IETF Logo Mail Archive

Re: [DNSOP] mixfr - issue #10 - Client RRSIG logic simplification

Matthijs Mekking <matthijs@pletterpet.nl> Wed, 04 April 2018 10:47 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 356DB127137 for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 03:47:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q6hysru336jA for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 03:47:06 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08EAD12711E for <dnsop@ietf.org>; Wed, 4 Apr 2018 03:47:05 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w34AhUFd013001 for <dnsop@ietf.org>; Wed, 4 Apr 2018 10:47:05 GMT
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2130.oracle.com with ESMTP id 2h4w7180cv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org>; Wed, 04 Apr 2018 10:47:05 +0000
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w34Al4Lp027230 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org>; Wed, 4 Apr 2018 10:47:04 GMT
Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w34Al4hi023294 for <dnsop@ietf.org>; Wed, 4 Apr 2018 10:47:04 GMT
Received: from [172.19.129.14] (/216.146.45.33) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 04 Apr 2018 03:47:04 -0700
To: dnsop@ietf.org
References: <20180329184513.GF62218@registro.br> <c62db666-fc1b-8ef8-8fbb-42443e1b69a0@pletterpet.nl> <20180404013246.GE10662@registro.br> <6000B001-F8B5-4BD0-B3FD-42806BDA335A@hopcount.ca>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <35cfcc35-c00c-d078-4129-a1c0b9609954@pletterpet.nl>
Date: Wed, 04 Apr 2018 12:47:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <6000B001-F8B5-4BD0-B3FD-42806BDA335A@hopcount.ca>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8852 signatures=668697
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804040107
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T68aFUBoz4yEhhfkCdr90u4kfZw>
Subject: Re: [DNSOP] mixfr - issue #10 - Client RRSIG logic simplification
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 10:47:08 -0000

Joe,

Thanks for sharing your concerns.

On 04-04-18 05:31, Joe Abley wrote:
> On Apr 3, 2018, at 21:32, Frederico A C Neves <fneves@registro.br>
> wrote:
> 
>>> On Tue, Apr 03, 2018 at 02:37:12PM +0200, Matthijs Mekking
>>> wrote: Hi Frederico,
>>> 
>>>> On 03/29/2018 08:45 PM, Frederico A C Neves wrote: I was
>>>> looking at our server to evaluate the MIXFR implementation and 
>>>> it seams to me that the current text covering dnssec aware
>>>> client logic don't take in account that a posterior record at
>>>> the addition section, by an MIXFR DNSSEC aware server, will
>>>> implicitly replace the RRSIG RRset.
>>> 
>>> I am unclear what case you are covering.
>> 
>> Any situation that you have an updated RRset. It is implicit that 
>> you'll have to update the signature, so I was arguing that this is 
>> afterward covered by 3.6 Replace a RRset. My "simplified" logic
>> take this in account to don't impose this extra logic at the client
>> for updated RRsets, only for removed RRsets, explicit or when a
>> removal of RR causes it.
> 
> I have not been reading this thread in depth and so I have not
> commented up until now. But I sense that there is a proposed shift of
> responsibility for coherency in the contents of a zone, specifically
> with resapect to DNSSEC. Quite possibly I am wrong, in which case I
> will enjoy being told as much.

I am happy to entertain you by telling that there is no shift in 
responsibility for coherency in the contents of a zone.

We are merely trying to come up with a more sophisticated syntax such 
that the primary has to use less bytes to achieve zone consistency.


> If I am a zone administrator, responsible for the self-consistent
> contents of my zone, and I make a mistake, the behaviour today (with
> zones distributed by AXFR, IXFR, rsync, ftp, avian carrier) is that a
> DNS zone is a DNS zone and the RRSets contained within are simply
> that, no appreciation, understanding or accommodation of DNSSEC
> required.

I see your argument. On the other hand, if you make a mistake with 
DNSSEC you are in trouble anyway.


> The line of thinking inherent in the lowest quoted paragraph above
> suggests that distribution of sets of RRSets (together forming a
> zone) must with this new transfer mechanism be completed with
> semantic appreciation for the relationship between non-RRSIG-type
> RRSets and the corresponding RRSIG-type RRSets that accompany them in
> a signed zone. This worries me.
> 
> The protocol requirements for DNSSEC as described in RFC 4035 are
> non-trivial to implement already (cf. the treatment of RRSets in a
> response with their accompanying RRSIG RRSets as an atomic unit in
> the cache, to be expired together regardless of differences in TTL)
> and I don't think we want to extend them without good reason.

Note that this does not affect resolvers and caches: zone transfers are 
between authoritative name servers only.

I am determined to back the specification with an implementation, 
especially after the camel is our new favorite animal, so hopefully that 
will take away your concerns regarding implementation complexity.


> If we expect MIXFR (or whatever it is eventually called) to behave
> differently in this respect to AXFR, IXFR or any number of
> out-of-band transfer mechanisms, we should have a good reason for it.
> I don't know that I see one, yet.

It is zone transfer size. It can be quite large with DNSSEC (zone 
re-sign, NSEC3 resalt). To quote someone: Reducing the amount of data, 
is the only way to keep up with our current and future workloads.

Best regards,
   Matthijs


> 
> 
> Joe _______________________________________________ DNSOP mailing
> list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email