IETF Logo Mail Archive

Re: [DNSOP] draft-thomassen-dnsop-generalized-dns-notify and draft-ietf-dnsop-dnssec-bootstrapping

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 16 October 2023 20:19 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6489DC151067 for <dnsop@ietfa.amsl.com>; Mon, 16 Oct 2023 13:19:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.092
X-Spam-Level:
X-Spam-Status: No, score=-2.092 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nGcpkEp1i1ks for <dnsop@ietfa.amsl.com>; Mon, 16 Oct 2023 13:19:11 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D548EC14CF12 for <dnsop@ietf.org>; Mon, 16 Oct 2023 13:19:11 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id a640c23a62f3a-9be7e3fa1daso411532166b.3 for <dnsop@ietf.org>; Mon, 16 Oct 2023 13:19:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697487550; x=1698092350; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7BmqzUVPotSYVgq+Png+EkhKXafACMbC5sYt8V0urkQ=; b=TlpY9whxPZyylrC4G22FZnDrt2ym+NhZ7Lyrk//DxhuEpr8fRmZ8gUB76EnKFfIV9M mBcrmGsxzm8obm79HyVsvSHSg9xweBUZEsj0qjq928pbqKFnyeh//jTV9cPbKOBz7pJY F2trDg7bUzPvTYGWKun3lQ5I/nrHsEcgMIwmOEowuj2eZzWhPXdt4LO2VyNyYYLNwyua 7ZSgwoC81PO42zfJf9i1o1SRKOPE04k8jT/J5N/YiMFAGwxFPxGn9BGlhNvHFiozGAd9 EeIu4KjE8VKlK1JI4GLTblQ5eMJcv27doyM4p23Vn9OcULYIwoV/QUtVzLIhne6Iq6HF Mh0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697487550; x=1698092350; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7BmqzUVPotSYVgq+Png+EkhKXafACMbC5sYt8V0urkQ=; b=n7YQquve3w0B5yq7842WddRYH2RhU5R1Fbxk0TU5jJ84fheEY+6IjuWm2FPEcRK+AX fNvgV82iP9bLy0Fxd+gcmKNKHEUglARwhHVxFkXnZ1sFqUEiNWvtNHHf+exPqq0xrmLF 8nTN4i1Q/FUQ+IZeQqktDNLtyItqOp7DUPg6ZFPevys4c/EhVPFco61vzCRNCSvsZ4qF 8De4Pgeknmjlf/zRYmfQ9S7JKvqzLQVmi4MXq8uRM5Rp2iyf0zd+eeOfy1diQcJciysp gX01xmh9tcayyUC+hHH+WbIyauxzjGwNgBGFR0LsvCdHgdSc5tEcrCacqJuS6GrpjATq a9sg==
X-Gm-Message-State: AOJu0YynnbhQwJZk2LHr7Uyn3fR2Y5IQ4ddz76wgAXhNGyfhFdfzf+Y4 +AQ5v6YuFitluGF4yTjPVLR3V2cNcWqBi7hR9bkbzFBIHyQ=
X-Google-Smtp-Source: AGHT+IERvAn6twBp1+ObBmQZ2fdYCdgio6CJ/2PD6jVP9ZMTlaE1F1mscdnubvOlao5fGcDgB2W3QYE3yyuGta/lL5U=
X-Received: by 2002:a17:907:2685:b0:9ba:7f5:8cca with SMTP id bn5-20020a170907268500b009ba07f58ccamr125073ejc.20.1697487549561; Mon, 16 Oct 2023 13:19:09 -0700 (PDT)
MIME-Version: 1.0
References: <20230916025431.1B416A94E6E@ary.qy> <20231013174834.0599E36EEB15@ary.local>
In-Reply-To: <20231013174834.0599E36EEB15@ary.local>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 16 Oct 2023 13:18:57 -0700
Message-ID: <CAH1iCiot2MFtxkkjCbTU5nM+AbZQrufudu4CEw=ByxgiwMbdBg@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="00000000000066ff690607db1e19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NEEiwPiPQEqqt5EnkPEeAFf8Q2w>
Subject: Re: [DNSOP] draft-thomassen-dnsop-generalized-dns-notify and draft-ietf-dnsop-dnssec-bootstrapping
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Oct 2023 20:19:16 -0000

On Fri, Oct 13, 2023 at 10:48 AM John Levine <johnl@taugh.com> wrote:

> I was looking at these two drafts. The first one says that scanning
> for CDS updates is bad, so use NOTIFY(CDS) rather than scanning. The
> second one says to scan for DS bootstrap.  I am experiencing cognitive
> dissonance.
>

I believe a more concise summary of the Notify vs CDS would be:

   - Notify is better than scanning
   - This is analogous to "Winning $1,000,000 in the lottery is better than
   winning $10."

It also is more helpful to consider the parties and benefits of using
Notify.
CDS scanning will always be necessary, for the use cases relevant here.

   - Notify does not impact the scanning activity at all.
   - Notify *does* reduce the time for a *specific* domain to have the CDS
   processing done.
   - Notify benefits the Registrant, not the Registry or Registrar.


Similarly, the bootstrap process is likely to be further refined, if it is
not already refined thusly:

   - The DNS operator should maintain bootstrap zones for each scanning
   entity (TLD or Registrar, as appropriate)
   - Each scanning entity would then "walk" the corresponding bootstrap zone
   - The feedback between initial DS publication at the TLD parent and the
   bootstrap zone would look a lot like the mechanism used for CDS itself:
      - Publish (CDS or bootstrap)
      - Check TLD until DS is observed
      - Change/remove record (CDS or bootstrap)
   - This turns the relevant bootstrap zones into what are effectively
   FIFOs, with the scanning entity having some ability to control the size of
   the zone being scanned (by scanning more frequently)
   - Since each of the bootstrap zones are DNSSEC signed with NSEC, they
   can be very efficiently walked (this is a feature, not a bug)
   - The scanner can further be optimized into a poll-then-scan-if-needed,
   by using SOA record polling on the zone. Only scan if the poll returns a
   new SOA SN.
   - The use of Notify would be a trigger for the poll-then-scan, with the
   Notify being scoped to the bootstrap zone itself


Hopefully this fixes your cognitive issue. :-)

Brian



>
> I suggest adjusting the bootstrap draft saying to send NOTIFY(DS) to
> the parent of a delegated name to tell it to do the bootstrap rather
> than scanning. The issues in section 3 about why scanning is bad and
> in section 4 about where to send the notification are exactly the same
> as what's there now.
>
> I suppose you could overload NOTIFY(CDS) and the parent does one or
> the other depending on whether the zone already is signed but it seems
> to me that the operations are different so the notification might as
> well be different too.
>
> Bonus update: if we do this, in the bootstrap draft take out section
> 4.3 on triggers and instead say to use notify.
>
> R's,
> John
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email