IETF Logo Mail Archive

Re: [DNSOP] New draft on delegation revalidation

Gavin McCullagh <gmccullagh@gmail.com> Sat, 30 May 2020 17:13 UTC

Return-Path: <gmccullagh@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC8043A0893 for <dnsop@ietfa.amsl.com>; Sat, 30 May 2020 10:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qnnmM_ZxpddB for <dnsop@ietfa.amsl.com>; Sat, 30 May 2020 10:13:22 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03B5B3A0891 for <dnsop@ietf.org>; Sat, 30 May 2020 10:13:22 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id h10so2675885iob.10 for <dnsop@ietf.org>; Sat, 30 May 2020 10:13:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KKF5tsQOUhYaJh5rELD6s5G++b94qicwlvXaJezyCnI=; b=hBL3HddpGELfXWC12lE4KLyjUwW0LP4rGs8W+yhztxQ1FY+iyNoHGCMT6DFs+Y5Q2b e4yqpUyAWkv4LczDK+doCkuL2/8FTrVXpjQ/Okodi4ARKJwiYluRfK6X8+GNlwgH3CTq Um0EWknGetbFMEQGOhIbfMqno4uHH9VgaV8WGITTbZIejyySFYwxN0tqOsBLQTQ0heEc Umr5J6RONEFuiAHbp9/+bugybWAkvjyvHG8reKJsMKJ7wtvu4EE+EPZJAYYPXDs6TqrX PcmpiafUvKsrpqPpjls2Nj28M/2l7wacMdZ27f3Qgg7M2RVAH8v4wXHl5rFrxV943JvL Ibzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KKF5tsQOUhYaJh5rELD6s5G++b94qicwlvXaJezyCnI=; b=qGM0ceFO9NXKFe6mvBFMdpS+ysUnbuk7a/3G9rok//mYOri03PB2Pk6jLIJdZ8FlGL 1/UrsHMU9WtFCPoRwlDHgfJhgKtOEvd46WaVr0wGK3hS49R+HH0MCu9rV7jGXilPNI5C YVIMQL0F1q2QW9552CttNYKS2CIt/l0064XqsPbau9qUFgttEOkMOQnNh9RI3Jj24q0C 1mNMAFSxLZKDFVvlarb+YJY4g5xcafRPB6ZaSqWOguWIr1ZUfVzpmWvTqPOzStoquhiP wG9zeqqXvdQvVCZISmJaXJlTBySdydRb0t3vnLoIwYjdNszn7HEEdEUGnclYABCZU6PK wVbA==
X-Gm-Message-State: AOAM530bwmIEPO0DP3wqqgGViODanZlfpFpSv5gyyARck4EDdoUS9Dtm Y25wlK/dnY7/8Bk1BB6yREMBHc+j1Rs6Q3p7UnM=
X-Google-Smtp-Source: ABdhPJzyCcQgOvqxt2kxKXHVnW2T649h3EWXls566tqXRyqC5TSyNJwFGYszD9CAjfFhDDEilYo5y8Ms0jgSEk5wO3E=
X-Received: by 2002:a02:2c6:: with SMTP id 189mr13478342jau.115.1590858801277; Sat, 30 May 2020 10:13:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CAHPuVdX29yLG4VFMLq8ad7wgq2N-L=FfG=f-eBd2F6aP_q6CCg@mail.gmail.com> <0f92991e-991a-f497-9b75-cf924512b0ba@nic.cz> <33141878.RIuage5OGR@linux-9daj>
In-Reply-To: <33141878.RIuage5OGR@linux-9daj>
From: Gavin McCullagh <gmccullagh@gmail.com>
Date: Sat, 30 May 2020 10:13:10 -0700
Message-ID: <CAHQ5LGrmE0ErSe1dNW1HJptc37izfdhpvU+gT_egZ6P1v4+ksg@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Shumon Huque <shuque@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bcf0e205a6e0ad1a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H9RxUwzd5vZ4Kj_rFJ_xbqGMNgg>
Subject: Re: [DNSOP] New draft on delegation revalidation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 May 2020 17:13:25 -0000

Hi,

On Thu, May 28, 2020 at 8:56 AM Paul Vixie <paul@redbarn.org> wrote:

> On Thursday, 28 May 2020 14:38:11 UTC Petr Špaček wrote:
> > On 25. 05. 20 5:23, Shumon Huque wrote:
> > > ...
> > >     Most importantly:
> > >     - Does the NS affect maximum TTL of _other_ data in the zone?
> > >
> > > I think there are probably different views on what should happen here.
> > > Folks who want very prompt takedown of "bad" domains, will probably
> > > prefer a complete pruning of the cache at the delegation point at the
> > > revalidation interval, if the NS set has changed or disappeared. ...
>

Those last few words seem very critical.  "If the NS set has changed or
disappeared".


> > E.g. if NS TTL was short (say 30 s) and it was used as cap on TTL of all
> > other records in the zone, then each resolver instance would clear zone
> > from its cache each 30 seconds. That might cause interesting behavior
> when
> > NS TTL is shortened e.g. before NS set change etc.
> >
> > I do not know if there really is a problem, I'm just trying to explain
> why
> > potential for thundering herd needs to be be seriously analyzed.
>

I think Petr's point might be that someone could interpret the draft
(perhaps especially the simple mechanism) to mean that the NS TTL becomes
an effective cap on the TTL of all records below the zone cut even where
the NS set has not changed.

If lowering a delegating NS TTL to 300 for a very large zone (or one high
up the tree) meant a lot of resolvers might expire every record below the
zone cut every 300 seconds (even unsynchronized), then it seems like
lowering that TTL could produce a thundering herd.   I think the intent of
the draft and Shumon's quote above are that a resolver should only expire
cached subdomain records when the delegating NS changes.   Would it be
useful to be explicit about that?

I imagine even the NS revalidation means that if an operator lowers a
delegating NS TTL to e.g. 300 in advance of a change in order to "make that
change visible to resolvers reasonably quickly", they might well see a 300
second long period of thunder immediately after the change while every
resolver's cache expires that part of the tree and then fills it back up.

One minor other question:

      To revalidate a delegation, the iterative caching DNS resolver
      will forward the query that triggered revalidation to the
      nameservers at the closest enclosing zone cut above the
      revalidation point.

Does "the query that triggered revalidation" refer to the original client
query which had RD=1?  If so, does this fit with qname minimization?

Gavin

v2.23.0 | Report a Bug | By Email