Re: [DNSOP] draft-thomassen-dnsop-generalized-dns-notify and draft-ietf-dnsop-dnssec-bootstrapping

John R Levine <johnl@taugh.com> Mon, 16 October 2023 21:30 UTC

Date: Mon, 16 Oct 2023 17:30:36 -0400
Message-ID: <eeb557f9-8787-87ad-5e69-8ed6861cc666@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: dnsop@ietf.org
In-Reply-To: <CAH1iCiot2MFtxkkjCbTU5nM+AbZQrufudu4CEw=ByxgiwMbdBg@mail.gmail.com>
References: <20230916025431.1B416A94E6E@ary.qy> <20231013174834.0599E36EEB15@ary.local> <CAH1iCiot2MFtxkkjCbTU5nM+AbZQrufudu4CEw=ByxgiwMbdBg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SOokhHs8Zz1H7HcwN70rupcIRZQ>
Subject: Re: [DNSOP] draft-thomassen-dnsop-generalized-dns-notify and draft-ietf-dnsop-dnssec-bootstrapping

I think you're agreeing that we should add notifications even though we 
can imagine a wide range of so-far nonexistent ways to limit the cost of 
scanning.

My thought is that the notify is for the domain to be signed, so there's 
no scanning, just parent checks to see whether it likes the new keys and 
if so, installs them.  I suppose the notification might get lost, but 
sending another one is likely to be faster than waiting for a scan.

> On Fri, Oct 13, 2023 at 10:48 AM John Levine <johnl@taugh.com> wrote:
>
>> I was looking at these two drafts. The first one says that scanning
>> for CDS updates is bad, so use NOTIFY(CDS) rather than scanning. The
>> second one says to scan for DS bootstrap.  I am experiencing cognitive
>> dissonance.
>>
>
> I believe a more concise summary of the Notify vs CDS would be:
>
>   - Notify is better than scanning
>   - This is analogous to "Winning $1,000,000 in the lottery is better than
>   winning $10."
>
> It also is more helpful to consider the parties and benefits of using
> Notify.
> CDS scanning will always be necessary, for the use cases relevant here.
>
>   - Notify does not impact the scanning activity at all.
>   - Notify *does* reduce the time for a *specific* domain to have the CDS
>   processing done.
>   - Notify benefits the Registrant, not the Registry or Registrar.
>
>
> Similarly, the bootstrap process is likely to be further refined, if it is
> not already refined thusly:
>
>   - The DNS operator should maintain bootstrap zones for each scanning
>   entity (TLD or Registrar, as appropriate)
>   - Each scanning entity would then "walk" the corresponding bootstrap zone
>   - The feedback between initial DS publication at the TLD parent and the
>   bootstrap zone would look a lot like the mechanism used for CDS itself:
>      - Publish (CDS or bootstrap)
>      - Check TLD until DS is observed
>      - Change/remove record (CDS or bootstrap)
>   - This turns the relevant bootstrap zones into what are effectively
>   FIFOs, with the scanning entity having some ability to control the size of
>   the zone being scanned (by scanning more frequently)
>   - Since each of the bootstrap zones is DNSSEC signed with NSEC, they
>   can be very efficiently walked (this is a feature, not a bug)
>   - The scanner can further be optimized into a poll-then-scan-if-needed,
>   by using SOA record polling on the zone. Only scan if the poll returns a
>   new SOA SN.
>   - The use of Notify would be a trigger for the poll-then-scan, with the
>   Notify being scoped to the bootstrap zone itself
>
>
> Hopefully this fixes your cognitive issue. :-)
>
> Brian
>
>
>
>>
>> I suggest adjusting the bootstrap draft saying to send NOTIFY(DS) to
>> the parent of a delegated name to tell it to do the bootstrap rather
>> than scanning. The issues in section 3 about why scanning is bad and
>> in section 4 about where to send the notification are exactly the same
>> as what's there now.
>>
>> I suppose you could overload NOTIFY(CDS) and the parent does one or
>> the other depending on whether the zone already is signed but it seems
>> to me that the operations are different so the notification might as
>> well be different too.
>>
>> Bonus update: if we do this, in the bootstrap draft take out section
>> 4.3 on triggers and instead say to use notify.
>>
>> R's,
>> John
>>
>

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
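Added illustration of the parent-side logic the two messages describe, written for this archive page and not taken from either draft or from the thread: a NOTIFY(CDS) is treated as an untrusted, rate-limited hint that advances the poll schedule; the parent then does Brian's poll-then-scan on the child's SOA serial and re-examines the CDS RRset only when the serial changed, installing the DS only if the child's CDS validates and uses an acceptable algorithm. The `Child` record, `ParentScanner`, the `lookup` callback and the `validated` flag are assumptions standing in for a validating resolver; no real DNS queries are made.

```python
# Added example, not code from draft-thomassen-dnsop-generalized-dns-notify,
# draft-ietf-dnsop-dnssec-bootstrapping, or the list thread.
import time
from dataclasses import dataclass


@dataclass
class Child:
    """Constructed stand-in for a validating resolver's view of a child zone."""
    soa_serial: int
    cds: tuple        # presentation-format CDS rdata: "keytag alg digesttype digest"
    validated: bool   # True iff the CDS RRset validated under the child's DNSKEY


class ParentScanner:
    MIN_INTERVAL = 60.0           # seconds between notify-driven checks of one child

    def __init__(self, lookup, accept_algs=(13, 14), now=time.monotonic):
        self.lookup = lookup      # zone name -> Child (assumed resolver callback)
        self.accept = accept_algs # DNSKEY algorithms this parent will publish DS for
        self.now = now
        self.seen_serial, self.last_check, self.ds = {}, {}, {}

    def on_notify(self, zone):
        """A NOTIFY carries no authority; it only brings the poll forward."""
        t = self.now()
        if t - self.last_check.get(zone, float("-inf")) < self.MIN_INTERVAL:
            return "rate-limited"
        self.last_check[zone] = t
        return self.poll(zone)

    def poll(self, zone):
        """Poll-then-scan: skip the CDS work if the SOA serial is unchanged."""
        child = self.lookup(zone)
        if child.soa_serial == self.seen_serial.get(zone):
            return "unchanged"
        self.seen_serial[zone] = child.soa_serial
        return self.process_cds(zone, child)

    def process_cds(self, zone, child):
        """Decide from the child's validated CDS, never from the NOTIFY itself."""
        if not child.cds:
            return "no CDS"
        if not child.validated:
            return "rejected: CDS not DNSSEC-valid"
        if child.cds == ("0 0 0 00",):       # RFC 8078 DS-deletion record
            self.ds.pop(zone, None)
            return "removed"
        records = [rr.split() for rr in child.cds]
        if any(int(rr[1]) not in self.accept for rr in records):
            return "rejected: unsupported algorithm"
        self.ds[zone] = tuple(" ".join(rr) for rr in records)
        return "installed"
```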