Re: [DNSOP] Reminder: WGLC for draft-ietf-dnsop-nsec-aggressiveuse ends Tonight

"John Levine" <johnl@taugh.com> Mon, 10 October 2016 18:11 UTC

Date: 10 Oct 2016 18:10:43 -0000
Message-ID: <20161010181043.38506.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <alpine.DEB.2.11.1610101317510.31786@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HGBLTtrQLczabc38ts7dnW8kbmY>
Cc: dot@dotat.at
Subject: Re: [DNSOP] Reminder: WGLC for draft-ietf-dnsop-nsec-aggressiveuse ends Tonight

>Should we treat synthesis as if the cache is pretending to be an
>authoritative server?
>
>e.g. for wildcards and NSEC3, something like,
>
>	When synthesizing a wildcard response from its cache, the
>	validating resolver MUST include all the records specified in
>	RFC 5155 section 7.2.5 (for negative responses) or section 7.2.6
>	(for positive responses). That is, it MUST generate a response
>	that matches what an authoritative server would send. If the
>	required records are not present in the cache, the resolver SHALL
>	query upstream instead of synthesizing the response.

Yes, although it's kind of subtle.  For example, I query for a.h.g.iana.fail:

;; QUESTION SECTION:
;a.h.g.iana.fail.		IN	A

;; ANSWER SECTION:
a.h.g.iana.fail.	3510	IN	A	2.2.2.2
a.h.g.iana.fail.	3510	IN	RRSIG	A 8 4 3600 20161211000000 20161010180056 31806 iana.fail. fe7QsinhJnyAk6Zz52OO676KXryp3GDMdez38CwyiwNeEiaEzzu83h6c XHum/xbt7uYA7B5EmI/W0x6LMkpe9oAZgzj/LcbXv/BLqvUY4+iCcoW6 6UAoyPeWmSRaheRuBG5jvr/kIFqN+VGBo5Kt6pzGt+NIuIemjRcfPkz4 rIk=

;; AUTHORITY SECTION:
*.h.g.iana.fail.	7110	IN	NSEC	b.h.g.iana.fail. A RRSIG NSEC
*.h.g.iana.fail.	7110	IN	RRSIG	NSEC 8 4 7200 20161211000000 20161010180056 31806 iana.fail. iQF8nmONvtzkvDy+8QRjlRRI12+XyJ0XZG8jig/o7EJ21P/VShfE3I9W 3E+JVnkKuYg3Wg3R4tSUSLVZKxVaL/yGSTDvI0+S4RfjNaTWoeuqb+qo vAw78j2TMjevWJPA+NhYjHqc6daB3b38kn5cN3vCYmAO1OR5pn+whdqN d94=
iana.fail.		3510	IN	NS	sdn.iecc.com.
iana.fail.		3510	IN	NS	osdn.iecc.com.
iana.fail.		3510	IN	NS	light.lightlink.com.
iana.fail.		3510	IN	RRSIG	NS 8 2 3600 20161211000000 20161010180056 31806 iana.fail. I2mKwv75mSfgKf6MBkVWaXg4By9Bs8reUmnTHiBrHcY6O1hMA9XBE8Nq puyXgNured/cHlD8TcApu9FXKWw/L6gjE72eEvZ0WF5ciMGSHrPkW7va XPEXKgD0n9kVHITdFcXGSm5DfQ7j1bYb/j76GSzlxiX1cTss+V2uAXU+ wl0=

You can see that the wildcard is *.h.g.iana.fail.

But query for e.h.g.iana.fail:

;; QUESTION SECTION:
;e.h.g.iana.fail.		IN	A

;; ANSWER SECTION:
e.h.g.iana.fail.	3600	IN	A	2.2.2.2
e.h.g.iana.fail.	3600	IN	RRSIG	A 8 4 3600 20161211000000 20161010180056 31806 iana.fail. fe7QsinhJnyAk6Zz52OO676KXryp3GDMdez38CwyiwNeEiaEzzu83h6c XHum/xbt7uYA7B5EmI/W0x6LMkpe9oAZgzj/LcbXv/BLqvUY4+iCcoW6 6UAoyPeWmSRaheRuBG5jvr/kIFqN+VGBo5Kt6pzGt+NIuIemjRcfPkz4 rIk=

;; AUTHORITY SECTION:
b.h.g.iana.fail.	7061	IN	NSEC	mx.iana.fail. A RRSIG NSEC
b.h.g.iana.fail.	7061	IN	RRSIG	NSEC 8 5 7200 20161211000000 20161010180056 31806 iana.fail. hjxpHIt1tzpXePloM08h1wwzY48kBSSH+okPmkglDod2QG2oqtZaEHlt 7rNhjrdwCKcnfoj7QawpneApAciM6jpLevjg8VqCpvHHRNBwgMKPwYq1 ABiFdoMpEdc2D2+7SZ1RMCeIN+NFZtuBMBuYVWMDqvIwxAEapP9PPVXS vC8=
iana.fail.		3403	IN	NS	sdn.iecc.com.
iana.fail.		3403	IN	NS	osdn.iecc.com.
iana.fail.		3403	IN	NS	light.lightlink.com.
iana.fail.		3403	IN	RRSIG	NS 8 2 3600 20161211000000 20161010180056 31806 iana.fail. I2mKwv75mSfgKf6MBkVWaXg4By9Bs8reUmnTHiBrHcY6O1hMA9XBE8Nq puyXgNured/cHlD8TcApu9FXKWw/L6gjE72eEvZ0WF5ciMGSHrPkW7va XPEXKgD0n9kVHITdFcXGSm5DfQ7j1bYb/j76GSzlxiX1cTss+V2uAXU+ wl0=

You can see that it's synthesized from a wildcard, but you can't tell whether the wildcard was
*.iana.fail or *.g.iana.fail or *.h.g.iana.fail.

And if I query for i.g.iana.fail:

;i.g.iana.fail.			IN	A

;; ANSWER SECTION:
i.g.iana.fail.		3600	IN	A	1.1.1.1
i.g.iana.fail.		3600	IN	RRSIG	A 8 3 3600 20161211000000 20161010180056 31806 iana.fail. u3icLxUEeJ2RMuhUufrhvze8hUAEkNCKPAfVHXYlQq7D1don0l4opjI2 Sd6fxEPKcF8ah1vtCvIewFctbXQ/HH6gviKslrJekzJcX6PQccsMtygG SzAr3HyWf2HfcMfDJqW2PjP5v9teB/uR7KCWGbxYogFt+sEXu77xHhqi Kug=

;; AUTHORITY SECTION:
b.h.g.iana.fail.	6796	IN	NSEC	mx.iana.fail. A RRSIG NSEC
b.h.g.iana.fail.	6796	IN	RRSIG	NSEC 8 5 7200 20161211000000 20161010180056 31806 iana.fail. hjxpHIt1tzpXePloM08h1wwzY48kBSSH+okPmkglDod2QG2oqtZaEHlt 7rNhjrdwCKcnfoj7QawpneApAciM6jpLevjg8VqCpvHHRNBwgMKPwYq1 ABiFdoMpEdc2D2+7SZ1RMCeIN+NFZtuBMBuYVWMDqvIwxAEapP9PPVXS vC8=
iana.fail.		3138	IN	NS	sdn.iecc.com.
iana.fail.		3138	IN	NS	osdn.iecc.com.
iana.fail.		3138	IN	NS	light.lightlink.com.
iana.fail.		3138	IN	RRSIG	NS 8 2 3600 20161211000000 20161010180056 31806 iana.fail. I2mKwv75mSfgKf6MBkVWaXg4By9Bs8reUmnTHiBrHcY6O1hMA9XBE8Nq puyXgNured/cHlD8TcApu9FXKWw/L6gjE72eEvZ0WF5ciMGSHrPkW7va XPEXKgD0n9kVHITdFcXGSm5DfQ7j1bYb/j76GSzlxiX1cTss+V2uAXU+ wl0=

I get a different synthesized answer because in this case, there's one
wildcard for *.g.iana.fail and another one for *.b.g.iana.fail.

That's OK, and I believe it is straightforward for a cache to tell
what names it can synthesize and what names it can't, but it means
it'd probably be a good idea to make it clear that if there are other
names in the wildcard's range, the cache often can't synthesize
results.

R's,
John

PS: These names are real, feel free to poke at them.
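Added example (not part of John's message or of the draft): a small Python model of the decision a validating cache has to make before synthesizing a wildcard answer from cached NSEC records. The two NSEC records and the two wildcard RRsets (*.h.g.iana.fail A 2.2.2.2 and *.g.iana.fail A 1.1.1.1) are taken from the dig output above; that the cache already holds both wildcard RRsets, the cache layout, the function names and the decision rules are this example's own assumptions. It reproduces the three cases in the message, including the RRSIG Labels value (4 and 3) the synthesized answers carry, and shows the case John raises at the end: a.g.iana.fail sits below the same *.g.iana.fail wildcard, but no cached NSEC covers it, so the cache cannot tell whether a real a.g.iana.fail exists and must query upstream.

```python
"""Wildcard synthesis from a DNSSEC cache (aggressive NSEC use).

Constructed example: NSEC records and wildcard data are copied from the
dig output in the message; the cache layout, the function names and the
decision rules are this example's own, not the draft's text.
"""
from dataclasses import dataclass


def labels(name: str) -> list:
    """Labels of a fully-qualified name, root-first and lowercased, which
    is the order RFC 4034 section 6.1 canonical comparison works in."""
    name = name.rstrip(".").lower()
    return [l.encode() for l in reversed(name.split("."))] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 in canonical DNS name order: compare label by label from
    the root down; a proper ancestor sorts before all of its descendants."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_ancestor(anc: str, name: str) -> bool:
    la, ln = labels(anc), labels(name)
    return len(la) < len(ln) and ln[: len(la)] == la


def longest_common_ancestor(a: str, b: str) -> str:
    la, lb = labels(a), labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(l.decode() for l in reversed(la[:n])) + "."


@dataclass
class NSEC:
    owner: str
    next: str
    types: frozenset

    def covers(self, qname: str) -> bool:
        """True if qname lies strictly between owner and next.  The last
        NSEC of a zone points back to the apex, so its range wraps."""
        if canonical_cmp(self.next, self.owner) <= 0:
            return canonical_cmp(self.owner, qname) < 0 or canonical_cmp(qname, self.next) < 0
        return canonical_cmp(self.owner, qname) < 0 and canonical_cmp(qname, self.next) < 0

    def usable_for(self, qname: str) -> bool:
        """An NSEC at a delegation point (NS set, SOA clear) proves nothing
        about names below the zone cut (the RFC 6840 section 4.1 rule)."""
        delegation = "NS" in self.types and "SOA" not in self.types
        return not (delegation and is_ancestor(self.owner, qname))


@dataclass
class Cache:
    nsecs: list       # validated NSEC records
    wildcards: dict   # wildcard owner -> {type: [rdata, ...]}


def synthesize(cache: Cache, qname: str, qtype: str) -> dict:
    """What the cache can say about qname/qtype without asking upstream:
    a synthesized wildcard answer, 'exists' (not a wildcard case at all),
    or 'upstream' when the cache lacks either the proof or the data."""
    if any(canonical_cmp(n.owner, qname) == 0 for n in cache.nsecs):
        return {"status": "exists"}  # the name is real; ordinary lookup applies
    covering = [n for n in cache.nsecs if n.covers(qname) and n.usable_for(qname)]
    if not covering:
        return {"status": "upstream", "why": "no cached NSEC proves qname absent"}
    n = covering[0]
    # Closest encloser: the longest ancestor of qname the NSEC shows to exist,
    # i.e. the longer of the common ancestors with its owner and next name.
    # Every longer ancestor of qname is itself inside the covered range.
    ce = max(longest_common_ancestor(qname, n.owner),
             longest_common_ancestor(qname, n.next),
             key=lambda x: len(labels(x)))
    wild = "*." + ce if ce != "." else "*."
    rrset = cache.wildcards.get(wild, {})
    if qtype not in rrset:
        return {"status": "upstream", "why": f"{wild} {qtype} not in cache"}
    return {"status": "synthesized", "wildcard": wild, "rdata": rrset[qtype],
            # Labels field of the RRSIG a wildcard-expanded answer carries
            "rrsig_labels": len(labels(ce)), "nsec": n.owner}


# Cache contents, constructed from the responses quoted in the message.
IANA_FAIL = Cache(
    nsecs=[
        NSEC("*.h.g.iana.fail.", "b.h.g.iana.fail.", frozenset({"A", "RRSIG", "NSEC"})),
        NSEC("b.h.g.iana.fail.", "mx.iana.fail.", frozenset({"A", "RRSIG", "NSEC"})),
    ],
    wildcards={"*.h.g.iana.fail.": {"A": ["2.2.2.2"]},
               "*.g.iana.fail.": {"A": ["1.1.1.1"]}},
)

if __name__ == "__main__":
    for q in ("a.h.g.iana.fail.", "e.h.g.iana.fail.", "i.g.iana.fail.",
              "a.g.iana.fail.", "b.h.g.iana.fail."):
        print(q, synthesize(IANA_FAIL, q, "A"))
```

Running it: a.h.g and e.h.g are synthesized from *.h.g.iana.fail with RRSIG Labels 4, i.g from *.g.iana.fail with Labels 3, b.h.g is reported as existing, and a.g.iana.fail goes upstream because neither cached NSEC covers it, even though the *.g.iana.fail wildcard is in the cache. The example deliberately stops short of NODATA synthesis: a query for e.h.g.iana.fail AAAA is sent upstream here, although the cached NSEC at *.h.g.iana.fail (type map A RRSIG NSEC) would in principle let a cache answer it negatively as well.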