Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 21 February 2011 19:52 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ECA503A716D for <dnsext@core3.amsl.com>; Mon, 21 Feb 2011 11:52:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsGzx-3xKCD5 for <dnsext@core3.amsl.com>; Mon, 21 Feb 2011 11:52:09 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 2B2D03A6E67 for <dnsext@ietf.org>; Mon, 21 Feb 2011 11:52:09 -0800 (PST)
Received: by fxm15 with SMTP id 15so2859501fxm.31 for <dnsext@ietf.org>; Mon, 21 Feb 2011 11:52:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=bAmKdKGFwvDG98+6hpbK43Q7Deq7jV7udXRYwJFkX5M=; b=lwxZEADD74FKrb1czjKG2n8EDp2D3z2nuwd0Tz2j0dQYYKfmFvWBAw48p349mS3zry 63L4ZSdhAmzCbCl8P+HN7IejL9pVAfrCQRk9Wy/6XUVK2755YbZEisyLIAM7FtehrQhh WbMSCwq6Orettx6QtO2DoKHlXLGYDQgF+Y1Ok=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=c4P3OsqtzKF+qM/yXM/iCALlGLVUaCNa/TJje0QsmBhkijhKb39ovpiu0EuWLS0XGA L7VNGjH5orl7IEEmHg8vKhA7aNqeacU6z3n/fLZNaWKyW5HZNbQMtup1iZSkD39Io6rM BHE32MIsfEvOQD+YynXf6HFWr0HWyzFT+PZ8c=
MIME-Version: 1.0
Received: by 10.223.73.202 with SMTP id r10mr2465729faj.133.1298317880845; Mon, 21 Feb 2011 11:51:20 -0800 (PST)
Received: by 10.223.107.132 with HTTP; Mon, 21 Feb 2011 11:51:20 -0800 (PST)
In-Reply-To: <BF79BE89-20B2-4897-B07C-1426745C4AA9@verisign.com>
References: <4D622624.90303@ogud.com> <BF79BE89-20B2-4897-B07C-1426745C4AA9@verisign.com>
Date: Mon, 21 Feb 2011 15:51:20 -0400
Message-ID: <AANLkTinQig=e7wv-3GsXi73p3AKQOsbjE6EzDNMbWWRw@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: David Blacka <davidb@verisign.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: dnsext@ietf.org, Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Feb 2011 19:52:12 -0000
I have read the draft, and also David's comments, and have comments of my own in-line below. Briefly, however, I'd say: - the things in the draft are all good ideas - the draft is good, should be adopted, requires only a small amount of work, and once that is done, is probably fine for WGLC. - s few clarifications will go a long way to addressing both David's issues, and making the document useful - all of the above are "IMIHO" See below for in-line comments. Brian On Mon, Feb 21, 2011 at 2:58 PM, David Blacka <davidb@verisign.com> wrote: > > On Feb 21, 2011, at 3:45 AM, Olafur Gudmundsson wrote: > >> >> The chairs have received a request to Last call this draft. >> http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00 >> >> This draft is clearly in scope of the Working Group. >> >> As there has not been much discussion on this draft the chairs are >> not ready at this point to start a Last Call but would like to get a sense of the working group participants' feelings on the draft. > > I was not aware of this draft's existence until now, but I just read it. > >> >> The draft is aimed at BCP status; thus there is no RFC2119 language in the draft. >> >> Background: The draft contains three recommendation on how resolvers operate, >> A. Re-validating a delegation when a parent NS RRset TTL expires. >> B. Stopping a downward cache search when an NXDOMAIN is encountered. >> C. Upgrading the credibility of NS RRsets upon delegation event. >> >> All of these have been suggested in various forms over the years. >> >> Following opinions are sought: >> 1. Are the suggestions in the draft something people think is a good >> idea? > > I'm unsure, although I'm leaning toward thinking that they are not good ideas. > > (A) is (I think) trying to solve issues caused by "cache pinning" when moving a zone from one set of nameservers to another. Actually, it goes further than that (if I understand the draft correctly, which I very well may not) by effectively removing entire delegation chains when the ancestor NS RRset expires. So, e.g., every time the com NS RRset expires, all delegations below it effectively expire. I have no idea what problem this overall behavior solves, although I suspect that it defeats a great deal of the value of a cache. My read on the draft, and I'm reasonably confident it's what the author intended, is that "stale" delegations be "refreshed" (or have a "refresh" attempted) before they are used. It is analogous to the "refresh" between master and slave authority servers for a given zone, e.g. verifying the SOA SN if the "refresh" timer fires off. And, basically, the "refresh" is to make sure the delegation (non-authoritative) NS records are "reasonably consistent" with what was already cached, and if so, re-establishes the validity, re-sets the TTL, and re-populates the