IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt

Paul Wouters <paul.wouters@aiven.io> Tue, 08 March 2022 17:20 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B01C3A112A for <dnsop@ietfa.amsl.com>; Tue, 8 Mar 2022 09:20:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pdg-OvPQIcL0 for <dnsop@ietfa.amsl.com>; Tue, 8 Mar 2022 09:20:16 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2C823A175F for <dnsop@ietf.org>; Tue, 8 Mar 2022 09:20:01 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id b24so2790989edu.10 for <dnsop@ietf.org>; Tue, 08 Mar 2022 09:20:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:subject:in-reply-to:message-id:references:mime-version; bh=HZ62pKzIvnAjEMm8oLbTV5EU7GIOKrmSysrNqCADeYs=; b=osxty0UBGk/omlCmoo3evzW69k5/Jl+2glQn/aniz/nT41MyFJmHRlUYC6AcZGurzU IFzBXCmCRnrW5pCWg7BY43cx9rFvz9xk9T6TCooAaMf/atRG2G0lxuJSVC3NjeMZyd5R Lv1x+QbIFbf2GG6EtPzmHf0TuyGurYshU41Qo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:subject:in-reply-to:message-id :references:mime-version; bh=HZ62pKzIvnAjEMm8oLbTV5EU7GIOKrmSysrNqCADeYs=; b=WkBi5LIdOdf/7SPkEvBpF0wnnxuTqrrNPPGyGQpMzE/F7U9mtk2ap0akQAuYpSxK0k RgwdtbQ6xNFkKfor7Ox4ciArSrNtzsXHchloPNO0Q+TmZScQQtDVdfGv9E6MMzsrs6JN wyErPMUO8rEvRcJlTqp0EKhV06aTPKlVdTYUkako7tF8QrFKNsVBd9blZkkFUXkAS9u+ O7IgivdA0slYRbJC6yCLaKMXUvol0LWgXghpmaJyQG7wQpMkKZ9SypHoJ/TUFHqn9jq6 I1ESBJcFJNZMyh1iKxLoHvG7anU6UVq+PVLXBdAvKLjzE11LIqF2B1NXK5opAOM2bP01 G6xQ==
X-Gm-Message-State: AOAM532yPDXMCo3I5pxe6tCVOft8BuSLDe0WmVNJZpSu+fO8d7JjcDS/ RJilckWrnB1DQXiGeXlF1CyoeyWXQ94AJtAkshAaxQWv9dsVxLlkJfh67OYrL4F/snd7mAUgdJW qA2J8diM4TD2Ow9KhPSg0IVTBlD5oLgZCTwbO6dHTes0//wRH2vIqmwfVfO9m2qCOykM=
X-Google-Smtp-Source: ABdhPJyMvImTQbBZqk8E/Dy0ep0pZ+pmRFgPje9Q2c+uhSWSUUd5WUFRMX0K2NZK810qF1EazB7UNQ==
X-Received: by 2002:a05:6402:79a:b0:415:fb66:fb5e with SMTP id d26-20020a056402079a00b00415fb66fb5emr17380787edy.386.1646759999498; Tue, 08 Mar 2022 09:19:59 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id r19-20020a17090638d300b006d6e4fc047bsm6201588ejd.11.2022.03.08.09.19.58 for <dnsop@ietf.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Mar 2022 09:19:59 -0800 (PST)
Date: Tue, 08 Mar 2022 12:19:56 -0500
From: Paul Wouters <paul.wouters@aiven.io>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <164668869128.9050.17922186658317778247@ietfa.amsl.com>
Message-ID: <36d847dc-4a1d-a5a-ad25-afb5a73d1122@nohats.ca>
References: <164668869128.9050.17922186658317778247@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FlFSDzfuX5NADJvoR7AQgHpxKCk>
X-Mailman-Approved-At: Tue, 08 Mar 2022 10:03:58 -0800
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2022 17:20:21 -0000

On Mon, 7 Mar 2022, internet-drafts@ietf.org wrote:

> Subject: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt

This document looks good. Some comments:

    In fact, the Extensible Provisioning
    Protocol (EPP) [RFC5731], that is often used by TLDs to configure
    delegation parameters has no provision to set the TTL.  This inhibits
    a child zone owner's ability to make more rapid changes

This is somewhat misleading. Even if EPP had the functionality, the
parent zone would still want to set their own TTL to reasonable values
for _their_ dpeloyment considerations. So the implication of the problem
of "EPP cannot set TTL" is not really right. I would remove this text.

    Resolvers should record the TTL of the
    parent's delegating NS RRset, and use it to trigger a revalidation
    action.

Should that "should" be a SHOULD ?

    When a delegation response is received during iteration, a
    validation query should be sent in parallel with the resolution of
    the triggering query

Same here?

    Some resolvers may choose to delay the response

And here for the MAY ?

    In practice, we expect many implementations
    may answer the triggering query in advance of the validation query
    for performance reasons.

This deserves a mention of being incorrect/unsafe for bypassing DNSSEC
security on the NS RRset. In fact, above it is reasoned that iterator
has to wait on the DNSKEY RRset anyway, so there is no "performance
reason" unless there is no DS record at the parent.

    A delegation under re-validation is called a "re-validation point"
    and is "still valid" if its parent zone's servers still respond to an
    in-zone question with a referral to the re-validation point, and if
    that referral overlaps with the previously cached referral by at
    least one name server name, and the DS RRset (if seen) overlaps the
    previously cached DS RRset (if also seen) by at least one delegated
    signer.

This paragraph, from an implemeter's point of view, is super dense. It
might be worth splitting this one sentence into multiple ones.


    If the response is not a referral or refers to a different zone than
    before

What is "different zone" here? Does it mean to say "different NS RRset"
or "new NS RRset with zero overlap of the cached version" ? I am not
sure what from a nameserver point of view it can tell "a different
zone".

    but to a wholly novel NS RRset or a wholly novel DS RRset

Please use a different word from "novel". Maybe "disjoint NS RRset" ?


    If the corresponding child zone's apex NS RRset TTL is
    smaller than the delegating NS RRset TTL, revalidation should happen
    at that interval instead.

Doesn't this conflict earlier text that stated to remember the parental
NS glue TTL and only requery the parental NS RRset when its TTL is up?
What is the reason for this sentence? It seems logical to me to stick
with requerying the child zone for its NS RRset orthogonally from the
parent NS RRset requery TTL.



Should the document mention anything for the case of refreshing before
expiration? Eg to keep a hot cache, to requery items that are still
being queried for before their TTL hits? If this feature is supported,
how should it work with the parent/child TTLs?

Paul

v2.23.0 | Report a Bug | By Email