IETF Logo Mail Archive

Re: [DNSOP] Fracturing the protocol - was Re: Updated cheese-shop.

Evan Hunt <each@isc.org> Wed, 02 March 2016 06:49 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5E081A1B20 for <dnsop@ietfa.amsl.com>; Tue, 1 Mar 2016 22:49:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id evkUGrUTpzAC for <dnsop@ietfa.amsl.com>; Tue, 1 Mar 2016 22:49:56 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFCE61A1B1F for <dnsop@ietf.org>; Tue, 1 Mar 2016 22:49:47 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [149.20.48.19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id 2EADF1FCAB3; Wed, 2 Mar 2016 06:49:44 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 0DB88216C1C; Wed, 2 Mar 2016 06:49:43 +0000 (UTC)
Date: Wed, 02 Mar 2016 06:49:43 +0000
From: Evan Hunt <each@isc.org>
To: Mark Andrews <marka@isc.org>
Message-ID: <20160302064942.GA97305@isc.org>
References: <D2F9A5BA.13FE2%edward.lewis@icann.org> <20160229151220.7d7e9643@pallas.home.time-travellers.org> <D2F9BED8.13FF9%edward.lewis@icann.org> <20160229160357.2ef4fd29@pallas.home.time-travellers.org> <CAHw9_iKJwJh0AELts8Vy+K+qtNwo+rtuLa36ukGcty7CxnvOMg@mail.gmail.com> <CAN6NTqzHmADWnm10Y9Ap4UqSSk_h9zeru=vUeRHUdU_w7Nr=vw@mail.gmail.com> <56D5B830.80109@bellis.me.uk> <20160301210639.64A47438D02A@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160301210639.64A47438D02A@rock.dv.isc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/7WiUlvI8xtSuSR0pFHOhWAApI2Y>
Cc: dnsop@ietf.org, Ray Bellis <ray@bellis.me.uk>
Subject: Re: [DNSOP] Fracturing the protocol - was Re: Updated cheese-shop.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2016 06:49:57 -0000

On Wed, Mar 02, 2016 at 08:06:39AM +1100, Mark Andrews wrote:
> ANC does not work for zones using OPTOUT.  This is just about all
> TLDs and similar zones.

To be pedantic, it doesn't work for optout ranges. I don't actually know
offhand of any zones that mix optout and non-optout, though, so it's a
fairly pointless quibble.

> That then leaves leaf zones.  Here sites will not want ANC for their
> own zones internally.  Externally there is only real benefit if you
> are under a random prefix DoS attack.

Random prefix DoS attacks are prevalent enough nowadays to make
this seem like a rather significant exception.

The downsides should be manageable. We can implement ANC so that it's
separately enabled or disabled for different namespaces, and put a TTL
cap on NSEC/NSEC3 records in zones that have ANC enabled.

I agree with the suggestion upthread that we address the general case
instead of the root-only solution.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

v2.23.0 | Report a Bug | By Email