Re: [DNSOP] mixfr - issue #10 - Client RRSIG logic simplification
Matthijs Mekking <matthijs@pletterpet.nl> Wed, 04 April 2018 10:47 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 356DB127137 for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 03:47:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q6hysru336jA for <dnsop@ietfa.amsl.com>; Wed, 4 Apr 2018 03:47:06 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08EAD12711E for <dnsop@ietf.org>; Wed, 4 Apr 2018 03:47:05 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w34AhUFd013001 for <dnsop@ietf.org>; Wed, 4 Apr 2018 10:47:05 GMT
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2130.oracle.com with ESMTP id 2h4w7180cv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org>; Wed, 04 Apr 2018 10:47:05 +0000
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w34Al4Lp027230 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org>; Wed, 4 Apr 2018 10:47:04 GMT
Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w34Al4hi023294 for <dnsop@ietf.org>; Wed, 4 Apr 2018 10:47:04 GMT
Received: from [172.19.129.14] (/216.146.45.33) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 04 Apr 2018 03:47:04 -0700
To: dnsop@ietf.org
References: <20180329184513.GF62218@registro.br> <c62db666-fc1b-8ef8-8fbb-42443e1b69a0@pletterpet.nl> <20180404013246.GE10662@registro.br> <6000B001-F8B5-4BD0-B3FD-42806BDA335A@hopcount.ca>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <35cfcc35-c00c-d078-4129-a1c0b9609954@pletterpet.nl>
Date: Wed, 04 Apr 2018 12:47:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <6000B001-F8B5-4BD0-B3FD-42806BDA335A@hopcount.ca>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8852 signatures=668697
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804040107
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T68aFUBoz4yEhhfkCdr90u4kfZw>
Subject: Re: [DNSOP] mixfr - issue #10 - Client RRSIG logic simplification
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 10:47:08 -0000
Joe, Thanks for sharing your concerns. On 04-04-18 05:31, Joe Abley wrote: > On Apr 3, 2018, at 21:32, Frederico A C Neves <fneves@registro.br> > wrote: > >>> On Tue, Apr 03, 2018 at 02:37:12PM +0200, Matthijs Mekking >>> wrote: Hi Frederico, >>> >>>> On 03/29/2018 08:45 PM, Frederico A C Neves wrote: I was >>>> looking at our server to evaluate the MIXFR implementation and >>>> it seams to me that the current text covering dnssec aware >>>> client logic don't take in account that a posterior record at >>>> the addition section, by an MIXFR DNSSEC aware server, will >>>> implicitly replace the RRSIG RRset. >>> >>> I am unclear what case you are covering. >> >> Any situation that you have an updated RRset. It is implicit that >> you'll have to update the signature, so I was arguing that this is >> afterward covered by 3.6 Replace a RRset. My "simplified" logic >> take this in account to don't impose this extra logic at the client >> for updated RRsets, only for removed RRsets, explicit or when a >> removal of RR causes it. > > I have not been reading this thread in depth and so I have not > commented up until now. But I sense that there is a proposed shift of > responsibility for coherency in the contents of a zone, specifically > with resapect to DNSSEC. Quite possibly I am wrong, in which case I > will enjoy being told as much. I am happy to entertain you by telling that there is no shift in responsibility for coherency in the contents of a zone. We are merely trying to come up with a more sophisticated syntax such that the primary has to use less bytes to achieve zone consistency. > If I am a zone administrator, responsible for the self-consistent > contents of my zone, and I make a mistake, the behaviour today (with > zones distributed by AXFR, IXFR, rsync, ftp, avian carrier) is that a > DNS zone is a DNS zone and the RRSets contained within are simply > that, no appreciation, understanding or accommodation of DNSSEC > required. I see your argument. On the other hand, if you make a mistake with DNSSEC you are in trouble anyway. > The line of thinking inherent in the lowest quoted paragraph above > suggests that distribution of sets of RRSets (together forming a > zone) must with this new transfer mechanism be completed with > semantic appreciation for the relationship between non-RRSIG-type > RRSets and the corresponding RRSIG-type RRSets that accompany them in > a signed zone. This worries me. > > The protocol requirements for DNSSEC as described in RFC 4035 are > non-trivial to implement already (cf. the treatment of RRSets in a > response with their accompanying RRSIG RRSets as an atomic unit in > the cache, to be expired together regardless of differences in TTL) > and I don't think we want to extend them without good reason. Note that this does not affect resolvers and caches: zone transfers are between authoritative name servers only. I am determined to back the specification with an implementation, especially after the camel is our new favorite animal, so hopefully that will take away your concerns regarding implementation complexity. > If we expect MIXFR (or whatever it is eventually called) to behave > differently in this respect to AXFR, IXFR or any number of > out-of-band transfer mechanisms, we should have a good reason for it. > I don't know that I see one, yet. It is zone transfer size. It can be quite large with DNSSEC (zone re-sign, NSEC3 resalt). To quote someone: Reducing the amount of data, is the only way to keep up with our current and future workloads. Best regards, Matthijs > > > Joe _______________________________________________ DNSOP mailing > list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] mixfr - issue #10 - Client RRSIG logic si… Frederico A C Neves
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Mark Andrews
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Frederico A C Neves
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Joe Abley
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Mark Andrews
- Re: [DNSOP] mixfr - issue #10 - Client RRSIG logi… Matthijs Mekking