IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming

神明達哉 <jinmei@wide.ad.jp> Wed, 17 August 2016 16:46 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6183C12DBD2 for <dnsop@ietfa.amsl.com>; Wed, 17 Aug 2016 09:46:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uf-NA1qmE84q for <dnsop@ietfa.amsl.com>; Wed, 17 Aug 2016 09:46:01 -0700 (PDT)
Received: from mail-qk0-x242.google.com (mail-qk0-x242.google.com [IPv6:2607:f8b0:400d:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 644E712D899 for <dnsop@ietf.org>; Wed, 17 Aug 2016 09:46:01 -0700 (PDT)
Received: by mail-qk0-x242.google.com with SMTP id x189so10485972qkd.0 for <dnsop@ietf.org>; Wed, 17 Aug 2016 09:46:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:from:date:message-id:subject:to:cc; bh=UqeK+XY5Q1FdI6aD3+AZ+2GtccBElj0kYgGa6cLMULs=; b=uWke4RzR6IEJ2ANGgcddYoNwj5Rc3ZMAS73Bm3eIYxmyJwD243sTmKYwtn8dBjMSJV BlEcfoty/f1Tggl60PXYql+5fPJVt2KxhM13JYwDXhNbtJXbwALEUtUHEvarjRnmi7Y/ cNcOpTGhdu1WdkkbnYYpyenuoT1GtELeB4wj774RuXobu2FVUabT9U2+EnR1ptU+4L/8 yoYGmwkj07GaURMchmehAzuVMnhiBzFliO4YjyKOjumX8pfYdoVuxXAoet0DY/hLLfVA I1KUdiP8o2kz1K4uCsglOHeaO511glpWOszg0ZdQcIX0qgXt1b7Knwfhf8waxQndKaXH u9Qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:cc; bh=UqeK+XY5Q1FdI6aD3+AZ+2GtccBElj0kYgGa6cLMULs=; b=eWPJAP48ecFuiOGah+upuwzxRQbSKBEoNguNaDtZeQqUnCit8vjFxbYnj8hzcnF8nW OhkJDERMpJNHGeb1dv0cvh+9Oy82LIvLy4jjqgjChiF5EVuw7BJSNleH/qEBNKhZ9c/n kcDrpGsy8WDMwv9n4heMLrdA71h9tTqtl6FKDLfGeFdl/JrKn6yyjxJcqhDLhFqn4V0W o+KkWTAlXkr1QemBBrFiG1GGRoSm5TxICr3od+6Aobnv2yPeBObIFNZmUUNHZ4fGB9At 90kkRW0MBaWweTPtXR5rDnmGTdU1jRfLjrUijqkFHvWhc7hn+S8IRycupbwtzINid6aK qWBA==
X-Gm-Message-State: AEkooutAL69zhZ9pEztCqdob+AU/npEzRuuCa4KBr4zt9g5VWrMnDqimChh2eOcgSaatOk74L9H6KxVWUTRY8Q==
X-Received: by 10.55.104.139 with SMTP id d133mr44306683qkc.126.1471452360338; Wed, 17 Aug 2016 09:46:00 -0700 (PDT)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.33.154 with HTTP; Wed, 17 Aug 2016 09:45:59 -0700 (PDT)
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Wed, 17 Aug 2016 09:45:59 -0700
X-Google-Sender-Auth: rmrwdR6LCOlCsDQDmyrIyxkPRHE
Message-ID: <CAJE_bqeLrf_tV+FZo4vk3YPbhTAnzMgPJH7KwzV6MXm_LGC04Q@mail.gmail.com>
To: Tim Wicinski <tjw.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7uPWdcYDyGGJkoSOuvK0LZ1LLIk>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 16:46:03 -0000

At Thu, 4 Aug 2016 20:03:35 -0400,
Tim Wicinski <tjw.ietf@gmail.com> wrote:

> This starts a Working Group Last Call  for draft-ietf-dnsop-resolver-priming
>
> Current versions of the draft is available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-priming/
>
> Please review the draft and offer relevant comments. Also, if someone
> feels the document is *not* ready for publication, please speak out with
> your reasons.
>
> This starts a two week Working Group Last Call process, and ends on 19
> August, 2016

I've read draft-ietf-dnsop-resolver-priming-07.  I think this is a
useful document and is almost ready for publication.  But there seem
to be a few non-trivial issues that may need to be addressed.

Specific comments:

- Section 2

   Therefore, it is important that resolvers be able to cope with
   change, even without relying upon configuration updates to be applied
   by their operator.

  If we really want to make it work "even without relying upon
  configuration updates", we may need to consider some extreme cases
  where all of the ./NS data (and/or all of their glue AAAA/A records)
  change while a resolver keeps running for a very long period.  If
  this happens, once the cached priming data expires, even the next
  priming would fail, since at that point the resolver needs to use
  the configured data but none of the configured data is usable.  If
  we want to make it work even in such cases, we may have to encourage
  some specific techniques more strongly, e.g., query prefetch or
  auto-update the configured "root hint" with the result of priming
  query, etc.  Or, if this sentence doesn't intend to cover such
  extreme cases, it may probably have to be reworded to avoid
  misunderstanding.

- Section 3.1

   The recursive
   resolver SHOULD expire the NS records of the root servers according
   to the TTL values given in the priming response.

  Isn't this (= expiring cached data according to TTL) obvious and
  non-specific to priming responses?  I don't see why we bother to say
  the obvious, and if we want to say that I don't see why it's not
  even a MUST.

- Section 3.2

   If a priming query does not get a response within 2 seconds, the
   recursive resolver SHOULD retry with a different target address from
   the configuration.

  This sentence doesn't seem to be necessary (and may even cause an
  unnecessary confusion), so I'd primarily suggest just removing it
  (see my other message on this specific point).

- Section 3.3 (DNSSEC with Priming Queries)

  I remember I commented on this section before and we had discussions
  about how to address it.  I don't remember the conclusion at that
  time, but is this a result of that discussion?  I'm asking this
  because the current text still seems to have some explanation gap to
  me.

- Section 4.1

   [...]  There may be an Additional section with A
   and/or AAAA RRSets for the root name servers pointed at by the NS
   RRSet.

  At least in principle, I suspect the additional A and/or AAAA RRsets
  is critical information for priming to work correctly.  If the
  priming response completely replaces ./NS in the cache populated
  from the local configuration but the response lacks the additional
  address RRsets, then no further recursive resolution will be
  successful.  I don't know what's the best way to address this, but
  one easy tweak is to say "there should be an Additional section..."
  instead of "may".

- Section 4.2

   Said another way: in an EDNS
   response, if the additional section only has an A RRSet for a server,
   the resolver SHOULD assume that no AAAA RRSet exists.

  It's not clear to me why we need to say this, especially with an
  RFC2119 keyword.  What's wrong, for example, if a resolver tries to
  resolve a "missing" AAAA via a separate direct query?

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email