Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt

Tom Pusateri <> Sun, 26 August 2018 17:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A6AE4130DC8 for <>; Sun, 26 Aug 2018 10:58:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id myaIMeTwjvoe for <>; Sun, 26 Aug 2018 10:58:23 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B27FB12426A for <>; Sun, 26 Aug 2018 10:58:23 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 67A8F26B1; Sun, 26 Aug 2018 13:54:01 -0400 (EDT)
From: Tom Pusateri <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_92FF2388-FB30-488F-8C2D-6A5DEE0A76AD"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sun, 26 Aug 2018 13:58:22 -0400
In-Reply-To: <>
Cc: dnsop WG <>
To: Ted Lemon <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 26 Aug 2018 17:58:26 -0000

> On Aug 26, 2018, at 1:47 PM, Tom Pusateri <> wrote:
>> On Aug 26, 2018, at 12:58 PM, Ted Lemon < <>> wrote:
>> On Sat, Aug 25, 2018 at 3:09 PM Tom Pusateri < <>> wrote:
>> I think I already agreed with you here.
>> My main point was that the primary needs a database and it already has one and probably doesn’t want another one. Because of the added benefit that Paul points out with promoting a secondary to primary after an extended outage, and the points that Joe makes about treating all records the same, it seems logical to store the lease lifetime information as actual resource records and transfer them to the secondary.
>> FWIW, I think the database storage argument is actually the best argument for this proposal: we need a way to represent  the data structure on disk, and what we know how to store are RRs.
>> That said, I think that it's worth asking the question of what the right format is, and not just assuming that it's a hash.
> Nice properties of the hash:
> 1. the length of the output value is consistent across varying input lengths of any RR type (128 bits in the case of the algorithm specified in the draft) making it easy to sequence through.
> 2. it’s independently verifiable between servers and across time on the same server
> 3. it’s independent of position of the RR it covers
> 4. it works the same for all existing RR’s as well as RR’s yet to be defined
> Other methods may share some of these properties but I’m just listing all of the ones I can think of.

Also, remember the hash is only needed if there are multiple records types with the same owner name / class having different timeouts (including no timeout).

So in the case of a unique name being added for a delegated address, the NO HASH value can be used and no hash needs to be calculated. In the case of both an IPv4 and IPv6 address being delegated and subsequently sending an UPDATE with the same owner name, as long as the lease time is the same, again, there is no need for the hash.

If, however, an RRSIG is dynamically generated for the owner name, then the hash will be needed. (You won’t want to timeout RRSIGs but instead timeout the A/AAAA and then recalculate the RRSIG/NSEC/NSEC3/NSEC5 records.)