Re: [DNSOP] A new version of mixfr
Frederico A C Neves <fneves@registro.br> Wed, 28 March 2018 16:52 UTC
Return-Path: <fneves@registro.br>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9A43126C19 for <dnsop@ietfa.amsl.com>; Wed, 28 Mar 2018 09:52:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yGtEtP-RucYY for <dnsop@ietfa.amsl.com>; Wed, 28 Mar 2018 09:52:14 -0700 (PDT)
Received: from clone.registro.br (clone.registro.br [IPv6:2001:12ff:0:2::4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4F0A1243F6 for <dnsop@ietf.org>; Wed, 28 Mar 2018 09:52:13 -0700 (PDT)
Received: by clone.registro.br (Postfix, from userid 1000) id 3DEAE2A362F; Wed, 28 Mar 2018 13:52:11 -0300 (BRT)
Date: Wed, 28 Mar 2018 13:52:11 -0300
From: Frederico A C Neves <fneves@registro.br>
To: Matthijs Mekking <matthijs@pletterpet.nl>
Cc: dnsop@ietf.org
Message-ID: <20180328165211.GR62218@registro.br>
References: <d7c4fc25-9d4b-d934-bad3-61e7b8364ca2@pletterpet.nl> <20180328150651.GQ62218@registro.br> <da942f70-c822-81c3-3355-d6f453b8ee6c@pletterpet.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <da942f70-c822-81c3-3355-d6f453b8ee6c@pletterpet.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/88pxZHanrnlNtihpWQMDksuNkmo>
Subject: Re: [DNSOP] A new version of mixfr
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 16:52:16 -0000
On Wed, Mar 28, 2018 at 05:43:15PM +0200, Matthijs Mekking wrote: ... > > One comment, > > > > [3.1] As section 3 states that MIXFR is DNSSEC aware we need text > > regarding NSEC3PARAM update as well. > > > > For that I suggest to change 3.1 section name and include an extra > > paragraph. > > > > 3.1 Implicit DNSSEC deletions > > > > When an NSEC3PARAM is modified, the MIXFR client MUST also remove all > > existing NSEC3 records on the zone. > > I agree that with the current syntax NSEC3 resalting is still a hassle. > But I am not sure if this implicit NSEC3 deletion is the right solution: > One can have multiple chains in the zone, the NSEC3PARAM just signals > that the chain is complete. Signers may have incomplete chains as an > intermediate step of NSEC3 resalting. > > I shall add a GitHub issue for this. Thanks for bringing it up! Yes this needs to be further discussed. But I guess a partial resalting the way you describe could be done today using IXFR with no decrease on transfer size, so it defeats the purpose of MIXFR in this case. Today, let me emphasize for large zones, the only practical way of resalting is a full zone resign and transfer using AXFR. Partial resalting results after the very last "part", before you will be ready to updated the NSEC3PARAM and start to delete the old chain, a doubling in the size of the nsec3 records. I guess the argument regarding memory consumption is only relevant on the time that it will be used, less during an AXFR/MIXFR more on the partial/IXFR case. MIXFR the way I described will reduce the need to remove the old chain records making a resalting viable without the need of an AXFR. Fred
- [DNSOP] A new version of mixfr Matthijs Mekking
- Re: [DNSOP] A new version of mixfr Tony Finch
- Re: [DNSOP] A new version of mixfr Pieter Lexis
- Re: [DNSOP] A new version of mixfr tjw ietf
- Re: [DNSOP] A new version of mixfr Frederico A C Neves
- Re: [DNSOP] A new version of mixfr Richard Gibson
- Re: [DNSOP] A new version of mixfr Frederico A C Neves
- Re: [DNSOP] A new version of mixfr Matthijs Mekking
- Re: [DNSOP] A new version of mixfr Matthijs Mekking
- Re: [DNSOP] A new version of mixfr Matthijs Mekking
- Re: [DNSOP] A new version of mixfr Matthijs Mekking
- Re: [DNSOP] A new version of mixfr Ray Bellis
- Re: [DNSOP] A new version of mixfr Frederico A C Neves
- Re: [DNSOP] A new version of mixfr Mark Andrews
- Re: [DNSOP] A new version of mixfr Paul Vixie
- Re: [DNSOP] A new version of mixfr Frederico A C Neves
- Re: [DNSOP] A new version of mixfr Frederico A C Neves
- Re: [DNSOP] A new version of mixfr Mark Andrews
- Re: [DNSOP] A new version of mixfr Frederico A C Neves
- Re: [DNSOP] A new version of mixfr Frederico A C Neves