IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt

Paul Wouters <paul.wouters@aiven.io> Wed, 09 March 2022 13:33 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F19C3A1124 for <dnsop@ietfa.amsl.com>; Wed, 9 Mar 2022 05:33:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxuxiL37YFPa for <dnsop@ietfa.amsl.com>; Wed, 9 Mar 2022 05:32:56 -0800 (PST)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 948A73A0C3D for <dnsop@ietf.org>; Wed, 9 Mar 2022 05:32:56 -0800 (PST)
Received: by mail-ej1-x630.google.com with SMTP id p15so5027721ejc.7 for <dnsop@ietf.org>; Wed, 09 Mar 2022 05:32:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=5WAAVlAJ8VuqxGhaRcGYdD8lcajgf2e9xUwHHFw3InM=; b=gDldD6+/5Xja65+0+6Z3rQvG1z5awUMhnGqz4i2fHnTBrBrHj8GW4jdANoRa2i+Hos Al7PKzxGYr20n4q6CLTDzZjRur7hH1Oxy2Wm073lCOu+oB7lOAPhuPfE8iGl+LmyTV5F VaKp+dHg+woiTb9Zy63hMteCJ3lmm9vHIZWRg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=5WAAVlAJ8VuqxGhaRcGYdD8lcajgf2e9xUwHHFw3InM=; b=Ylxo6WJJ+Zipy/Cjv2Lq89C7wAFRptm+OboIX17JnaVIuUsZhfx0WbaV4/gEpq6JPy WOc60g0m1VIFS370Pr+oyIpgGnSs6+nl0BWXaascgIeRAT7NmOy3clTHxXR0vi1B9+1G /Cjln/Yh08xelJiC03spNvTzPTHUOtA+JGSMRioRt0Nfg24f2fD3CHt+1+Hy67Yi/CxE vpv0fDHCAQR8mdTegRpqNRJqvEXm047IMMH4GzBF6y+wiaLGbrFqaMQ7lM0PJsjwr435 LY3DSAQ96w1wzwZtQJn/8jiA5mCZrxxQMZJ04gsud0/aQo4VuMxi9S+vYUEwVYlErP3I TczA==
X-Gm-Message-State: AOAM5333+5vT0kuDzqGeRb5djRXtJCE6oUrQrYy26SFeSZW8bM+lKxKv C7EkCTPPWcnOsJB+5pOn1dPyDg4X3tpSAsn7DG4=
X-Google-Smtp-Source: ABdhPJwoPxP30+7wgArTSlUrcbe2hF5CUEA4VIOnsIAD66uQV+dGac6QQs9dYvIKOjCCE9sk2+XY4Q==
X-Received: by 2002:a17:906:26da:b0:6d6:da2e:d338 with SMTP id u26-20020a17090626da00b006d6da2ed338mr17482098ejc.700.1646832774314; Wed, 09 Mar 2022 05:32:54 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id bx1-20020a0564020b4100b00410f01a91f0sm844222edb.73.2022.03.09.05.32.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Mar 2022 05:32:53 -0800 (PST)
Date: Wed, 09 Mar 2022 08:32:51 -0500
From: Paul Wouters <paul.wouters@aiven.io>
To: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>
cc: Shumon Huque <shuque@gmail.com>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
In-Reply-To: <ec259cc9-1252-d3e5-7570-860152525375@redbarn.org>
Message-ID: <99513b94-89e1-b662-4be4-6e6113e454c0@nohats.ca>
References: <164668869128.9050.17922186658317778247@ietfa.amsl.com> <36d847dc-4a1d-a5a-ad25-afb5a73d1122@nohats.ca> <CAHPuVdVpH_H9B487HgBypVQ8xFMXNsOiGopkSO6yM5BTjc-G9w@mail.gmail.com> <ec259cc9-1252-d3e5-7570-860152525375@redbarn.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1858192029-1502498853-1646832773=:81365"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/A5CGyjBVuqRtENyB7FsBvv1Rnys>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2022 13:33:02 -0000

On Wed, 9 Mar 2022, Paul Vixie wrote:

>>  Yeah, this is Paul V's re-worked text regarding revalidation, so I'll
>>  defer to him. Feel free to suggest specific rewording though.
>
> huh. i think the problem is that this paragraph is only one sentence long. my 
> high school english teachers would have berated me, and others are welcome to 
> do so now.

If you like these long sentences, I suggest learning German :)

> <<A delegation under re-validation is called a "re-validation point". To be 
> considered "still valid", the ancestor zone whose authority servers offered 
> the referral response that gave rise to the re-validation point must still 
> offer a compatible referral response if queried again for a name considered 
> to be in-bailiwick (a "re-validation query"). To be considered compatible, 
> the NS RRset of re-validation response must overlap with the previously 
> cached referral response by at least one name server name, and if a DS RRset 
> is given, it must overlap with the previously cached referral response by at 
> least one delegated signer. For avoidance of doubt, this means a change in 
> referral from signed to unsigned or from unsigned to signed signals a 
> delegation change for the purposes of this specification, even if the NS 
> RRset is unchanged.>>
>
> let me know if this isn't an improvement, or if more improvement is needed.

That's much better, thanks.

>>           but to a wholly novel NS RRset or a wholly novel DS RRset
>>
>>      Please use a different word from "novel". Maybe "disjoint NS RRset" ?
>
> ok by me.

Good.

>>      Should the document mention anything for the case of refreshing before
>>      expiration? Eg to keep a hot cache, to requery items that are still
>>      being queried for before their TTL hits? If this feature is supported,
>>      how should it work with the parent/child TTLs?
>>
>>  Pre-fetching? That is worth discussing. Although, it'd be nice if the
>>  details of that mechanism had already been published first. Is anyone
>>  working on reviving/publishing draft-wkumari-dnsop-hammer ? Warren?
> pre-fetching is a degenerate case of re-appearance. sometimes an NS RRset 
> will be transmitted without having been solicited with qtype=NS. these are 
> not delegations and should not reset the re-validation timers. we might want 
> to point that out in the specification being discussed in this thread. 
> (shumon?)

okay.

> if a formal specification for "pre-fetching" some day exists and recognizes 
> that some zones do not answer qtype=NS and that the only way to learn about 
> delegation points from them is to ask a question that solicits a referral, 
> and recommends that this be done when "pre-fetching" NS RRsets otherwise due 
> to expire, then it is that specification's burden to explain how this would 
> relate to re-validation timers from the (earlier) specification we're 
> discussing in this thread.

Agree.


Thanks for addressing my items,

Paul

v2.23.0 | Report a Bug | By Email