Re: [DNSOP] New draft on delegation revalidation

Brian Dickson <brian.peter.dickson@gmail.com> Sat, 11 April 2020 07:12 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QloxJ1PJS8yaClP_EYz0FxzsTto>

On Fri, Apr 10, 2020 at 6:46 AM Shumon Huque <shuque@gmail.com> wrote:

> Hi folks,
>
> Paul Vixie, Ralph Dolmans, and I have submitted this I-D for
> consideration:
>
>    https://tools.ietf.org/html/draft-huque-dnsop-ns-revalidation-01
>
>
> Comments/discussion welcome.
>

There is one issue not addressed (here or anywhere else) that is
operationally relevant.

If a domain's delegation NS set includes name servers that no longer act as
authoritative servers for the zone, there is no adequate mechanism to
signal to the parent zone or to resolvers that this is a permanent
situation.

The delegation (re)validation might be a reasonable place to implement
something to detect this and adjust the choice of NS on the resolver's
cache.

(Part of the problem may be a "catch 22": the server receiving the query
isn't authoritative for the zone, so technically it can't/shouldn't return
anything authoritatively.)

This might also be viewed (correctly) as a corner case in the RRR model
that doesn't get addressed; it seems to happen most frequently if a
registrant changes registrars or if a domain lapses, where the previous
registrar also acted as DNS operator for the zone.

Thoughts? (Not sure if I did justice to the explanation; qv "lame
delegation".)

Brian
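
The lame-delegation check discussed in this message, sketched as an added example (not code from the post or from draft-huque-dnsop-ns-revalidation). It classifies each delegated server's reply to a non-recursive SOA query for the zone apex and splits the NS set accordingly. The server names, the constructed response headers and the classification heuristic (REFUSED, SERVFAIL, or NOERROR without AA treated as lame) are assumptions.

```python
import struct

QR_BIT, AA_BIT, RCODE_MASK = 0x8000, 0x0400, 0x000F   # DNS header flag bits
NOERROR, SERVFAIL, REFUSED = 0, 2, 5

def make_header(aa, rcode, ancount):
    """Build a constructed 12-byte DNS response header (QR=1) for the samples."""
    flags = QR_BIT | (AA_BIT if aa else 0) | rcode
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

def classify(response):
    """Classify one server's reply to a non-recursive SOA query for the apex."""
    if response is None:
        return "unreachable"        # timeout: may be transient, not proof of lameness
    if len(response) < 12:
        return "malformed"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & QR_BIT:
        return "malformed"          # QR clear: this is not a response
    rcode = flags & RCODE_MASK
    if rcode == NOERROR and flags & AA_BIT and ancount > 0:
        return "authoritative"
    # Assumed heuristic: a server that no longer hosts the zone refuses, fails,
    # or answers without the AA bit (upward referral or cached data).
    if rcode in (REFUSED, SERVFAIL) or (rcode == NOERROR and not flags & AA_BIT):
        return "lame"
    return "other"

def revalidate(ns_set, responses):
    """Split a delegation NS set into servers to keep using and servers to avoid."""
    keep, avoid = [], []
    for ns in ns_set:
        verdict = classify(responses.get(ns))
        (avoid if verdict in ("lame", "malformed") else keep).append((ns, verdict))
    return keep, avoid

# Constructed sample: two current servers plus two left over from a previous operator.
DELEGATION = ["ns1.new-operator.example.", "ns2.new-operator.example.",
              "ns1.old-registrar.example.", "ns2.old-registrar.example."]
RESPONSES = {
    "ns1.new-operator.example.": make_header(True, NOERROR, 1),
    "ns2.new-operator.example.": None,                       # no reply
    "ns1.old-registrar.example.": make_header(False, REFUSED, 0),
    "ns2.old-registrar.example.": make_header(False, NOERROR, 0),
}

if __name__ == "__main__":
    keep, avoid = revalidate(DELEGATION, RESPONSES)
    print("keep :", keep)
    print("avoid:", avoid)
```

A single probe like this only shows that a server is not answering authoritatively now; it does not establish that the situation is permanent, which is the missing signal the message describes.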