IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Roy Arends <roy@dnss.ec> Thu, 12 July 2018 18:08 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B61D131186 for <dnsop@ietfa.amsl.com>; Thu, 12 Jul 2018 11:08:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_ABOUTYOU=0.5, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N2SxozgdUJfr for <dnsop@ietfa.amsl.com>; Thu, 12 Jul 2018 11:08:11 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C829F130F34 for <dnsop@ietf.org>; Thu, 12 Jul 2018 11:08:10 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id v22-v6so22574096edq.4 for <dnsop@ietf.org>; Thu, 12 Jul 2018 11:08:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=tr2Dr9TTjnfXMlpg9/syFuPboQUIt77kdAqG1SEA5Ws=; b=hcGXn0a20Gf+0QsOO1JXEl5vF/33bZjZBw1C2tyH7cxwkUJ2EfqaWpdHQLTiWrPVM1 kJQTviPevBy4giEz3RUhh0Ma1tFnd9KiuHqJZFwL14w3cNYml8mkh3d2OJFkpMwhHnw0 cY01uFU9Dk5sob96EdlTEZe83QfyxJ/H89oZM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=tr2Dr9TTjnfXMlpg9/syFuPboQUIt77kdAqG1SEA5Ws=; b=NoZCoSx2E5WkfmYcHGKJF4jGiO2bshKzHVIEgYJsWnR6o1ZSRk0Us77loy4f6LWuW7 QWfLBcRoI8FschhJLKPJRVvUipj9JX+J4eHJAoLnVsY9rfxjM9ABRaCj/E5hbVNemtV3 szOGUXWYAV+bUSJvXqQI37InBEveE1oCbMRXWr26yBzA0qxLrMDvvRjnCEWiuYrdaX1k XwgvjbuuuR209+Cb+5LXNDBieeb7VmLMji3NruN9O7WaNYLQ60Xud0WsVhJ3+iRxxIJf Xe3bvy2XPfr7EQWLbdmzQ1rhUDQMTSfaM53jISNwC2/jUwOacgA3M16lFHcfyPJ2JaM4 EpVQ==
X-Gm-Message-State: AOUpUlEI0nMcIh8hmwxBlTlAoRhsUtfmudgYmcEKUieaALDaUYR3vftr 38H92n+0Vh5vDrqaYGkqAPJnSQ==
X-Google-Smtp-Source: AAOMgpcXS5m8RA6mklWQ3j20jRmzZafpBVEYZLAC7IryIW3yrZHZZvBOPRF4lv8m8CzeV5fIXlpnkw==
X-Received: by 2002:a50:8f05:: with SMTP id 5-v6mr3616969edy.192.1531418889128; Thu, 12 Jul 2018 11:08:09 -0700 (PDT)
Received: from [172.16.134.13] ([207.115.96.130]) by smtp.gmail.com with ESMTPSA id w2-v6sm3420420edb.33.2018.07.12.11.08.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 12 Jul 2018 11:08:08 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <CAHw9_iKN7N+poGYqCVvRDwqXx9WjbZmF5ZMKDd3XkfsLifm=Ng@mail.gmail.com>
Date: Thu, 12 Jul 2018 19:08:03 +0100
Cc: hsalgado@nic.cl, Shane Kerr <shane@time-travellers.org>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F530EEE4-35E3-4308-85D5-25A0FC2BD87B@dnss.ec>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <CAJE_bqcELQbQeHPvvEBHOxpRyWYL76BmT_-G4jW4pTnUUXFMUw@mail.gmail.com> <27C44216-581A-4991-A739-ECE8B7F8AA35@verisign.com> <884c2d11-9db0-7668-59c9-baa8574a03f7@time-travellers.org> <37873808-8354-b26b-34f4-880ea7a5f0da@nic.cz> <e9f99fce-c240-7f23-c580-1fb8bd0a0687@time-travellers.org> <20180621203116.a7kv4ysotfe7kw5k@nic.cl> <CAHw9_iKN7N+poGYqCVvRDwqXx9WjbZmF5ZMKDd3XkfsLifm=Ng@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-NOYs2oJWMZiTeDq7GLrAoql4a0>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 18:08:19 -0000

> On 12 Jul 2018, at 18:55, Warren Kumari <warren@kumari.net> wrote:
> 
> On Thu, Jun 21, 2018 at 4:31 PM Hugo Salgado-Hernández <hsalgado@nic.cl> wrote:
>> 
>> On 22:09 21/06, Shane Kerr wrote:
>>>> Dne 1.6.2018 v 12:51 Shane Kerr napsal(a):
>>>> 
>>>> Hmm, can you share some details about your experience?
>>>> Did you find out when the data corruption took place?
>>>> a) network transfer
>>>> b) implementation bugs (e.g. incorrectly received IXFR)
>>>> c) on disk
>>>> d) some other option?
>>> 
>>> I don't know. I have seen incorrectly transferred zone files both in
>>> BIND
>>> and NSD slaves. IIRC our solution was to include sentinel records in
>>> the
>>> zone files to spot problems, take the node out of service, and force a
>>> re-transfer. This of course won't work if you are slaving zones that
>>> you do
>>> not control, and it doesn't prevent a small window of time when the
>>> servers
>>> are operating with broken zones. TSIG was being used.
>> 
>> We have also seen broken transfers between secondaries. Our solution
>> is to dump the zone after transfer, calculate a hash and compare. We
>> would benefit from having a ZONEMD record inside the zone.
> 
> i *seem* to remember something happening with .de a few years back --
> IIRC, slaves did a zone transfer, ran out of disk and truncated the
> file, and so only had a partial zone file to serve - something like
> 2/3ds of the .de zone "disappeared". A zone checksum would allow the
> nameserver to know that they do not have a full zone file.

https://www.denic.de/en/whats-new/press-releases/article/partial-disturbance-of-the-dns-service-for-de-domains/

> 
> My memory is hazy, because I would have expected the AXFR to fail and
> the nameserver to just continue using the old zone. Perhaps there was
> some other transfer mechanism and it involves restaring the
> nameserver? I'm sure someone must remember more detail on this event.
> 
> W
> 
>> 
>> Hugo
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>   ---maf
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email