Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-05.txt
Davey Song <songlinjian@gmail.com> Thu, 18 April 2019 11:04 UTC
Return-Path: <songlinjian@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2C031200EA; Thu, 18 Apr 2019 04:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zm59IPbusOfj; Thu, 18 Apr 2019 04:04:56 -0700 (PDT)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B35612009C; Thu, 18 Apr 2019 04:04:56 -0700 (PDT)
Received: by mail-qt1-x834.google.com with SMTP id s15so1673782qtn.3; Thu, 18 Apr 2019 04:04:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Oz1K8Tb1TDj0o/z3dycjQ28v1P+VomDFN+WrNcRhK2s=; b=GhUVaHA5TPjvAla61vaxbIk8by4oNnApJvH61uOh5Mg1qT6XiABsl7tAT2D5wBzeLM xQ7shN4B9Sg0wQkbBdXEIwsef9reH5oDVZIa/Bkl3mcaLdqIV6UC+puQyC+mVoeVowDT kTQER39u3fUJ2/xLTx2sjecjDiYV37Gjm/eBMQb/givylYj5X/BrbHAoD94Wy8p2yFek hZL/TW4UHJ15eDJ3DO/lOkfycGURuDELacchWGzaSTtBGse44cVOvb80bWFm3d9NrBjj AwVJOTyxoe6JUpkoqbb/kGfoMCwg1HjkY0tExdWIRcY3xFUzVOGnCkUo73WRwNXNiz/Y VtPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Oz1K8Tb1TDj0o/z3dycjQ28v1P+VomDFN+WrNcRhK2s=; b=Nml0P/KfPUiNf5yf2q0vFgJrk7ZXca5hMLuE7oWUsNMKcPiecszKXTa/NdbwyeHRXp eFN1TJJTMNWLzXHWbh9hiCbTvjFA3Ij3y7uzO6yXJGm0qy3akoJRIeIJh1k/JSnAMMm2 xHgwAx7ao2j3x3XLQ3tekcF4REwClXTa6cTvTVCmCdBGyf2JgdBQOoBvxBlEZ/EfcyJq 48GVGNof+qfWLFoO2QDa3L/aI83NQOjY+4+hSgk6IcvBZMvzxx+yTKrUAoVGEJw6ioJE lyZs0iwaOskRUmWL4DJUh6bbKv6SoV1PRImm7Sd9u9TdU57raUWTMp1E8NP7gI71Wl0+ BRdA==
X-Gm-Message-State: APjAAAU/1Z1NLjruoo0RV8WXeixu4Ck9cecAKs5N93DkHOQBIQ351JN4 +8UoZUw5UzZ6sBH6gPrxLgRcPQj/43JqPT2+IldNMmgZyL0=
X-Google-Smtp-Source: APXvYqwqnPd9XJOP4b8xd2V+nrSd76X3/DW2Nc+BzcPpfAepK769jJQtgO4zfldkXIgzsXZ9qL6eXXrtltYlWP6vivo=
X-Received: by 2002:ac8:fc8:: with SMTP id f8mr75182630qtk.214.1555585495378; Thu, 18 Apr 2019 04:04:55 -0700 (PDT)
MIME-Version: 1.0
References: <155543713754.24998.8934172511539336013@ietfa.amsl.com>
In-Reply-To: <155543713754.24998.8934172511539336013@ietfa.amsl.com>
From: Davey Song <songlinjian@gmail.com>
Date: Thu, 18 Apr 2019 19:04:44 +0800
Message-ID: <CAAObRXLhzcetGbb7-EkGgpdkiDGo6uHnij5=dY6wFLqvarSuWQ@mail.gmail.com>
To: internet-drafts@ietf.org, dnsop <dnsop@ietf.org>
Cc: i-d-announce@ietf.org
Content-Type: multipart/alternative; boundary="000000000000deb2050586cbf8e4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MENMA0etqVTIcBBnpc7RiWhJVqk>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 11:05:00 -0000
<It is my second time to read it. I may miss something discussed before. Sorry> Some concerns and comments: 1) It sounds to me that the primary targeted outage described in this draft is on the authoritative server during DDOS attack especially. Think about a case of outage of resolver due to a failure in its network path to the authoritative server. Normally end user have more than one configured resolvers. If only one resolver experience the outage and serve the stale data, could the user tell which resolver have more refreshed data ? If not, it may impact users experience if they have to accept stale data during the period when they still have the choice for refreshed ones. As I mentioned the first time I read it, I dislike the fact of concealing using of stale data from end users. 2) I notice it is proposed as a stand track document. If more people here think its benefit outweighs its impacts, I prefer it published as informational document, because it is based on implementation and operation experience. There is no need to change the protocol and the definition of TTL. I prefer to take the serve-stale behavior as a local policy and a side channel in case of resolver's cache-miss. 3) A minor concern: in an thread in dns-operation mailing list last week, it is said that the behavior of serve stale in some ISPs is abused for reason of traffic hijack/tampering/spoofing. I'm afraid it will be encouraged by this document. Best regards, Davey On Wed, 17 Apr 2019 at 01:52, <internet-drafts@ietf.org> wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Domain Name System Operations WG of the > IETF. > > Title : Serving Stale Data to Improve DNS Resiliency > Authors : David C Lawrence > Warren "Ace" Kumari > Puneet Sood > Filename : draft-ietf-dnsop-serve-stale-05.txt > Pages : 12 > Date : 2019-04-16 > > Abstract: > This draft defines a method (serve-stale) for recursive resolvers to > use stale DNS data to avoid outages when authoritative nameservers > cannot be reached to refresh expired data. It updates the definition > of TTL from [RFC1034], [RFC1035], and [RFC2181] to make it clear that > data can be kept in the cache beyond the TTL expiry and used for > responses when a refreshed answer is not readily available. One of > the motivations for serve-stale is to make the DNS more resilient to > DoS attacks, and thereby make them less attractive as an attack > vector. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-05 > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-serve-stale-05 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-serve-stale-05 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > I-D-Announce mailing list > I-D-Announce@ietf.org > https://www.ietf.org/mailman/listinfo/i-d-announce > Internet-Draft directories: http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt >
- [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-st… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-st… Davey Song
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-st… Karan Saini
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-st… Dave Lawrence