Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback
Doug Barton <dougb@dougbarton.us> Thu, 20 November 2014 19:13 UTC
Return-Path: <dougb@dougbarton.us>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9586A1A87CE for <dnsop@ietfa.amsl.com>; Thu, 20 Nov 2014 11:13:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.596
X-Spam-Level:
X-Spam-Status: No, score=-2.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.594, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u4VClrMfn98J for <dnsop@ietfa.amsl.com>; Thu, 20 Nov 2014 11:13:43 -0800 (PST)
Received: from dougbarton.us (dougbarton.us [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B5D11A87A8 for <dnsop@ietf.org>; Thu, 20 Nov 2014 11:13:43 -0800 (PST)
Received: from bcn-dbarton.lan (unknown [67.159.169.102]) by dougbarton.us (Postfix) with ESMTPSA id 241BD22B0D for <dnsop@ietf.org>; Thu, 20 Nov 2014 19:13:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dkim; t=1416510823; bh=sVZYMfKHcPP86g/FP/VZWPU/5JAosw6a18RKjqSHZhc=; h=Date:From:To:Subject:References:In-Reply-To; b=XHflplUjQm8bUm/r7ymlwuU7Nr8s/f6GQkd2o5lws1KxFsfyPTAHH55rtWxZ4MRGM Cux7cUSBk2p3a4fH4j3e7kKHfnSPuE9d907s2Aw0YuioUHbtg0XVnjDfbr75JFUGNE /7ia5nkKF3hIdenVm/VFC+U1wkHPxMkIKUzIJThM=
Message-ID: <546E3D66.6090402@dougbarton.us>
Date: Thu, 20 Nov 2014 11:13:42 -0800
From: Doug Barton <dougb@dougbarton.us>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: dnsop@ietf.org
References: <54691B0A.6060508@gmail.com> <54692F7A.6030803@dougbarton.us> <20141117071250.GA55492@isc.org> <546A73B6.2060005@dougbarton.us> <20141117225045.GA35924@isc.org> <546A873F.8060402@dougbarton.us> <546E2287.7080909@dougbarton.us> <DCE8D121-A9D7-40A6-9567-39DF6811A50F@vpnc.org> <CA+nkc8A2nnMWfOt=8w0waG0BDpR=qRBjB098fzDaU31Cv4fJ5Q@mail.gmail.com> <CF7CA3A5-6C2A-459C-8DFB-32DC3807DADE@vpnc.org> <CA+nkc8CpPvtvFqnnoTun5qds7H_nxTft2umFwznaZ2C7_-QQkg@mail.gmail.com>
In-Reply-To: <CA+nkc8CpPvtvFqnnoTun5qds7H_nxTft2umFwznaZ2C7_-QQkg@mail.gmail.com>
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/18bgHxMrSBsETv3a4rra1NJ2xGo
Subject: Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 19:13:45 -0000
What about something like this: When using BIND, or other software that can act as both a recursive and authoritative server in the same instance, there is a tradeoff between using a separate view (or separate instance) for slaving the root zone, versus slaving the zone into the same view (or instance) where the recursion is occurring. Using a separate view/instance has the advantage that when the recursor is also performing DNSSEC validation that the DS records in the slaved zone will also be validated. In BIND this validation does not occur when the zone is slaved into the same view/instance where the recursion/validation is occurring. Slaving the zone into the same view/instance as the recursion has the advantage that when changes happen to the data in the zone the recursive view/instance will be updated as soon as it receives its copy of the zone. When using a separate view for slaving the zone the recursive instance will cache all of the queries it looks up. Currently the TTL for DS and delegation NS records is 2 days. On 11/20/14 10:52 AM, Bob Harold wrote: > Thanks Paul, > I use BIND, but am not an expert. Based on the discussion I will > suggest some words and the experts can correct me: > > Note: By using a separate view, the "recursive" view will do DNSSEC > validation on the responses it receives from the "root" view, which > is necessary for security. It will cache the answers, including the > validation. > > Alternatively, if the root zone was loaded directly in the > "recursive" view, then DNSSEC validation would not be done, as BIND > would trust the zone. Then you would want to do separate validation > on the zone during zone transfers. This might result in less > caching and less time spent validating, but requires a more complex > configuration. > > > > > -- > Bob Harold > hostmaster, UMnet, ITcom > Information and Technology Services (ITS) > rharolde@umich.edu <mailto:rharolde@umich.edu> > 734-647-6524 desk > > On Thu, Nov 20, 2014 at 1:25 PM, Paul Hoffman <paul.hoffman@vpnc.org > <mailto:paul.hoffman@vpnc.org>> wrote: > > On Nov 20, 2014, at 10:20 AM, Bob Harold <rharolde@umich.edu > <mailto:rharolde@umich.edu>> wrote: > > I can see where "validate on zone transfer" would be a feature request. And "validate everything" similarly. > > > > For the draft, could a small paragraph be added explaining the difference between using a separate view for the root zone and just loading it in the same view, so that people like me realize the tradeoffs before we decide to implement the draft with what we might think is a minor simplification, not realizing the impact? > > Yes, we can add this to the BIND example in the appendices. Given > that I kinda suck at BIND, proposed wording would cause less grief > in the next draft... > > --Paul Hoffman > >
- [DNSOP] Call for Adoption draft-wkumari-dnsop-roo… Tim Wicinski
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… John Levine
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Tim Wicinski
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Doug Barton
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Evan Hunt
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Evan Hunt
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Doug Barton
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Paul Vixie
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Doug Barton
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Evan Hunt
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Nicholas Weaver
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… David Conrad
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Paul Hoffman
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Jacques Latour
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Doug Barton
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Bob Harold
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Paul Hoffman
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Doug Barton
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Bob Harold
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Paul Hoffman
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… David Conrad
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Bob Harold
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Doug Barton
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Evan Hunt
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Doug Barton
- [DNSOP] Differences between one view and two in B… Paul Hoffman
- Re: [DNSOP] Differences between one view and two … Doug Barton
- Re: [DNSOP] Differences between one view and two … Doug Barton
- Re: [DNSOP] Differences between one view and two … Paul Hoffman
- Re: [DNSOP] Differences between one view and two … Paul Vixie
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Jiankang Yao
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Paul Hoffman
- Re: [DNSOP] Call for Adoption draft-wkumari-dnsop… Tim Wicinski