NS set if some changes have occurred. No expiration occurs, unless both (a) the TTL expires, and (b) the new delegation NS RRSET has nothing in common with the cached RRset - in which case, the child side and all descendants MUST be discarded. It actually is better than blindly discarding the children, which I think might have to happen currently. Only if the delegation points elsewhere, when the TTL expires, do the children need to be discarded. > > (B) is about having resolvers actually believe NXDOMAIN responses. While I think it might be nice if we could trust that NXDOMAIN actually meant that the name didn't exist, I don't see how this improves the "resiliency" or "robustness" of the *resolver*. This is one place where I think some updates to the ID need to be done. Basically, we need a reference (i.e. to RFCs in standard I-D style) to the changes to the standard(s) that differentiate 1034's "Name Error" from the two cases we now know about, "NXDOMAIN", and "empty non-terminal" (a node with no RRs itself, which has descendants, inside a zone). If I understand it, things should now work as follows: - if an empty non-terminal matches a QNAME, the *answer* should be empty, but there should *not* be any error code. - if no domain exists (and that means neither the domain nor any children exist), there *should* be an error code of NXDOMAIN And, given the logic immediate above, this means that NXDOMAIN can and should be cached (if and only if the above applies), and when an NXDOMAIN is cached, children of that node get discarded, and subsequent queries to the *resolver* below that NXDOMAIN can themselves be guaranteed to be NXDOMAINed, and there is no need to send the query to the authority server for the given zone. But, this should be clarified in the text of the draft. I agree that it is a suitable optimization, and as I understand it, correct behavior. > > (C) is about working around delegation scenarios that favor parent-side delegation information by instructing the resolver to directly query the child nameservers for NS records. I don't know what actual problem this is attempting to solve. I *believe* it is working around situations where different implementations of authority server have interpreted existing RFCs differently, and arguably both interpretations are technically correct. And, that it is also always preferable to have the most authoritative (correct) NS data in the cache, even if it wasn't returned in the authority section of the authority server. I believe this is particularly relevant in order to also do (A) above. It would be helpful, perhaps, to differentiate the behavior of a resolver, when it does have, and when it does not have, the apex NS RRSET, and when that might trigger different behavior to a client of the resolver. (E.g. when the resolver path includes things like: "client -> recursive resolver -> bigger recursive resolver -> authority server(s)".) >> 2. Is the draft clear in its message? If not, please suggest improvements. > > It is entirely unclear to me what problems the various proposals are actually trying to solve. > >> 3. After (if any) editing fixes is this draft ready for WG Last Call? > > Not in my opinion. I don't think the ideas are clearly BCPs. > >> >> Olafur and Andrew >> _______________________________________________ >> dnsext mailing list >> dnsext@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsext > > -- > David Blacka <davidb@verisign.com> > Principal Engineer Verisign Platform Product Development > > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext >
- Re: [dnsext] WG opinion on draft : Improvements t… David Blacka
- [dnsext] WG opinion on draft : Improvements to DN… Olafur Gudmundsson
- Re: [dnsext] WG opinion on draft : Improvements t… Brian Dickson
- Re: [dnsext] WG opinion on draft : Improvements t… Tony Finch
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Andrew Sullivan
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… W.C.A. Wijngaards
- Re: [dnsext] WG opinion on draft : Improvements t… Andrew Sullivan
- Re: [dnsext] WG opinion on draft : Improvements t… Doug Barton
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer
- Re: [dnsext] WG opinion on draft : Improvements t… Brian Dickson
- Re: [dnsext] WG opinion on draft : Improvements t… Edward Lewis
- Re: [dnsext] WG opinion on draft : Improvements t… Mark Andrews
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Brian Dickson
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Tony Finch
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer