Re: [DNSOP] Comment on section 2 of draft-ietf-dnsop-nxdomain-cut-05.txt
Matthew Pounsett <matt@conundrum.com> Tue, 27 September 2016 22:46 UTC
From: Matthew Pounsett <matt@conundrum.com>
Date: Tue, 27 Sep 2016 15:46:16 -0700
Message-ID: <CAAiTEH-_mefMBTKSu8G0mT7rO=GzQk0Bn1tKYcgCsa2pLhutuw@mail.gmail.com>
To: "White, Andrew" <Andrew.White2@charter.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3mRuOUfWNBY-aANPqdlQROjJIoA>
Cc: Edward Lewis <edward.lewis@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] Comment on section 2 of draft-ietf-dnsop-nxdomain-cut-05.txt
On 27 September 2016 at 12:28, White, Andrew <Andrew.White2@charter.com> wrote:

> Hi Shumon,
>
> True. When a resolver gets an NXDOMAIN for, say x.example.com, would it be
> better to say the resolver SHOULD drop from cache all descendants of
> x.example.com, or MAY?
>
> It may be computationally expensive to search cache to remove cached
> NXDOMAIN responses below x.example.com, and I see no harm in letting
> those cached entries expire as their TTL runs out.

Would it be better then to leave early expiry as an implementation choice, and instead say that the implementation SHOULD respond with NXDOMAIN for any QNAME at or below a cached NXDOMAIN?

# When an iterative caching DNS resolver receives a response with RCODE being
# NXDOMAIN, the resolver SHOULD store the response in its (negative) cache.
# During the time the response is cached, any query with a QNAME at or
# descended from the denied name SHOULD be assumed to result in a name error.
# Responses to those queries SHOULD set RCODE=NXDOMAIN (using the DNSSEC
# records cached as proof). Any names at or below the name received in the
# NXDOMAIN response MAY be flushed from cache at the time the response is
# received.

If foo.bar.example.org has a cached record, and an nxdomain for bar.example.org is then cached, further queries for foo.bar.example.org would also trigger NXDOMAIN for as long as bar.example.org is in the negative cache. If the negative response for bar.example.org expires before the positive response for foo.bar.example.org, then that name could pop up in positive responses again... if the implementation hasn't chosen to expire it as well.

My rationale is that if foo.bar.example.org were still a valid name at the time that the bar.example.org NXDOMAIN response was issued, then NXDOMAIN was not the correct response. It would be inappropriate to answer for foo.bar.example.org out of the cache in that case.
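The two-cache behaviour discussed in the message above (a SHOULD on answering NXDOMAIN for any QNAME at or below a negatively cached name, and a MAY on flushing descendants) can be made concrete with a small simulation. The following is an added illustration, not code from the thread, the draft, or any resolver implementation. It assumes a simple in-memory resolver cache with a simulated clock; the names, rdata and TTL values are constructed for the example. `run_scenario()` replays the foo.bar.example.org / bar.example.org case from the message, once without and once with early flushing, so the "pops up again" effect is visible as a return value.

```python
"""Toy model of NXDOMAIN-cut negative caching (added example, not from the thread).

Names are assumed to be lowercase, fully qualified and written without a
trailing dot. The clock is simulated so TTL expiry can be stepped by hand.
"""

NXDOMAIN = "NXDOMAIN"
NOERROR = "NOERROR"


def ancestors(name):
    """Yield the name itself, then each parent name up to the TLD.

    ancestors('foo.bar.example.org') yields
      'foo.bar.example.org', 'bar.example.org', 'example.org', 'org'
    """
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class NegativeCachingResolver:
    def __init__(self, flush_descendants=False):
        self.now = 0                # simulated clock, in seconds
        self.positive = {}          # name -> (rdata, expires_at)
        self.negative = {}          # name -> expires_at for cached NXDOMAIN
        self.flush_descendants = flush_descendants   # the draft's MAY clause

    def tick(self, seconds):
        self.now += seconds

    def _expire(self):
        # Drop entries whose TTL has run out, in both caches.
        self.positive = {n: v for n, v in self.positive.items() if v[1] > self.now}
        self.negative = {n: e for n, e in self.negative.items() if e > self.now}

    def cache_positive(self, name, rdata, ttl):
        self.positive[name] = (rdata, self.now + ttl)

    def cache_nxdomain(self, name, ttl):
        self.negative[name] = self.now + ttl
        if self.flush_descendants:
            # Optional early expiry: remove every cached name at or below
            # the denied name as soon as the NXDOMAIN arrives.
            self.positive = {n: v for n, v in self.positive.items()
                             if name not in ancestors(n)}

    def lookup(self, qname):
        """Return (rcode, rdata); rcode None means a cache miss."""
        self._expire()
        # The SHOULD clause: any QNAME at or below a negatively cached
        # name is treated as a name error, regardless of positive entries.
        for anc in ancestors(qname):
            if anc in self.negative:
                return (NXDOMAIN, None)
        if qname in self.positive:
            return (NOERROR, self.positive[qname][0])
        return (None, None)   # would be resolved upstream by a real resolver


def run_scenario(flush_descendants):
    """Replay the case from the message: a positive entry below a later NXDOMAIN.

    Returns the rcode seen while the NXDOMAIN is cached and the rcode seen
    just after it expires (the positive entry's TTL is still running).
    """
    r = NegativeCachingResolver(flush_descendants)
    r.cache_positive("foo.bar.example.org", "192.0.2.10", ttl=3600)  # constructed
    r.cache_nxdomain("bar.example.org", ttl=300)                     # constructed
    during = r.lookup("foo.bar.example.org")[0]
    r.tick(301)   # negative entry expires, positive entry does not
    after = r.lookup("foo.bar.example.org")[0]
    return during, after


if __name__ == "__main__":
    print("no early flush:", run_scenario(False))   # ('NXDOMAIN', 'NOERROR')
    print("early flush:   ", run_scenario(True))    # ('NXDOMAIN', None)
```

Without early flushing the stale positive answer for foo.bar.example.org reappears the moment the negative entry expires, which is exactly the case the message argues against; with the MAY clause exercised, the lookup after expiry is a cache miss and the resolver has to ask the authoritative side again.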
- [DNSOP] Comment on section 2 of draft-ietf-dnsop-… Edward Lewis
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Mark Andrews
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Edward Lewis
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Shumon Huque
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… White, Andrew
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Shumon Huque
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… White, Andrew
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Shumon Huque
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Shumon Huque
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Matthew Pounsett
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Edward Lewis
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Shumon Huque
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Matthew Pounsett
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Ralf Weber
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Shumon Huque
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Shumon Huque
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Matthew Pounsett
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Shumon Huque
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Stephane Bortzmeyer
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Stephane Bortzmeyer
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Stephane Bortzmeyer
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Stephane Bortzmeyer
- Re: [DNSOP] Comment on section 2 of draft-ietf-dn… Stephane Bortzmeyer