Re: [DNSOP] Comments on draft-ietf-dnsop-root-loopback
Paul Hoffman <paul.hoffman@vpnc.org> Sat, 10 January 2015 18:05 UTC
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAH1iCiqBTh5NcD9LWjQ1BNVRFt0Bc-ROJYs+hG=vO8i_bwrD5A@mail.gmail.com>
Date: Sat, 10 Jan 2015 10:05:00 -0800
Message-Id: <849F33D4-76E2-4C6C-B946-B3083F0235D1@vpnc.org>
References: <CAH1iCirLkTYcBZ7pfYSwdDQhOEUJyN2sjpTMSkTMdGn3ZkX3ZA@mail.gmail.com> <CAH1iCiqBTh5NcD9LWjQ1BNVRFt0Bc-ROJYs+hG=vO8i_bwrD5A@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/NijaOxwPFGs4PMMRutdzRqthDSE>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] Comments on draft-ietf-dnsop-root-loopback
Wearing my co-author hat:

On Dec 29, 2014, at 2:23 PM, Brian Dickson <brian.peter.dickson@gmail.com> wrote:

> - Given the unsigned nature of the glue in the zone, and the importance of root glue, it might be the right time to also introduce a "zone signature" RR, signed by the ZSK.

It might be, but that certainly would not go in this document. Having said that, it would be good to first hear evidence about how many resolvers take the unsigned root glue on faith versus how many chase down the names themselves. If there is only a small percentage who use the unsigned root glue, adding a new zone signature RR would seem awfully heavy-weight. (I say that as someone who has already done a design for the RR and presented it as a possibly-useful idea; I'm now not convinced it is worth the effort.)

> - Given the lack of the "big red button", this would be a good time to introduce the ability to opt-in to a NOTIFY "registry", so that appropriately validated notifications could be sent by a root-zone operator (from whom the root-loopback operator does AXFRs)

It might be, but that certainly would not go in this document. Still, I don't see the need for this if the root-loopback operator is checking for updates at a reasonable rate. The next draft will have a note about the history of root zone updates.

> - I'd also suggest adding something like a "sentinel" query for SOA Serial Number be made at REFRESH intervals to randomly-selected root servers. If the SOA Serial Number is stale for REFRESH + RETRY, it may be safer to go SERVFAIL at that point rather than waiting for EXPIRE. (The stale zone might still want to be used if all other root servers become unreachable, so don't delete the zone, just prefer not to use it.)

What does "safer" mean here? If the folks who create the root zone (or any zone, for that matter) want people to expire sooner, they should change the value of the EXPIRE field: they shouldn't rely on us second-guessing them.

--Paul Hoffman
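The "sentinel" SOA query discussed in the last quoted point, modelled as an added example. This is not code from draft-ietf-dnsop-root-loopback nor from either author of the thread: the `LocalRootCopy` class, the state names `fresh`/`stale`/`expired`, the `use_local_copy` policy and the SOA timer values are assumptions made here to show how the REFRESH + RETRY cut-over and the "keep but prefer not to use" fallback would fit together with ordinary EXPIRE handling. Serial comparison uses RFC 1982 wraparound arithmetic, which is the one detail such a check most often gets wrong.

```python
"""Freshness model for a root zone copy served from loopback (added example)."""
import random
from dataclasses import dataclass
from typing import List, Tuple

# The 13 root server hostnames; one is picked at random for each sentinel
# SOA query, as the quoted suggestion proposes.
ROOT_SERVER_NAMES = [f"{c}.root-servers.net" for c in "abcdefghijklm"]

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: True when a is 'after' b.

    Serials wrap at 2^32, so a plain integer comparison breaks across the
    wrap; the difference modulo 2^32 must be positive and below 2^31.
    """
    d = (a - b) % SERIAL_MOD
    return 0 < d < SERIAL_HALF


def pick_sentinel_target(rng=None) -> str:
    """Choose the root server to ask for the SOA serial this round."""
    return (rng or random).choice(ROOT_SERVER_NAMES)


@dataclass
class LocalRootCopy:
    """State of the loopback root zone copy (hypothetical structure).

    refresh/retry/expire are the SOA timers of the transferred zone;
    last_confirmed is when the local serial was last seen to match upstream.
    """
    serial: int
    refresh: int
    retry: int
    expire: int
    last_confirmed: float
    state: str = "fresh"

    def observe(self, now: float, upstream_serial: int) -> str:
        """Feed the result of one sentinel SOA query; return the new state."""
        if not serial_gt(upstream_serial, self.serial):
            # Upstream serial equals ours (or is behind, e.g. a lagging
            # secondary answered): our copy is current.
            self.last_confirmed = now
            self.state = "fresh"
            return self.state
        lag = now - self.last_confirmed
        if lag > self.expire:
            self.state = "expired"   # standard SOA semantics: stop serving
        elif lag > self.refresh + self.retry:
            self.state = "stale"     # the suggested earlier cut-over point
        else:
            self.state = "fresh"     # newer serial exists, still within tolerance
        return self.state

    def use_local_copy(self, root_servers_reachable: bool = True) -> bool:
        """Once stale, prefer normal resolution (SERVFAIL from loopback) but
        keep the copy as a fallback when no root server can be reached; an
        expired copy is never used."""
        if self.state == "expired":
            return False
        if self.state == "stale":
            return not root_servers_reachable
        return True


def run_sentinel_schedule(copy: LocalRootCopy,
                          observations: List[Tuple[float, int]]) -> List[str]:
    """Replay a series of (time, upstream_serial) sentinel results."""
    return [copy.observe(now, serial) for now, serial in observations]


# Constructed sample timers and timeline (seconds since the last zone
# transfer): upstream publishes a new serial at t=1800 and the loopback
# copy never catches up.
SAMPLE_TIMERS = dict(refresh=1800, retry=900, expire=604800)
SAMPLE_OBSERVATIONS = [
    (0, 2015011000),
    (1800, 2015011001),
    (3600, 2015011001),
    (5400, 2015011001),
    (700000, 2015011001),
]


def demo() -> List[str]:
    copy = LocalRootCopy(serial=2015011000, last_confirmed=0, **SAMPLE_TIMERS)
    return run_sentinel_schedule(copy, SAMPLE_OBSERVATIONS)


def demo_catch_up() -> str:
    """A successful zone transfer that updates the local serial clears 'stale'."""
    copy = LocalRootCopy(serial=2015011000, last_confirmed=0, **SAMPLE_TIMERS)
    run_sentinel_schedule(copy, SAMPLE_OBSERVATIONS[:3])  # now stale
    copy.serial = 2015011001                               # transfer succeeded
    return copy.observe(3601, 2015011001)


if __name__ == "__main__":
    print("sentinel target:", pick_sentinel_target())
    print("states:", demo())
    print("after catch-up:", demo_catch_up())
```

With the sample timers the copy is tolerated for 2700 seconds after a newer serial appears upstream, then marked stale and only used if every root server is unreachable, and dropped outright after the zone's own EXPIRE, which is the behaviour the reply argues should be governed by the zone's SOA values rather than by the resolver.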