IETF Logo Mail Archive

Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest

Joe Abley <jabley@hopcount.ca> Tue, 31 July 2018 13:38 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35C66127148 for <dnsop@ietfa.amsl.com>; Tue, 31 Jul 2018 06:38:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvNjnWeAkH21 for <dnsop@ietfa.amsl.com>; Tue, 31 Jul 2018 06:38:15 -0700 (PDT)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79FCA12777C for <dnsop@ietf.org>; Tue, 31 Jul 2018 06:38:15 -0700 (PDT)
Received: by mail-io0-x229.google.com with SMTP id w11-v6so13041826iob.2 for <dnsop@ietf.org>; Tue, 31 Jul 2018 06:38:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yPSwLnujgGDVbFOWi5eleolSpmbArKv+Ia6G0RVMugA=; b=Dk+jNVEih15PO1PTqALifClkWkrOzvSrhcvPfPu3q3Vx8Jhaws4FeLLjYg7A57kVkc 3HhBWtbMmczRV8Y8wTUhoSREaYAP9z+mRkZTaDYPxmD3KZz+3O0UhTKvY5ZRXegHHX5t Mh5D7NH+mPFt63DWbqnL3lMYhVvk6bSzXg+uw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yPSwLnujgGDVbFOWi5eleolSpmbArKv+Ia6G0RVMugA=; b=shKRh0QJGJ7cLc12Xgjeh6sB0zswyz4XXhcE9Go51ekzB+5Dra+ynZQYvjLH6ps3PL l12J86CdpEhaoyyRgPvOFISujpGGDi0utuY3JMbVYVskMgf/0vCTdD4C2QuRVBuETax4 upev9sabl4sXCmRr/nq56h97PsnbfJE29yNup67pf2U8q1szmAf19ORJHX9R7I/nRI2Z ZdjfpRHpW8/mFK+J3r6vcHWfexzz3qPt0/ObfbIDOwUq0ULDZtzsI8ZofBO8OBfJIrHh EZwIADLAFNSTj8fVybwzVf6YOmeMjKUtyYJB5Ymyqem+yN/dqUDzQdI6GApSToPh/R++ AoBA==
X-Gm-Message-State: AOUpUlFqiA1Kly4aKnFgzxGpdJGWBKJ4cUJQSPo00MmBZ2mjWI+SsG21 Hd066WMPoj4phHMMjDiQeAaLWZjy2Ko=
X-Google-Smtp-Source: AAOMgpcVcdvEXOdkmsoOqur2QyXIwEC2cbSbKI1eP07K7hse8XhxR30GFYIqe2RsRhyR9H3AOqdmAg==
X-Received: by 2002:a6b:1c07:: with SMTP id c7-v6mr18268255ioc.298.1533044294257; Tue, 31 Jul 2018 06:38:14 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:101:3:6d81:e02f:e86f:3b17? ([2607:f2c0:101:3:6d81:e02f:e86f:3b17]) by smtp.gmail.com with ESMTPSA id n24-v6sm4357377iop.1.2018.07.31.06.38.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Jul 2018 06:38:12 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Joe Abley <jabley@hopcount.ca>
X-Mailer: iPad Mail (15G77)
In-Reply-To: <m1fkRCk-0000GTC@stereo.hq.phicoh.net>
Date: Tue, 31 Jul 2018 09:38:11 -0400
Cc: dnsop@ietf.org, Wes Hardaker <wjhns1@hardakers.net>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2766BDE0-41C3-4C45-B5E0-445472C56956@hopcount.ca>
References: <CADyWQ+HizOJsE9EZ=VEvrbnnyPwaG_yBRg7fP5VvUNTdnidXZA@mail.gmail.com> <ybl4lgg6ztm.fsf@w7.hardakers.net> <m1fkRCk-0000GTC@stereo.hq.phicoh.net>
To: Philip Homburg <pch-dnsop-3@u-1.phicoh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HLnvitnQP2JEI-S7iJf5cbte2ec>
Subject: Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jul 2018 13:38:17 -0000

Hi Philip,

Are you suggesting that web servers can't be massively scaleable? I'm not sure I understand your examples.

You cite overprovisionoing in the root server system as a reason not to try and supplement it, but I think it makes sense to look at it the other way round -- if there were ways to distribute the root zone reliably and accurately without presenting the attack targets that the root server system does, the need for continued investment in the infrastructure could be reduced (or the effective benefit to end-users from that investment could be increased).

The bandwidth available at the consumer edge, where a lot of the attack sources now live, continues to grow far faster than the bandwidth that can be provisioned at the root server edge. The observation that "there's enough bandwidth that we're safe" doesn't seem future-proof (it doesn't even seem present-proof, really).

For "root server system" also read "publishing system for any zone that people care about" -- the root server system is just a handy example.


Joe

On Jul 31, 2018, at 05:44, Philip Homburg <pch-dnsop-3@u-1.phicoh.com> wrote:

>>> The draft states in the Motivation section:
>>> 
>>>    "The motivation and design of this protocol enhancement is tied to the 
>> DNS root zone [InterNIC]."
>> 
>> That may be a motivation, but as a prospective user I want to use
>> it for much more.  My LocalRoot server is already going to be
>> serving 3 zones, and I have plans for many more.  It would be
>> helpful to know that on the distribution side of things that I had
>> indeed grabbed an authentic source before sending it off to all
>> the resolvers that want to pre-cache a random zone X.
>> 
>> Be careful that we don't collectively interpret the sentence you
>> quote as meaning 'this is only useful for the root zone' just
>> because that was the original motivation.
> 
> I think there is a big difference between distributing the root zone and
> distributing a few 'local' zones.
> 
> In the first case you need something that is massively scalable.
> 
> In the second case, just create a tar file with a zone file and a hash, put
> it up on a web server and the problem is solved. Verifying the contents of a
> file is not exactly a new problem. 
> 
> I wonder if there still is a use case for distributing the root zone. With
> QNAME minimization and NXDOMAIN based on NSEC records, the major use cases
> seem to be gone. Compared to other zones, the root is massively over
> provisioned. So if (from an availability point of view) there is need to have
> a local copy of the root, then you would need a local copy of .com as well.
> 
> Though I'm sure that are people who want to reinvent DNSSEC.
> 
> One final remark, maybe it is worth investigating a 'NSDEL' record type,
> and possibly 'ADEL' and 'AAAADEL'. Which are the equivalents of NS, A, AAAA
> for delegations/glue. With separate record types, we can define that they are
> covered by a RRSIG. Solving issues with data not being signed.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email