Re: [DNSOP] New draft on delegation revalidation
Gavin McCullagh <gmccullagh@gmail.com> Sat, 30 May 2020 17:13 UTC
Return-Path: <gmccullagh@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC8043A0893 for <dnsop@ietfa.amsl.com>; Sat, 30 May 2020 10:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qnnmM_ZxpddB for <dnsop@ietfa.amsl.com>; Sat, 30 May 2020 10:13:22 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03B5B3A0891 for <dnsop@ietf.org>; Sat, 30 May 2020 10:13:22 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id h10so2675885iob.10 for <dnsop@ietf.org>; Sat, 30 May 2020 10:13:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KKF5tsQOUhYaJh5rELD6s5G++b94qicwlvXaJezyCnI=; b=hBL3HddpGELfXWC12lE4KLyjUwW0LP4rGs8W+yhztxQ1FY+iyNoHGCMT6DFs+Y5Q2b e4yqpUyAWkv4LczDK+doCkuL2/8FTrVXpjQ/Okodi4ARKJwiYluRfK6X8+GNlwgH3CTq Um0EWknGetbFMEQGOhIbfMqno4uHH9VgaV8WGITTbZIejyySFYwxN0tqOsBLQTQ0heEc Umr5J6RONEFuiAHbp9/+bugybWAkvjyvHG8reKJsMKJ7wtvu4EE+EPZJAYYPXDs6TqrX PcmpiafUvKsrpqPpjls2Nj28M/2l7wacMdZ27f3Qgg7M2RVAH8v4wXHl5rFrxV943JvL Ibzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KKF5tsQOUhYaJh5rELD6s5G++b94qicwlvXaJezyCnI=; b=qGM0ceFO9NXKFe6mvBFMdpS+ysUnbuk7a/3G9rok//mYOri03PB2Pk6jLIJdZ8FlGL 1/UrsHMU9WtFCPoRwlDHgfJhgKtOEvd46WaVr0wGK3hS49R+HH0MCu9rV7jGXilPNI5C YVIMQL0F1q2QW9552CttNYKS2CIt/l0064XqsPbau9qUFgttEOkMOQnNh9RI3Jj24q0C 1mNMAFSxLZKDFVvlarb+YJY4g5xcafRPB6ZaSqWOguWIr1ZUfVzpmWvTqPOzStoquhiP wG9zeqqXvdQvVCZISmJaXJlTBySdydRb0t3vnLoIwYjdNszn7HEEdEUGnclYABCZU6PK wVbA==
X-Gm-Message-State: AOAM530bwmIEPO0DP3wqqgGViODanZlfpFpSv5gyyARck4EDdoUS9Dtm Y25wlK/dnY7/8Bk1BB6yREMBHc+j1Rs6Q3p7UnM=
X-Google-Smtp-Source: ABdhPJzyCcQgOvqxt2kxKXHVnW2T649h3EWXls566tqXRyqC5TSyNJwFGYszD9CAjfFhDDEilYo5y8Ms0jgSEk5wO3E=
X-Received: by 2002:a02:2c6:: with SMTP id 189mr13478342jau.115.1590858801277; Sat, 30 May 2020 10:13:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CAHPuVdX29yLG4VFMLq8ad7wgq2N-L=FfG=f-eBd2F6aP_q6CCg@mail.gmail.com> <0f92991e-991a-f497-9b75-cf924512b0ba@nic.cz> <33141878.RIuage5OGR@linux-9daj>
In-Reply-To: <33141878.RIuage5OGR@linux-9daj>
From: Gavin McCullagh <gmccullagh@gmail.com>
Date: Sat, 30 May 2020 10:13:10 -0700
Message-ID: <CAHQ5LGrmE0ErSe1dNW1HJptc37izfdhpvU+gT_egZ6P1v4+ksg@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Shumon Huque <shuque@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bcf0e205a6e0ad1a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H9RxUwzd5vZ4Kj_rFJ_xbqGMNgg>
Subject: Re: [DNSOP] New draft on delegation revalidation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 May 2020 17:13:25 -0000
Hi, On Thu, May 28, 2020 at 8:56 AM Paul Vixie <paul@redbarn.org> wrote: > On Thursday, 28 May 2020 14:38:11 UTC Petr Špaček wrote: > > On 25. 05. 20 5:23, Shumon Huque wrote: > > > ... > > > Most importantly: > > > - Does the NS affect maximum TTL of _other_ data in the zone? > > > > > > I think there are probably different views on what should happen here. > > > Folks who want very prompt takedown of "bad" domains, will probably > > > prefer a complete pruning of the cache at the delegation point at the > > > revalidation interval, if the NS set has changed or disappeared. ... > Those last few words seem very critical. "If the NS set has changed or disappeared". > > E.g. if NS TTL was short (say 30 s) and it was used as cap on TTL of all > > other records in the zone, then each resolver instance would clear zone > > from its cache each 30 seconds. That might cause interesting behavior > when > > NS TTL is shortened e.g. before NS set change etc. > > > > I do not know if there really is a problem, I'm just trying to explain > why > > potential for thundering herd needs to be be seriously analyzed. > I think Petr's point might be that someone could interpret the draft (perhaps especially the simple mechanism) to mean that the NS TTL becomes an effective cap on the TTL of all records below the zone cut even where the NS set has not changed. If lowering a delegating NS TTL to 300 for a very large zone (or one high up the tree) meant a lot of resolvers might expire every record below the zone cut every 300 seconds (even unsynchronized), then it seems like lowering that TTL could produce a thundering herd. I think the intent of the draft and Shumon's quote above are that a resolver should only expire cached subdomain records when the delegating NS changes. Would it be useful to be explicit about that? I imagine even the NS revalidation means that if an operator lowers a delegating NS TTL to e.g. 300 in advance of a change in order to "make that change visible to resolvers reasonably quickly", they might well see a 300 second long period of thunder immediately after the change while every resolver's cache expires that part of the tree and then fills it back up. One minor other question: To revalidate a delegation, the iterative caching DNS resolver will forward the query that triggered revalidation to the nameservers at the closest enclosing zone cut above the revalidation point. Does "the query that triggered revalidation" refer to the original client query which had RD=1? If so, does this fit with qname minimization? Gavin
- Re: [DNSOP] New draft on delegation revalidation Mark Andrews
- [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Bob Harold
- Re: [DNSOP] New draft on delegation revalidation Tim Wicinski
- Re: [DNSOP] New draft on delegation revalidation Brian Dickson
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
- Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation John Levine
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Puneet Sood
- Re: [DNSOP] New draft on delegation revalidation Ólafur Guðmundsson
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation John R Levine
- Re: [DNSOP] New draft on delegation revalidation Bob Harold
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Joe Abley
- Re: [DNSOP] New draft on delegation revalidation Vladimír Čunát
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Vladimír Čunát
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Masataka Ohta
- Re: [DNSOP] Privacy and DNSSEC Vittorio Bertola
- Re: [DNSOP] New draft on delegation revalidation Joe Abley
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- [DNSOP] Client Validation - filtering validation? Brian Dickson
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Mark Andrews
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] Client Validation - filtering validat… Vittorio Bertola
- Re: [DNSOP] Client Validation - filtering validat… Paul Wouters
- Re: [DNSOP] Client Validation - filtering validat… S Moonesamy
- Re: [DNSOP] Client Validation - filtering validat… John Levine
- Re: [DNSOP] Client Validation - filtering validat… Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Paul Wouters
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Daniel Migault
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Daniel Migault
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Petr Špaček
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Petr Špaček
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie