Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
Paul Wouters <paul.wouters@aiven.io> Tue, 08 March 2022 17:20 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B01C3A112A for <dnsop@ietfa.amsl.com>; Tue, 8 Mar 2022 09:20:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pdg-OvPQIcL0 for <dnsop@ietfa.amsl.com>; Tue, 8 Mar 2022 09:20:16 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2C823A175F for <dnsop@ietf.org>; Tue, 8 Mar 2022 09:20:01 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id b24so2790989edu.10 for <dnsop@ietf.org>; Tue, 08 Mar 2022 09:20:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:subject:in-reply-to:message-id:references:mime-version; bh=HZ62pKzIvnAjEMm8oLbTV5EU7GIOKrmSysrNqCADeYs=; b=osxty0UBGk/omlCmoo3evzW69k5/Jl+2glQn/aniz/nT41MyFJmHRlUYC6AcZGurzU IFzBXCmCRnrW5pCWg7BY43cx9rFvz9xk9T6TCooAaMf/atRG2G0lxuJSVC3NjeMZyd5R Lv1x+QbIFbf2GG6EtPzmHf0TuyGurYshU41Qo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:subject:in-reply-to:message-id :references:mime-version; bh=HZ62pKzIvnAjEMm8oLbTV5EU7GIOKrmSysrNqCADeYs=; b=WkBi5LIdOdf/7SPkEvBpF0wnnxuTqrrNPPGyGQpMzE/F7U9mtk2ap0akQAuYpSxK0k RgwdtbQ6xNFkKfor7Ox4ciArSrNtzsXHchloPNO0Q+TmZScQQtDVdfGv9E6MMzsrs6JN wyErPMUO8rEvRcJlTqp0EKhV06aTPKlVdTYUkako7tF8QrFKNsVBd9blZkkFUXkAS9u+ O7IgivdA0slYRbJC6yCLaKMXUvol0LWgXghpmaJyQG7wQpMkKZ9SypHoJ/TUFHqn9jq6 I1ESBJcFJNZMyh1iKxLoHvG7anU6UVq+PVLXBdAvKLjzE11LIqF2B1NXK5opAOM2bP01 G6xQ==
X-Gm-Message-State: AOAM532yPDXMCo3I5pxe6tCVOft8BuSLDe0WmVNJZpSu+fO8d7JjcDS/ RJilckWrnB1DQXiGeXlF1CyoeyWXQ94AJtAkshAaxQWv9dsVxLlkJfh67OYrL4F/snd7mAUgdJW qA2J8diM4TD2Ow9KhPSg0IVTBlD5oLgZCTwbO6dHTes0//wRH2vIqmwfVfO9m2qCOykM=
X-Google-Smtp-Source: ABdhPJyMvImTQbBZqk8E/Dy0ep0pZ+pmRFgPje9Q2c+uhSWSUUd5WUFRMX0K2NZK810qF1EazB7UNQ==
X-Received: by 2002:a05:6402:79a:b0:415:fb66:fb5e with SMTP id d26-20020a056402079a00b00415fb66fb5emr17380787edy.386.1646759999498; Tue, 08 Mar 2022 09:19:59 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id r19-20020a17090638d300b006d6e4fc047bsm6201588ejd.11.2022.03.08.09.19.58 for <dnsop@ietf.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Mar 2022 09:19:59 -0800 (PST)
Date: Tue, 08 Mar 2022 12:19:56 -0500
From: Paul Wouters <paul.wouters@aiven.io>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <164668869128.9050.17922186658317778247@ietfa.amsl.com>
Message-ID: <36d847dc-4a1d-a5a-ad25-afb5a73d1122@nohats.ca>
References: <164668869128.9050.17922186658317778247@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FlFSDzfuX5NADJvoR7AQgHpxKCk>
X-Mailman-Approved-At: Tue, 08 Mar 2022 10:03:58 -0800
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2022 17:20:21 -0000
On Mon, 7 Mar 2022, internet-drafts@ietf.org wrote: > Subject: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt This document looks good. Some comments: In fact, the Extensible Provisioning Protocol (EPP) [RFC5731], that is often used by TLDs to configure delegation parameters has no provision to set the TTL. This inhibits a child zone owner's ability to make more rapid changes This is somewhat misleading. Even if EPP had the functionality, the parent zone would still want to set their own TTL to reasonable values for _their_ dpeloyment considerations. So the implication of the problem of "EPP cannot set TTL" is not really right. I would remove this text. Resolvers should record the TTL of the parent's delegating NS RRset, and use it to trigger a revalidation action. Should that "should" be a SHOULD ? When a delegation response is received during iteration, a validation query should be sent in parallel with the resolution of the triggering query Same here? Some resolvers may choose to delay the response And here for the MAY ? In practice, we expect many implementations may answer the triggering query in advance of the validation query for performance reasons. This deserves a mention of being incorrect/unsafe for bypassing DNSSEC security on the NS RRset. In fact, above it is reasoned that iterator has to wait on the DNSKEY RRset anyway, so there is no "performance reason" unless there is no DS record at the parent. A delegation under re-validation is called a "re-validation point" and is "still valid" if its parent zone's servers still respond to an in-zone question with a referral to the re-validation point, and if that referral overlaps with the previously cached referral by at least one name server name, and the DS RRset (if seen) overlaps the previously cached DS RRset (if also seen) by at least one delegated signer. This paragraph, from an implemeter's point of view, is super dense. It might be worth splitting this one sentence into multiple ones. If the response is not a referral or refers to a different zone than before What is "different zone" here? Does it mean to say "different NS RRset" or "new NS RRset with zero overlap of the cached version" ? I am not sure what from a nameserver point of view it can tell "a different zone". but to a wholly novel NS RRset or a wholly novel DS RRset Please use a different word from "novel". Maybe "disjoint NS RRset" ? If the corresponding child zone's apex NS RRset TTL is smaller than the delegating NS RRset TTL, revalidation should happen at that interval instead. Doesn't this conflict earlier text that stated to remember the parental NS glue TTL and only requery the parental NS RRset when its TTL is up? What is the reason for this sentence? It seems logical to me to stick with requerying the child zone for its NS RRset orthogonally from the parent NS RRset requery TTL. Should the document mention anything for the case of refreshing before expiration? Eg to keep a hot cache, to requery items that are still being queried for before their TTL hits? If this feature is supported, how should it work with the parent/child TTLs? Paul
- [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidat… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Joe Abley
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Hugo Salgado
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Hugo Salgado