IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt

Shumon Huque <shuque@gmail.com> Wed, 09 March 2022 05:12 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B83583A172B for <dnsop@ietfa.amsl.com>; Tue, 8 Mar 2022 21:12:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wWTxvFbq_XVR for <dnsop@ietfa.amsl.com>; Tue, 8 Mar 2022 21:12:27 -0800 (PST)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DC303A0DCE for <dnsop@ietf.org>; Tue, 8 Mar 2022 21:12:27 -0800 (PST)
Received: by mail-pf1-x42f.google.com with SMTP id a5so1290954pfv.2 for <dnsop@ietf.org>; Tue, 08 Mar 2022 21:12:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3ztW5zz/gm37ytNNW4m+B0DcYLUQE2HeMlhP1Cd7YIc=; b=eZOpyaz8ouH25/BhGNtpduANA9JAw52pdzn/fFmHAXviuJicxKw2KcPhZ/NL7wGYl+ acAW2tDFhHAOmb1UBjBx4oAnWe9O9V09YlMmCfNK3tSK+N25P9pIGl/mctSWJvwQ5gGe i+rY3tdJYGg3WTLf3uQRDiEkdWv9XtrmQJTLe+dEYjGfSLSuwV++lrh5SGwq7y2ROhSp ddiUcSgXPWvdmEyYgllA3f8+Gf49zJioPKY7Ox1Vn6XWeQ2sWvzavZhYmgC5U3G/ekK4 edsO2HAnOG3h1MafcjuqQohEWBqYxQeM8WgD/W4EI3U4FJ8pQty+KoK2irVhSQAQqi/W wgJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3ztW5zz/gm37ytNNW4m+B0DcYLUQE2HeMlhP1Cd7YIc=; b=UIXgaCvtbxgTf6nryAQDzfyLCy4I9+SB+7XgZ175FBHkKr7G7Xf+JVF1FXeuXp4Yw5 4rAjWfVF82yaD2laOnxNJK8ed76slezktAT0dxWa7HYjSZvjiBd724DD2UHhEl4AXJwD rKjiKXOizdBJZjLddKqn1Sx6HiXLpzddXmgOcFomOLFrGHIQyHcygMCCNBvDAd4iruXa wxDo7mCzAoa4k854uZwxiGUZxwuG6Cg2/+hWJXHXlIhjAavEd2q8mpJ3zKrOV3rqC26a nMDObQlUp4mNna+Epz8VlCc75oCKqBitzRtSgmpJNNhnbyfoXQAI6MCBkMh9g6F051IM QmWg==
X-Gm-Message-State: AOAM531mHyCChqlBb3o4axNz7XVEx1Iu1XWtvo22RQK4ZJkrAXQJh3LI tGrJxko00gJLEo6+tEyRbk+JE++TkRXvoa2XY582vJzp17aNvg==
X-Google-Smtp-Source: ABdhPJwvwblCipQBF5XeWcZdQaguAGsZWRovYkKSX6JSpmFOGT2JJo1yPei0nmhCzVdtfImPevLm8824sA2aSKL/V58=
X-Received: by 2002:aa7:88ce:0:b0:4f7:3d67:b09f with SMTP id k14-20020aa788ce000000b004f73d67b09fmr4630335pff.41.1646802746259; Tue, 08 Mar 2022 21:12:26 -0800 (PST)
MIME-Version: 1.0
References: <164668869128.9050.17922186658317778247@ietfa.amsl.com> <36d847dc-4a1d-a5a-ad25-afb5a73d1122@nohats.ca>
In-Reply-To: <36d847dc-4a1d-a5a-ad25-afb5a73d1122@nohats.ca>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 09 Mar 2022 00:12:14 -0500
Message-ID: <CAHPuVdVpH_H9B487HgBypVQ8xFMXNsOiGopkSO6yM5BTjc-G9w@mail.gmail.com>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b4be5105d9c22402"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/92YSq3nihxA26dypnorJgDvpWVI>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2022 05:12:32 -0000

On Tue, Mar 8, 2022 at 1:04 PM Paul Wouters <paul.wouters=
40aiven.io@dmarc.ietf.org> wrote:

