Re: [DNSOP] [Ext] Starting a -bis document for RFC 8109: Initializing a DNS Resolver with Priming Queries

George Michaelson <ggm@algebras.org> Thu, 06 August 2020 22:33 UTC

Return-Path: <ggm@algebras.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0B1D3A09D9 for <dnsop@ietfa.amsl.com>; Thu, 6 Aug 2020 15:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jOUFw1BB3MXQ for <dnsop@ietfa.amsl.com>; Thu, 6 Aug 2020 15:33:01 -0700 (PDT)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6A483A09C7 for <dnsop@ietf.org>; Thu, 6 Aug 2020 15:33:01 -0700 (PDT)
Received: by mail-il1-x134.google.com with SMTP id x1so193615ilp.7 for <dnsop@ietf.org>; Thu, 06 Aug 2020 15:33:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=zNSdmPLz8SEyTMV2rYFl4LrlbeoT1zi0CrUQaK+VldI=; b=dphUPlUVSMNQ32fLcjmXXZuK3p+jXU0tTVN2Bd7AohTfBw5pQt9tTAMIsKHgt2PT2Y LgtyASCGsTJGr8UxPMniZwN6RSZW+TIVt8viIA08KwvlxsWY4bLbE+Dd9jGk2cV3E0Ze LKymFkyVRBYwY9XDwK8XlHGdA+WA2AqzCnYA5yoZ+NPwcjBcN1PB+RgAucstoSlxs/hN r03+8LY9fslnUzi2wjaa5d6rLKYFwrd3LtzHB/4kaxzGaaD1EbLvSzy7JAs4JwJNRoKB Ab60QNI5/1E6eWc4DWZ+2kmJv7NMzuT1BwNdT67lny8JHAx9yCbbrxI/kP+6k5fF0QY7 rkhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=zNSdmPLz8SEyTMV2rYFl4LrlbeoT1zi0CrUQaK+VldI=; b=EzHPxq07WnLzizL/JZ4Tpv3kMf+rUEIHolphnvRN4cD2UOadVKY33ShDmkWKG5QEXo /hNjDF9tIqNe/pa7CY1sFvHb5bGeJiCjouniTUIEy3yIouIynde88GSp0LeGnagvA1gs UW7PvfIAVtfGsILC5+Tb8c4UH/IKbvm/5fPSIGpZJRFJ7r7ToFUI6MgQPvpeKBAltgPQ 0Cj07OtUhHBeZcWEGnCMKxlhK9tt60hZBKaC+YE2wPVSBaiczch/PGDujYFn0jRukOTP /77DV0QDTEKbayRHdT6qAQwriFaXZnuO9NwGHTo6oEG+asxzVDUjONQ6P0zMNclgDEwo UoTA==
X-Gm-Message-State: AOAM531tZWlTycPEzjfX29lbp0Rm46rBM8RHbv4TynSxRi5ftVyzLLSy 0Rs8gwSQXAPi9sNI2OvQ3tnU1yCmfs2Co7a+W9KeXKSe
X-Google-Smtp-Source: ABdhPJynMhxENWybEMbUYqufR0CEeM0TjG+d5voYpbK7/0qcvG4zFBaAGwcG05NwNQsEYtbkbSiLF0lH6/DMLQilUV4=
X-Received: by 2002:a92:ad12:: with SMTP id w18mr1161512ilh.218.1596753179966; Thu, 06 Aug 2020 15:32:59 -0700 (PDT)
MIME-Version: 1.0
References: <93EB63F9-458B-4F16-BEDC-5CFF4132D049@icann.org> <C71A0A92-6AC2-43BC-8D04-AE695C1F6C2C@depht.com> <AAB62D09-6395-4AFB-B446-7D58C21E82F5@icann.org>
In-Reply-To: <AAB62D09-6395-4AFB-B446-7D58C21E82F5@icann.org>
From: George Michaelson <ggm@algebras.org>
Date: Fri, 7 Aug 2020 08:32:48 +1000
Message-ID: <CAKr6gn0pRVYxOc=17-WT5185QX-R3RdqDHgVV7D=cD9BP5kR_A@mail.gmail.com>
To: dnsop WG <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0xNx9H-Fkslo7BcpfYQlDjw6c9E>
Subject: Re: [DNSOP] [Ext] Starting a -bis document for RFC 8109: Initializing a DNS Resolver with Priming Queries
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2020 22:33:04 -0000

If I (insanely) ran a totally manual, out of band process to
periodically canvas the space and injected the knowns into the model
of "root" for my resolver, would I be able to say I am primed?

I am trying to get to the point that the "how" part is only exemplary,
explanatory. The requirement is that you have the information, now how
you get it or how it comes into your resolver.

The distinction between shipped states of the root.hints and the
actual live mappings of the domain labels inherent in it, to addresses
(if you like) I can bypass the hints file ,and use SQL to update my
root mapping.

I think the intent of "priming" is that you then populate the
information from 'inside' DNS. But, again, its only advisory, its not
standards enforced is it? I can populate my continuing knowledge of
the state of the DNS at the root, or anywhere else, in any mechanism I
like.

I could periodically FTP the zone files from places, and populate my
resolver cache state from these. I could basically "never" forward DNS
queries high in the tree, if I felt like making my server do that.

Am I "not primed" if I do this?

(this mechanism wouldn't support authenticated denial of arbitrary
labels, as an example)

-G

On Fri, Aug 7, 2020 at 12:42 AM Paul Hoffman <paul.hoffman@icann.org> wrote:
>
> On Aug 6, 2020, at 4:08 AM, Andrew McConachie <andrew@depht.com> wrote:
> >
> > What does it mean for a resolver to be primed, or for a resolver to not be primed? For example, is a resolver considered primed only if it has all root server names and IP addresses? 50%? At least 1?
>
> Excellent questions, two that the WG can certainly consider. Note that it *is* two questions, the root server names and the associated addresses.
>
> From the text you quote:
>
> >   Priming is the act of finding the list of root servers from a
> >   configuration that lists some or all of the purported IP addresses of
> >   some or all of those root servers.  A recursive resolver starts with
> >   no information about the root servers, and ends up with a list of
> >   their names and their addresses.
>
> RFC 8109 indicates that priming means knowing the full set of names and the full set of addresses.
>
> > If that were true it would be impossible for the resolver to find anything. It definitely starts with some information about the root servers. Maybe change "no information" to "this information".
>
> This distinction is important. A resolver starts with no actual information, but only meta-information: where to get the actual names and addresses for the root server. Is there a better way to say this in the -bis document?
>
> --Paul Hoffman_______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop