Re: [DNSOP] RFC 7477 on Child-to-Parent Synchronization in DNS
Bob Harold <rharolde@umich.edu> Mon, 16 March 2015 15:38 UTC
Date: Mon, 16 Mar 2015 11:37:52 -0400
Message-ID: <CA+nkc8DbSgQiqA+bqvyC-wViqaiEuT2gsgDf1kM3t_otGkwQJA@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
To: IETF DNSOP WG <dnsop@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/7uWB2am5hNx77pfNNe0qDfv4SOY>
Subject: Re: [DNSOP] RFC 7477 on Child-to-Parent Synchronization in DNS
My apologies for not seeing this sooner.

In section "5. Security Considerations":

To ensure that an older CSYNC record making use of the soaminimum flag cannot be replayed to revert values, the SOA serial number MUST NOT be incremented by more than 2^16 during the lifetime of the signature window of the associated RRSIGs signing the SOA and CSYNC records. Note that this is independent of whether or not the increment causes the 2^32 bit serial number field to wrap.

Why 2^16 instead of (2^31)-1, which is all that is required to prevent the Serial Number Arithmetic [RFC1982] from comparing improperly?

Are typical signature windows for RRSIG records a year or two? It would seem then that 2^16 (65536) increments would only allow an average rate of less than 8 changes per hour. For a dynamically updated DNS zone this could be too small.

-- 
Bob Harold

On Fri, Mar 13, 2015 at 4:11 PM, <rfc-editor@rfc-editor.org> wrote:
> A new Request for Comments is now available in online RFC libraries.
>
>
> RFC 7477
>
> Title: Child-to-Parent Synchronization in DNS
> Author: W. Hardaker
> Status: Standards Track
> Stream: IETF
> Date: March 2015
> Mailbox: ietf@hardakers.net
> Pages: 15
> Characters: 34471
> Updates/Obsoletes/SeeAlso: None
>
> I-D Tag: draft-ietf-dnsop-child-syncronization-07.txt
>
> URL: https://www.rfc-editor.org/info/rfc7477
>
> This document specifies how a child zone in the DNS can publish a
> record to indicate to a parental agent that the parental agent may
> copy and process certain records from the child zone. The existence
> of the record and any change in its value can be monitored by a
> parental agent and acted on depending on local policy.
>
> This document is a product of the Domain Name System Operations Working
> Group of the IETF.
>
> This is now a Proposed Standard.
>
>
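The following is an added example, not code from RFC 7477, from the message above, or from any DNS implementation. It implements RFC 1982 serial number arithmetic (32-bit, 2^31 comparison horizon) and uses it to model the replay the Security Considerations text is guarding against: an attacker re-presents a captured SOA+CSYNC pair whose RRSIGs are still valid after the live zone has advanced its serial. The `ParentalAgent` class and its rule of never going backwards from the last serial it acted on are an assumed policy for illustration; RFC 7477 itself only states that a soaminimum CSYNC must not be processed when the zone's SOA serial is less than the CSYNC SOA Serial Field. The example goes beyond the quoted text in that it shows the (2^31)-1 boundary the message mentions directly: a replay is rejected by serial comparison while the zone has advanced by fewer than 2^31, and is accepted once the old serial has wrapped far enough to compare as "newer".

```python
"""RFC 1982 serial arithmetic and a CSYNC soaminimum replay model.

Added example; not RFC 7477 text or code from the thread.  The parental
agent state model below is an assumption made for illustration.
"""

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)        # 2^31: RFC 1982 comparison horizon
MAX_INCREMENT = HALF - 1             # largest addition RFC 1982 defines
CSYNC_WINDOW_INCREMENT = 1 << 16     # RFC 7477 section 5 bound per signature window


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 section 3.1: s + n is defined only for 0 <= n <= 2^31 - 1."""
    if not 0 <= n <= MAX_INCREMENT:
        raise ValueError("increment outside the RFC 1982 range")
    return (serial + n) % MODULUS


def serial_compare(s1: int, s2: int) -> int:
    """RFC 1982 section 3.2 ordering: -1 if s1 < s2, 1 if s1 > s2, 0 if equal.

    Raises ValueError when the values are exactly 2^31 apart (undefined)."""
    if s1 == s2:
        return 0
    forward = (s2 - s1) % MODULUS     # distance from s1 counting upwards to s2
    if forward == HALF:
        raise ValueError("comparison undefined: values are 2^31 apart")
    return -1 if forward < HALF else 1


def serial_lt(s1: int, s2: int) -> bool:
    return serial_compare(s1, s2) < 0


class ParentalAgent:
    """Minimal parental-agent model (assumed policy, not RFC text).

    It remembers the SOA serial of the last CSYNC it acted on and, for
    soaminimum CSYNCs, refuses anything whose SOA serial compares lower."""

    def __init__(self, last_serial: int):
        self.last_serial = last_serial

    def accepts(self, soa_serial: int, csync_serial_field: int,
                soaminimum: bool) -> bool:
        if not soaminimum:
            return True
        try:
            # RFC 7477: do not process if the zone's SOA serial is less than
            # the CSYNC SOA Serial Field.
            if serial_lt(soa_serial, csync_serial_field):
                return False
            # Assumed anti-rollback rule: never act on a serial older than
            # the one already processed.
            return not serial_lt(soa_serial, self.last_serial)
        except ValueError:
            return False                # undefined ordering: fail closed


def replay_succeeds(captured_serial: int, increments_since: int) -> bool:
    """Replay model: the attacker captured a signed SOA+CSYNC pair at
    captured_serial and re-presents it while its RRSIGs are still valid.
    The zone has since been incremented increments_since times (raw 32-bit
    wrap, not serial_add, because the zone may have wrapped).  Returns True
    when the stale pair gets past the parental agent's checks."""
    current = (captured_serial + increments_since) % MODULUS
    parent = ParentalAgent(last_serial=current)
    return parent.accepts(soa_serial=captured_serial,
                          csync_serial_field=captured_serial,
                          soaminimum=True)


def max_changes_per_hour(window_days: float) -> float:
    """Average update rate the 2^16 bound allows across a signature window."""
    return CSYNC_WINDOW_INCREMENT / (window_days * 24)


if __name__ == "__main__":
    for n in (CSYNC_WINDOW_INCREMENT, MAX_INCREMENT, HALF, HALF + 1):
        print(f"zone advanced by {n:>10}: replay accepted = {replay_succeeds(1000, n)}")
    print(f"2^16 over a 365-day window: {max_changes_per_hour(365):.2f} changes/hour")
```

Within the bound the message discusses, the serial comparison alone rejects the stale pair regardless of whether the 32-bit counter wrapped in between; the replay only gets through once the zone has moved more than 2^31 past the captured serial, at which point RFC 1982 ordering makes the old serial look newer. The 2^16 figure from the RFC is therefore far inside the point at which comparison breaks down, which is the gap the message asks about.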