Re: [DNSOP] Review of draft-ietf-dnsop-serve-stale-02.txt

Paul Wouters <paul@nohats.ca> Tue, 06 November 2018 05:12 UTC

Date: Tue, 06 Nov 2018 00:12:44 -0500
From: Paul Wouters <paul@nohats.ca>
To: Bob Harold <rharolde@umich.edu>
cc: IETF DNSOP WG <dnsop@ietf.org>
In-Reply-To: <CA+nkc8A2Von3tzCJrP35YnCL78joZt9Munx7PYbw4EJ-T1nd1Q@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1811060011130.10631@bofh.nohats.ca>
References: <20181103081228.GA32569@naina> <23519.58661.219419.142204@gro.dd.org> <alpine.DEB.2.20.1811051833080.24450@grey.csi.cam.ac.uk> <5BE09118.9040102@redbarn.org> <CA+nkc8A2Von3tzCJrP35YnCL78joZt9Munx7PYbw4EJ-T1nd1Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MV1yLVqrYW6Nym8__gqF7NKYF3o>
Subject: Re: [DNSOP] Review of draft-ietf-dnsop-serve-stale-02.txt

On Mon, 5 Nov 2018, Bob Harold wrote:

> On Mon, Nov 5, 2018 at 1:51 PM Paul Vixie <paul@redbarn.org> wrote:
>       because of deliberate reconfiguration or takedown, i'll hope that
>       serve-stale offers authority operators (both apex and parent) a
>       signalling pattern that says, "actually, i want this dead, NOW."
> 
> 
> Good point.  I think that would mean that if using all the NS records in the cache fails to get a good response, then the resolver should check
> the parent domain to see if the NS records have changed or have been removed.
> (answers or NXDOMAIN being a good response in this case, REFUSED or LAME or timeout being bad responses)
> 
> Would that work?   Should that be in the draft?

Something along those lines should be added. But this particular
approach might be too simple. What if the parent is also under
DDoS attack? When can/should you look at the parent's parent (e.g.
think Public Suffix boundaries)?

Paul
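A constructed sketch of the resolver logic Bob proposes, including the climb to the parent's parent that Paul questions, as an added example that is not code from the draft, from either poster, or from any resolver; the zone names, the cached delegation chain, the probe table and the public-suffix set are all assumptions.

```python
from typing import Callable, Tuple

# Constructed model: probe(server, qname) -> (rcode, ns_rrset). An answer or
# NXDOMAIN is a usable signal; REFUSED, LAME and TIMEOUT are not (as the thread
# classifies them). Nothing here is real resolver code.
Probe = Callable[[str, str], Tuple[str, Tuple[str, ...]]]
BAD = {"REFUSED", "LAME", "TIMEOUT"}


def parent_of(name: str) -> str:
    """Strip the leftmost label: 'www.example.org' -> 'example.org' -> 'org' -> '.'."""
    return name.split(".", 1)[1] if "." in name else "."


def stale_decision(zone: str, cache: dict, probe: Probe,
                   public_suffixes=frozenset({"org", "."})) -> str:
    """What to do with expired data for `zone` once its cached NS all fail.

    1. Any usable reply from the zone's own NS: just refresh.
    2. Ask the parent about the delegation: NXDOMAIN is an explicit takedown
       ("I want this dead, NOW"), a changed NS set means the cache is obsolete,
       an unchanged one means the child is merely unreachable: serve stale.
    3. If the parent is also unresponsive, climb at most to the first
       public-suffix ancestor and ask it about the *parent's* delegation; that
       can only reveal a removed subtree, so anything else stays 'unverified'.
    """
    for ns in cache.get(zone, ()):
        if probe(ns, zone)[0] not in BAD:
            return "refresh"
    child, ancestor = zone, parent_of(zone)
    while True:
        replies = [probe(ns, child) for ns in cache.get(ancestor, ())]
        usable = [r for r in replies if r[0] not in BAD]
        if usable:
            rcode, rrset = usable[0]
            if rcode == "NXDOMAIN":
                return "drop"
            if set(rrset) != set(cache.get(child, ())):
                return "redelegated"
            return "serve-stale" if child == zone else "serve-stale-unverified"
        if ancestor in public_suffixes or ancestor == ".":
            return "serve-stale-unverified"   # nobody reachable up to the registry
        child, ancestor = ancestor, parent_of(ancestor)


def table_probe(table: dict) -> Probe:
    """Probe backed by a constructed {(server, qname): (rcode, rrset)} table; unknown pairs time out."""
    return lambda server, qname: table.get((server, qname), ("TIMEOUT", ()))


# Constructed cache: the delegation chain for example.org as last seen.
CACHE = {"example.org": ("ns1.example.org", "ns2.example.org"),
         "org": ("a0.org-servers.net",), ".": ("a.root-servers.net",)}
```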