Re: [DNSOP] draft-tale-dnsop-serve-stale

Paul Vixie <> Wed, 29 March 2017 19:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E8742129541 for <>; Wed, 29 Mar 2017 12:10:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2yI5ZBsQnO5j for <>; Wed, 29 Mar 2017 12:10:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 66E44129510 for <>; Wed, 29 Mar 2017 12:10:31 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 4827E61F9C; Wed, 29 Mar 2017 19:10:29 +0000 (UTC)
Message-ID: <>
Date: Wed, 29 Mar 2017 12:10:28 -0700
From: Paul Vixie <>
User-Agent: Postbox 5.0.12 (Windows/20170323)
MIME-Version: 1.0
To: Shumon Huque <>
CC: Warren Kumari <>, dnsop <>, Pieter Lexis <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] draft-tale-dnsop-serve-stale
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Mar 2017 19:10:33 -0000

Shumon Huque wrote:
> On Tue, Mar 28, 2017 at 12:20 PM, Paul Vixie <
>     ...
>     speaking of resimprove, i hope you'll include in this draft the idea of
>     using delegation-TTL as a delegation-recheck interval, and using an
>     authoritative NXDOMAIN from the delegator as proof that you need to run
>     an "rm -rf" in your cache.
>     i bring this up because we need to be able to kill more cached data
>     faster-- the opposite of stretchiness-- for abuse control reasons. if
>     you're going to soften the signaling for cache expiration, you really
>     ought to balance that out with this simple method of also hardening it.
> Perhaps you've forgotten (since you participated in the discussions), but
> the portion of resimprove that dealt with expunging cached data below the
> NXDOMAIN boundary was rescued, expanded on, and published as
> RFC 8020 ("NXDOMAIN: There Really is Nothing Underneath") late last
> year.

yes, i know that RFC 8020 includes both the idea of stopping downward
searches when a cached NXD is encountered, and the idea of pruning (like
"rm -rf" in UNIX) existing cache entries when an NXD is received. those
changes, in addition to QM, will do much to pacify the DNS data model.

however, it's equally vital for malicious DNS content takedown, that the
part about remembering the delegation NS TTL and using it to
periodically revalidate the existence of that delegation, also be
brought forward. this becomes even more vital if we're making TTL
stretchy, and i would be happy to see tale's document cover this topic.

in other words, the prune-and-stop on NXD must be given a new source of
NXD, which is delegation revalidation. i'd love it if delegations all
had a one hour or less TTL, at least for public suffixes.

P Vixie