Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
Bob Harold <rharolde@umich.edu> Wed, 17 August 2016 17:03 UTC
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E131B12B026 for <dnsop@ietfa.amsl.com>; Wed, 17 Aug 2016 10:03:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kqoUbMFoqQRA for <dnsop@ietfa.amsl.com>; Wed, 17 Aug 2016 10:03:33 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08EB412D1CB for <dnsop@ietf.org>; Wed, 17 Aug 2016 10:03:32 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id j12so63608338ywb.2 for <dnsop@ietf.org>; Wed, 17 Aug 2016 10:03:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=78UADyPcQg8HgtXnM+G2AEuB+sBx7OHjFrcEzPFWpA8=; b=mkvYmRE4vcnNEiagb4t2ee7VPzVwAn8TSC2LW+9/KOa9/QV3/aPK3gOHII2ZJnB01W FHuRzEC/tku3WxMS4usODBfxqZb7LMJqlg2mYtGczwvkpTSOgluQeQ6X3MmspuE6l0iW NIqKbequ2TpNICm8Zic1q8umMyldO3+gXVdrLFnyAra9feMjgLToWdfhd0LlYvVXawE1 WnDVtceM2bTGsWSOZTfiyUMKTz071f7Xfd8A+X8bdWuZ7IX3h/4HvZsNw7woVTePKYi5 BG9hR4jNucbZftavKV7FPlZEK672AxYQgUzb3joWJiM1Qsw/FlGgDYLyY25uQnbT8UN1 pQiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=78UADyPcQg8HgtXnM+G2AEuB+sBx7OHjFrcEzPFWpA8=; b=WM8XxLbWj6Cv2BZodgan6KLTuN3qpifXHZSkQNmLpv2Kc48cfSvAkkq1jf96uzH48x JDuWNBk4XIZY0ctRBCtrOV0q/1by12SxWdu+LNZJOWn7GrP6RD1M30bhGt6S2S1fwhtm jjT8GmrGghlWDlI+dGFy+6CsegtjV8aPY4SUPYlGR+YVDWRR4C+kyHqA7G6sDXP3FiRe 66oWqI3eRinwdFQKbJkc9FBnPWwWxe82fW7/cjvBIqv9dXn05MLh73Cx5wePrK/HB91v b4nYlXcH3Ua9ls045ktU6rQ0mFkNMSxuBfEyyThLoWU7ruppCdvwofl33X2/u7xfQNCM ZMDw==
X-Gm-Message-State: AEkoousY1RbOuKMJIUC9oia4CMp4pB4fD6XFkh4BGRh9j+elWym52X8BAQpFOL7XAWP/IRUzwbWABKfMp4Z6le3i
X-Received: by 10.13.217.20 with SMTP id b20mr30987446ywe.44.1471453412065; Wed, 17 Aug 2016 10:03:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.255.3 with HTTP; Wed, 17 Aug 2016 10:03:31 -0700 (PDT)
In-Reply-To: <CAJE_bqeLrf_tV+FZo4vk3YPbhTAnzMgPJH7KwzV6MXm_LGC04Q@mail.gmail.com>
References: <CAJE_bqeLrf_tV+FZo4vk3YPbhTAnzMgPJH7KwzV6MXm_LGC04Q@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
Date: Wed, 17 Aug 2016 13:03:31 -0400
Message-ID: <CA+nkc8DO40hUZrorB+jCoOx8Zy75qw9JGS1FNofpXVj3c21aCg@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a114fbe74ee32c6053a4771ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0by-nuybKrYH60fy2sKOhdVCH0U>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 17:03:36 -0000
On Wed, Aug 17, 2016 at 12:45 PM, 神明達哉 <jinmei@wide.ad.jp> wrote: > At Thu, 4 Aug 2016 20:03:35 -0400, > Tim Wicinski <tjw.ietf@gmail.com> wrote: > > > This starts a Working Group Last Call for draft-ietf-dnsop-resolver- > priming > > > > Current versions of the draft is available here: > > https://datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-priming/ > > > > Please review the draft and offer relevant comments. Also, if someone > > feels the document is *not* ready for publication, please speak out with > > your reasons. > > > > This starts a two week Working Group Last Call process, and ends on 19 > > August, 2016 > > I've read draft-ietf-dnsop-resolver-priming-07. I think this is a > useful document and is almost ready for publication. But there seem > to be a few non-trivial issues that may need to be addressed. > > Specific comments: > > - Section 2 > > Therefore, it is important that resolvers be able to cope with > change, even without relying upon configuration updates to be applied > by their operator. > > If we really want to make it work "even without relying upon > configuration updates", we may need to consider some extreme cases > where all of the ./NS data (and/or all of their glue AAAA/A records) > change while a resolver keeps running for a very long period. If > this happens, once the cached priming data expires, even the next > priming would fail, since at that point the resolver needs to use > the configured data but none of the configured data is usable. If > we want to make it work even in such cases, we may have to encourage > some specific techniques more strongly, e.g., query prefetch or > auto-update the configured "root hint" with the result of priming > query, etc. Or, if this sentence doesn't intend to cover such > extreme cases, it may probably have to be reworded to avoid > misunderstanding. > > I think we could clarify the sentence by adding some thing like "as long as at least one of the configured addresses (for each address type, IPv4 and IPv6) responds with the correct list." Even if all the IP's change, we just need one of the IP's to respond with the new list. > - Section 3.1 > > The recursive > resolver SHOULD expire the NS records of the root servers according > to the TTL values given in the priming response. > > Isn't this (= expiring cached data according to TTL) obvious and > non-specific to priming responses? I don't see why we bother to say > the obvious, and if we want to say that I don't see why it's not > even a MUST. > > - Section 3.2 > > If a priming query does not get a response within 2 seconds, the > recursive resolver SHOULD retry with a different target address from > the configuration. > > This sentence doesn't seem to be necessary (and may even cause an > unnecessary confusion), so I'd primarily suggest just removing it > (see my other message on this specific point). > > - Section 3.3 (DNSSEC with Priming Queries) > > I remember I commented on this section before and we had discussions > about how to address it. I don't remember the conclusion at that > time, but is this a result of that discussion? I'm asking this > because the current text still seems to have some explanation gap to > me. > > - Section 4.1 > > [...] There may be an Additional section with A > and/or AAAA RRSets for the root name servers pointed at by the NS > RRSet. > > At least in principle, I suspect the additional A and/or AAAA RRsets > is critical information for priming to work correctly. If the > priming response completely replaces ./NS in the cache populated > from the local configuration but the response lacks the additional > address RRsets, then no further recursive resolution will be > successful. I don't know what's the best way to address this, but > one easy tweak is to say "there should be an Additional section..." > instead of "may". > > - Section 4.2 > > Said another way: in an EDNS > response, if the additional section only has an A RRSet for a server, > the resolver SHOULD assume that no AAAA RRSet exists. > > It's not clear to me why we need to say this, especially with an > RFC2119 keyword. What's wrong, for example, if a resolver tries to > resolve a "missing" AAAA via a separate direct query? > > -- > JINMEI, Tatuya > >
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… 神明達哉
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Bob Harold
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… 神明達哉
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… william manning
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… 神明達哉