jun 2011 15:22:06 -0400
X-PGP-Universal: processed; by Work-Laptop-2.local on Thu, 16 Jun 2011 15:22:06 -0400
Mime-Version: 1.0
Message-Id: <a06240803ca1fd7525c50@[10.31.201.23]>
In-Reply-To: <4DF9B5BD.7010900@nic.cz>
References: <4DB81069.3080404@nic.cz> <4DF9B5BD.7010900@nic.cz>
Date: Thu, 16 Jun 2011 15:22:03 -0400
To: OndÞej Sur˜ <ondrej.sury@nic.cz>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Fwd: New Version Notification for draft-ah-dnsext-rfc1995bis-ixfr-02
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2011 19:22:10 -0000

At 9:50 +0200 6/16/11, OndÞej Sur˜ wrote:
>Hi,
>
>since I didn't receive any comments I guess:
>
>a) it's not exciting
>b) it's so good that it doesn't need any improvement [which I doubt]
  c) was unaware of the document's existence despite thinking "it would be
     about time to tackle this"

;)

I began reading the draft and started listing a 
lot of comments.  It would take me a long time to 
complete, so I thought I'd raise two things here.

1. The document talks a lot about the context of 
an IXFR exchange.  Can this be removed and stick 
to just the actions of an IXFR client and server? 
I mean, it doesn't matter why the IXFR is being 
kicked off.  (BTW, the statement that IXFRs are 
mostly kicked off by NOTIFY isn't really true, we 
oversee a lot of zones that do not change thus do 
not cause NOTIFY's to fly.  This factoid applies 
to different places but in the end, doesn't 
really matter when you are describing the 
protocol.)

2. For the first time I have thought abotu 
IXFR-only and I don't get it at all.  The reason 
is I don't accept that "If this is not possible, 
in the case of bare IXFR, the server falls back 
to AXFR, i.e. it provides the full zone content." 
Yes, there's a AXFR-style IXFR (all in one UDP 
message) but I don't think that is what is meant.

When a server indicates that IXFR can't be used, 
the server can not switch to AXFR.  The switch 
that is observed in operations comes from the 
client deciding to switch.  If the reason for 
IXFR-only is that a client, having failed to IXFR 
from IP address #1 will try AXFR instead of 
trying IXFR from IP address #2, then my response 
is that this is an implementation issue, not a 
protocol issue.

RFC 1995 never specifies that a failed IXFR will 
cause an AXFR to happen.  Maybe that's an 
accident of history, because implementations do 
this that we think that is what is supposed to 
happen.  It's not in the specification that way, 
as far as I can find.

The closest passage is in section 2 of RFC 1995:

    Thus, a client should first make an IXFR query using UDP.  If the
    query type is not recognized by the server, an AXFR (preceded by a
    UDP SOA query) should be tried, ensuring backward compatibility.

Note that this is if the IXFR QTYPE is not 
recognized, not a refusal to use IXFR.  And note 
that this is for backward compatibility.

Thinking in another vein, if a client chooses not 
to ever use AXFR, then what happens when IXFR 
requests can't be satisfied?  Let the zone 
EXPIRE?  Is a dead server better than a server 
that is taking time to sync up?  (This calls out 
the motivation for IXFR-only.)

---

As I mentioned, there is a need to refresh this 
RFC - well, maybe.  I want to suggest specifying 
that a IXFR client will verify the RRSIG of the 
first SOA returned.  This will close one more 
place a forger might be able to insert into or 
remove records from a DNSSEC signed zone without 
detection (assuming there's no VPN, TSIG, TKEY or 
similar protection).

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

I'm overly entertained.

v2.23.0 | Report a Bug | By Email