IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

Peter Thomassen <peter@desec.io> Fri, 19 May 2023 09:18 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26BEBC151543 for <dnsop@ietfa.amsl.com>; Fri, 19 May 2023 02:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VQ9yxWERdKvh for <dnsop@ietfa.amsl.com>; Fri, 19 May 2023 02:18:19 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F1E9C151535 for <dnsop@ietf.org>; Fri, 19 May 2023 02:18:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject:From :References:Cc:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=sSx5jCUBgLG7V/HwibHIlgoCPBVZLJPusJY0qvfg2Es=; b=Xnk3k10uRQqOG77bbj4k5xTYLd 5Qq6oT+Eb1lEIHmV6t9eGmK8POGHURlAIUrvYMvxrinxWRZX+zSvEsthzpKi/tvlfk/lv/pFps81w FLiwpOvWBEZ/jcT6BbejL4bbqarYCBiz2y1vKygVg7zztnjdvRMp7iniqrvXXSHRBcG+4M54lwQqV zDcDTY1dG6KxSTdRpJ/abKN2asZZTpXo60S8yC+Mq8SZa4ZbSUKzsj72phDJLWjCFQfMNVodO8uO7 CSgWLNeVh8gOamAmiRawTSA2rryTBb9pnI5Rag6X7vWOHvBTxG9+hgMwzNHliccJ5uH4c55uy6zEY q9R+FBmQ==;
Received: from [2a00:20:4043:4e95:610e:1fe7:6f61:dd97] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1pzwFc-002ZZV-Hz; Fri, 19 May 2023 11:18:16 +0200
Message-ID: <1f406c57-f56d-855e-84a6-edeb8bd05cb7@desec.io>
Date: Fri, 19 May 2023 11:18:15 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
Content-Language: en-US
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: dnsop@ietf.org
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <ZF6rFlfM7LKObUnQ@straasha.imrryr.org> <CADZyTkn21Z4weUYqmWn1B7_8RnKxd08qnRtDb57MZGgYuASgvA@mail.gmail.com> <70c1c218-35dc-b162-48aa-9756298849da@desec.io> <CADZyTknk-yrWsKthp0fLbHseHHwKW7n2eKiyTmP4xVoohbb7kA@mail.gmail.com>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <CADZyTknk-yrWsKthp0fLbHseHHwKW7n2eKiyTmP4xVoohbb7kA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3EpRUIqTvtJNgcxKCgV-lYXHgPQ>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2023 09:18:24 -0000

Hi Daniel,

On 5/18/23 02:26, Daniel Migault wrote:
>     On 5/17/23 22:01, Daniel Migault wrote:
>      > I agree but as far as can see the cap of the TTL with a revalidation will only resync the resolver and the zone more often than could be expected otherwise but does not result in the cached RRsets differing from those provided by the zone.
> 
>     These two things are not the responsibility of the resolver. It is precisely the task of the TTL to set the expectation for expiry and, when changes are made, for the convergence time to eventual consistency.
> 
> I agree but if a DRO can implement some mechanism that avoids the cache to remain incoherent,

No, it is almost a defining feature of the DNS that it only gives eventually consistent responses. The DNS is not a real-time database.

> I think that is good - especially in a situation where many different zones are involved. Typically, the DRO remains the one serving responses and if one says: the cache does not reflect what I see on the authoritative side...

Some may find that unfortunate, but capping TTLs at the lowest value in the trust chain harms scalability.

In addition, when resolvers apply various ways of "fixing" the auth's TTls, behavior will end up differing across the Internet. That harms interoperability and makes debugging harder.

> this is seen by many MNOs as an issue.

How can it be an issue if the zone operator declares that this is the TTL they want?

It's completely legit for an auth to set a TTL of (say) 1 day, at the cost of slow updates, but with the benefit of more resiliency against short period of auth unreachability. Why take that flexibility away from them?

> Then, do we have an easy way to implement Viktor's revalidation ? TTL cap is at least a (costly) way to implement it.
> 
> 
>     That said, I still don't understand what it's needed for: it seems that it's just not necessary to do revalidation / refetches (= early expiry) after the minimum of TTL_RRset and all of the TTL_DNSKEY, TTL_DS in the chain; you can achieve the same output reliability by doing it when a change in the trust chain is detected and validation would otherwise fail.
> 
> Then I might be missing how this could be implemented. How do we check that the validation will fail? Does the resolver check the key tags for every response ?

There is no extra check. Imagine the following situation:

Day 1
- DS/DNSKEY TTL 1 hour, records fetched at 10:30am UTC
- MX TTL 24 hrs, record fetched at 10:30am UTC
- cache otherwise empty

Day 2
- DS/DNSKEY not currently in cache (expired 1 hour after the fetch on Day 1)
- MX TTL is still valid! (until 10:30am)

Imagine that some time in the morning of Day 2, the AAAA record is queried, let's say at 06:00am UTC. The DS/DNSKEY records are have long expired from the cache (on Day 1), so they will also be re-fetched in order to validate the AAAA response.

If the DS and DNSKEY records turn out are the same as before, no problem. But let's say that the re-fetched the keys have changed completely since yesterday, for whatever reason. The resolver will then use the new key information to validate the AAAA response.

And it is *now* that the resolver could say "oh, actually, I still have this MX record cached until 10:30am, but I know that the keys I used for its validation are no longer there". The resolver COULD then remove the MX record from the cache.

This is very different from applying the minimum of the various TTLs: when you do that, the MX record would already have expired on Day 1 at 11:10am.

I'm fine with resolvers doing that, but I'm not in favor of a general recommendation. It's primarily the zone maintainer's task to get their zone content in order.

Best,
Peter

-- 
https://desec.io/

v2.23.0 | Report a Bug | By Email