IETF Logo Mail Archive

Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

Mark Andrews <marka@isc.org> Thu, 12 November 2015 21:37 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42BBB1B36FF for <dnsop@ietfa.amsl.com>; Thu, 12 Nov 2015 13:37:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NQimjaVU7KXk for <dnsop@ietfa.amsl.com>; Thu, 12 Nov 2015 13:37:00 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 509CE1B36FD for <dnsop@ietf.org>; Thu, 12 Nov 2015 13:37:00 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.ams1.isc.org (Postfix) with ESMTPS id 8E31A1FCAD0; Thu, 12 Nov 2015 21:36:56 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 72A98160085; Thu, 12 Nov 2015 21:37:28 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 64657160084; Thu, 12 Nov 2015 21:37:28 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JygNQPTtQcwN; Thu, 12 Nov 2015 21:37:28 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id 20127160067; Thu, 12 Nov 2015 21:37:28 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 737A23C98C5C; Fri, 13 Nov 2015 08:36:53 +1100 (EST)
To: "Wessels, Duane" <dwessels@verisign.com>
From: Mark Andrews <marka@isc.org>
References: <20151106082238.GA2307@nic.fr> <A62EC834-C954-446C-9F7A-AB6D1F955C7F@verisign.com> <20151112081514.GA16017@laperouse.bortzmeyer.org> <39D878B4-9239-4983-8083-36BCA365BE62@verisign.com>
In-reply-to: Your message of "Thu, 12 Nov 2015 18:13:04 -0000." <39D878B4-9239-4983-8083-36BCA365BE62@verisign.com>
Date: Fri, 13 Nov 2015 08:36:53 +1100
Message-Id: <20151112213653.737A23C98C5C@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/IYcInxUyrhn1OtWZhRRb-6UpE-Y>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 21:37:02 -0000

In message <39D878B4-9239-4983-8083-36BCA365BE62@verisign.com>, "Wessels, Duane
" writes:
> 
> > On Nov 12, 2015, at 12:15 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote
> :
> > 
> > On Wed, Nov 11, 2015 at 01:15:37AM +0000,
> > Wessels, Duane <dwessels@verisign.com> wrote 
> > a message of 107 lines which said:
> > 
> >> This updates RFC 2308 (Negative Caching of DNS Queries).
> > 
> > Good point, I'll add that. Also, I did not dare to add "Updates: RFC
> > 1034". Should I?
> 
> That I don't know.  Someone with more experience should probably answer.
> 
> 
> > 
> >> I think the WG needs to discuss and agree whether or not to make the
> >> NXDOMAIN cut based on QNAME only, or on the SOA owner name.
> > 
> > This is discussed (shortly) in section 5 of the draft. Apparently, it
> > can be risky to rely on the SOA. More discussion welcome.
> 
> As Mark pointed out, we can't use the SOA to make NXDOMAIN more aggressive.
> 
> For a name like foo.bar.example.com and an NXDOMAIN response from example.com
> we can't assume that there would be a zone cut between foo and bar.  
> 
> > 
> >> I think its a little dangerous to say that an NXDOMAIN response
> >> SHOULD cause a cache to delete already cached "positive" data.
> > 
> > Could you elaborate why is it dangerous? (See also the second
> > paragraph of section 7.)
> 
> I'm thinking of worst-case scenarios where, say, an entire TLD is purged
> from the cache due to a spoofed response.  Or, could you imagine a spoofed
> "NXDOMAIN ." response?
> 
> In addition to denying service for the purged domain, a large purge also
> causes the resolver to do a lot of (possibly CPU intensive) work, and
> could also affect the traffic levels between a recursive and authoritatives.
> 
> Perhaps a cache may want to limit the number of nodes/records that it deletes
> per NXDOMAIN response.  Or perhaps it could be configured to not "bulk delete
> "
> TLDs (or root).  
> 
> Perhaps a recursive might be designed to negatively cache an entire zone
> (including TLD) but continue answering positively cached answers in the zone
> until they expire normally.
> 
> DW

Or we can not do anything special w.r.t. TLDs.  DNSSEC prevents this attack.
TLD operators are all in a position to do the right thing and deploy DNSSEC. 

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.20.3 | Report a Bug | By Email