> On Mon, 7 Mar 2022, internet-drafts@ietf.org wrote:
>
> > Subject: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
>
> This document looks good. Some comments:
>
>     In fact, the Extensible Provisioning
>     Protocol (EPP) [RFC5731], that is often used by TLDs to configure
>     delegation parameters has no provision to set the TTL.  This inhibits
>     a child zone owner's ability to make more rapid changes
>
> This is somewhat misleading. Even if EPP had the functionality, the
> parent zone would still want to set their own TTL to reasonable values
> for _their_ dpeloyment considerations. So the implication of the problem
> of "EPP cannot set TTL" is not really right. I would remove this text.
>

The first sentence is fact. I agree, the 2nd sentence here is probably a
bit misleading. A hypothetical EPP TTL extension alone would not suffice;
we'd need some cooperation from the TLD operator. I think our point was that
TLD policies willing, it could have allowed registrants to configure values
more reasonable for their operations as compared to the inflexibly
large and unchangeable 1 to 2 day TTLs currently on offer at many TLDs.
Let me ponder and see if I can reword this a bit.


>     Resolvers should record the TTL of the
>     parent's delegating NS RRset, and use it to trigger a revalidation
>     action.
>
> Should that "should" be a SHOULD ?
>

Yeah, I think we probably need to make another pass through
the doc and use RFC 2119 keywords throughout.

>
>     When a delegation response is received during iteration, a
>     validation query should be sent in parallel with the resolution of
>     the triggering query
>
> Same here?
>
>     Some resolvers may choose to delay the response
>
> And here for the MAY ?
>

Ditto.


>     In practice, we expect many implementations
>     may answer the triggering query in advance of the validation query
>     for performance reasons.
>
> This deserves a mention of being incorrect/unsafe for bypassing DNSSEC
> security on the NS RRset. In fact, above it is reasoned that iterator
> has to wait on the DNSKEY RRset anyway, so there is no "performance
> reason" unless there is no DS record at the parent.
>

Well, we could mention that caveat, but this would be at least no
worse than before NS Revalidation. Eventually, the resolver will get
the signed NS RRset, so I think it's tolerable. The other reason is to
deal with zones that don't respond to NS queries (it's possible that
no such zones exist that are signed, but I wouldn't be surprised if
there are).

    A delegation under re-validation is called a "re-validation point"
>     and is "still valid" if its parent zone's servers still respond to an
>     in-zone question with a referral to the re-validation point, and if
>     that referral overlaps with the previously cached referral by at
>     least one name server name, and the DS RRset (if seen) overlaps the
>     previously cached DS RRset (if also seen) by at least one delegated
>     signer.
>
> This paragraph, from an implemeter's point of view, is super dense. It
> might be worth splitting this one sentence into multiple ones.
>

Yeah, this is Paul V's re-worked text regarding revalidation, so I'll
defer to him. Feel free to suggest specific rewording though.


>     If the response is not a referral or refers to a different zone than
>     before
>
> What is "different zone" here? Does it mean to say "different NS RRset"
> or "new NS RRset with zero overlap of the cached version" ? I am not
> sure what from a nameserver point of view it can tell "a different
> zone".
>

I think a referral to a different zone (the owner of the NS rrset) from the
same parent along the same path, e.g. c.b.a.com vs b.a.com.


>     but to a wholly novel NS RRset or a wholly novel DS RRset
>
> Please use a different word from "novel". Maybe "disjoint NS RRset" ?
>
>
>     If the corresponding child zone's apex NS RRset TTL is
>     smaller than the delegating NS RRset TTL, revalidation should happen
>     at that interval instead.
>
> Doesn't this conflict earlier text that stated to remember the parental
> NS glue TTL and only requery the parental NS RRset when its TTL is up?
> What is the reason for this sentence? It seems logical to me to stick
> with requerying the child zone for its NS RRset orthogonally from the
> parent NS RRset requery TTL.
>

See the detailed rationale in section 2.

This is to satisfy the 2nd goal of the draft. In addition to making sure
revalidation happens no longer than the delegating TTL to facilitate
timely detection of re-delegation and takedown, we want the child
zone operator to be able to dictate a smaller TTL if they need to, to
allow them to make nameserver configuration changes more rapidly
visible to resolvers.

Should the document mention anything for the case of refreshing before
> expiration? Eg to keep a hot cache, to requery items that are still
> being queried for before their TTL hits? If this feature is supported,
> how should it work with the parent/child TTLs?
>

Pre-fetching? That is worth discussing. Although, it'd be nice if the
details of that mechanism had already been published first. Is anyone
working on reviving/publishing draft-wkumari-dnsop-hammer ? Warren?

Shumon.

v2.23.0 | Report a Bug | By Email