Re: [DNSOP] Perl related question on BULK RR

Stephane Bortzmeyer <bortzmeyer@nic.fr> Tue, 28 March 2017 16:19 UTC

Date: Tue, 28 Mar 2017 11:16:30 -0500
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tony Finch <dot@dotat.at>
Cc: "Woodworth, John R" <John.Woodworth@CenturyLink.com>, "'dnsop@ietf.org'" <dnsop@ietf.org>
Message-ID: <20170328161630.GB24741@laperouse.bortzmeyer.org>
References: <A05B583C828C614EBAD1DA920D92866BD0716932@PODCWMBXEX501.ctl.intranet> <alpine.DEB.2.11.1703281107300.13590@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.11.1703281107300.13590@grey.csi.cam.ac.uk>
X-Transport: UUCP rules
X-Operating-System: Ubuntu 16.04 (xenial)
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VR9tU1IF-qmH_pnhOfBX6qfiyqo>

On Tue, Mar 28, 2017 at 11:19:10AM +0100,
 Tony Finch <dot@dotat.at> wrote 
 a message of 33 lines which said:

> So my question is, how does the BULK rewriting system interact with DNS
> loops? Is there a CPU-eating tarpit in there?

Also, I find that the Security Considerations section of
draft-woodworth-bulk-rr-05.txt is empty about the risk for
authoritative secondary servers. Once you enable BULK, you are at the
mercy of your master. (My registrar provides free secondary DNS
service. Their server hosts thousands of zones they do not manage or
control. I don't think they would be happy to enable BULK.)

Advice:

* a sub-section of Security Considerations section about this risk,

* suggestions that there SHOULD be a way to disable BULK processing
(or maybe the opposite: make it off by default).
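As an added illustration (not code from the draft, from this thread, or from any nameserver implementation), here is a toy secondary-side loader that applies the two points raised above: BULK processing is off per zone unless the operator opts in, rules the master sends are refused if they do not compile, and in-zone CNAME chasing is bounded so a synthesized loop cannot become a CPU-eating tarpit. The rule syntax `<rtype> <owner-regex> <rdata-template>` is a stand-in I made up for this example; it is not the draft's presentation format, and the zone data below is constructed.

```python
"""Toy secondary zone with a per-zone BULK gate and bounded synthesis (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, simplified rule syntax: "<rtype> <owner-regex> <rdata-template>".
# This is an assumption made for the example; it is NOT the draft's BULK format.
BULK_RDATA_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class BulkRule:
    rtype: str
    owner: re.Pattern
    template: str  # re.Match.expand() template using \1, \2 ... backreferences


@dataclass
class ZonePolicy:
    """Secondary-side knobs. BULK is off unless the operator opts in for this zone."""
    bulk_enabled: bool = False
    max_chain_depth: int = 4     # bound on synthesized CNAME chains (loop/tarpit guard)
    max_pattern_len: int = 64    # crude guard against oversized master-supplied regexes


class SecondaryZone:
    def __init__(self, origin: str, policy: Optional[ZonePolicy] = None) -> None:
        self.origin = origin
        self.policy = policy or ZonePolicy()
        self.static: Dict[Tuple[str, str], List[str]] = {}
        self.rules: List[BulkRule] = []
        self.rejected_bulk: List[str] = []   # audit trail of what we refused from the master

    def load(self, name: str, rtype: str, rdata: str) -> bool:
        """Load one RR from a zone-transfer stream. Returns True if it was installed."""
        if rtype != "BULK":
            self.static.setdefault((name, rtype), []).append(rdata)
            return True
        if not self.policy.bulk_enabled:
            self.rejected_bulk.append(f"{name} BULK {rdata} (bulk disabled for zone)")
            return False
        m = BULK_RDATA_RE.match(rdata)
        if not m or len(m.group(2)) > self.policy.max_pattern_len:
            self.rejected_bulk.append(f"{name} BULK {rdata} (malformed or oversized)")
            return False
        try:
            pattern = re.compile(m.group(2))
        except re.error as exc:
            self.rejected_bulk.append(f"{name} BULK {rdata} (bad regex: {exc})")
            return False
        self.rules.append(BulkRule(m.group(1), pattern, m.group(3)))
        return True

    def lookup(self, name: str, rtype: str) -> List[str]:
        """Static data wins; otherwise the first matching BULK rule synthesizes one RR."""
        if (name, rtype) in self.static:
            return list(self.static[(name, rtype)])
        for rule in self.rules:
            if rule.rtype != rtype:
                continue
            m = rule.owner.fullmatch(name)
            if m:
                return [m.expand(rule.template)]
        return []

    def resolve(self, name: str, rtype: str) -> Tuple[List[str], str]:
        """Answer with in-zone CNAME chasing, bounded so a synthesized loop cannot spin."""
        chain: List[str] = []
        cur = name
        for _ in range(self.policy.max_chain_depth + 1):
            answers = self.lookup(cur, rtype)
            if answers:
                return answers, "ok"
            cnames = self.lookup(cur, "CNAME")
            if not cnames:
                return [], "nxdomain"   # simplification: NODATA is not distinguished
            chain.append(cur)
            cur = cnames[0]
            if cur in chain:
                return [], "loop"       # synthesized cycle detected, stop immediately
        return [], "depth-exceeded"     # ever-growing chain cut off by the depth bound
```

With the default policy the BULK record from the master is simply logged and dropped, which is the "off by default" behaviour the message asks for; with `bulk_enabled=True` the `ping`/`pong` pair is caught as a loop and the self-extending `x...deep` rule is cut off by `max_chain_depth`, so neither can hold a worker thread indefinitely.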