IETF Logo Mail Archive

Re: [DNSOP] draft-wkumari-dnsop-dist-root-01.txt

Ralf Weber <dns@fl1ger.de> Sun, 06 July 2014 22:52 UTC

Return-Path: <dns@fl1ger.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1A951B27B3 for <dnsop@ietfa.amsl.com>; Sun, 6 Jul 2014 15:52:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BMItzyQxj0Tr for <dnsop@ietfa.amsl.com>; Sun, 6 Jul 2014 15:52:47 -0700 (PDT)
Received: from nox.guxx.net (nox.guxx.net [78.46.109.173]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD9C1B27B2 for <dnsop@ietf.org>; Sun, 6 Jul 2014 15:52:47 -0700 (PDT)
Received: by nox.guxx.net (Postfix, from userid 65534) id 48A2DDB8269; Mon, 7 Jul 2014 00:52:44 +0200 (CEST)
Received: from [10.13.75.79] (194-29-15-41.static.cablecom.ch [194.29.15.41]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by nox.guxx.net (Postfix) with ESMTPSA id 48D6DDB8147; Mon, 7 Jul 2014 00:52:43 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Ralf Weber <dns@fl1ger.de>
In-Reply-To: <etPan.53b82396.4353d0cd.38df@walrus.hopcount.ca>
Date: Mon, 07 Jul 2014 00:52:40 +0200
X-Mao-Original-Outgoing-Id: 426379960.840936-767454ffd9b73941a3a83b77e889ca80
Content-Transfer-Encoding: quoted-printable
Message-Id: <EB6D8EA8-A3AD-4740-A202-4ACA656B6A17@fl1ger.de>
References: <20140703211746.18462.44333.idtracker@ietfa.amsl.com> <1C377AE9-2B16-4FCB-9612-48AB0E6EB2B3@vpnc.org> <etPan.53b82396.4353d0cd.38df@walrus.hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/2XVv3Zt1OoPm3Cs7e4Lkh0TtldY
Cc: dnsop WG <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] draft-wkumari-dnsop-dist-root-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Jul 2014 22:52:50 -0000

Moin!

On 05 Jul 2014, at 18:11, Joe Abley <jabley@hopcount.ca> wrote:
> TL;DR: there are way more cons than pros to this proposal. The pros listed are weak; the cons listed are serious. I don't see a net advantage to the DNS (or to perceived performance of the DNS for any client) here. This proposal, if implemented, would represent non-trivial additional complexity with minimal or no benefit. I am not in favour of it, if that's not obvious.
> 
> As noted previously, I am not against documenting and discussing the merits of slaving the root zone on resolvers (in some fashion). My preference would be for a draft called something like "draft-ietf-dnsop-slaving-root-on-resolvers-harmful", which could borrow much of your section 5.1 and 5.2 to make its argument.
Oh like draft-ietf-dnsop-reflectors-are-evil that became RFC5358, but still hasn't stopped Google and others offering open resolving service to the internet. Granted there are a lot of open DNS proxies out there that should be taken down, but I assume there are some companies offering resolving services that are valuable to Internet users.

> I remain very much *not* in favour of making changes to the DNS specification that don't have a clear benefit to balance their costs.
I think there is a difference between the precise specification and what you can do with your DNS software. While it may not be within the spec you can setup an auth server today that slaves the root zone and use a stub on your resolver to point to that root zone. That's how I run my setup at home because I don't want to my queries to be part of the DITL collection and I know that others do that because they have very bad connectivity to the root servers and in general. 

I think if we think of the resolver having another auth root server at localhost the logic is easier to understand makes much more sense as DNSSEC protections would kick in even if someone managed to inject a bad zone. 

The draft doesn't require every resolver to slave the zone, but merly is an information that this is a possible way to do it and I assume that large resolver operators would benefit from it and the CPEs you mention that even haven't implemented EDNS0 wouldn't matter anyway.

It in the end of course comes down to do we want to document what is out there  anyway or do we want to hide our heads in the sand. Especially for an operational group I would prefer the former.

So long
-Ralf

v2.46.0 | Report a Bug | By Email | System Status