[DNSOP] Comment on Ranking data

Kazunori Fujiwara <fujiwara@jprs.co.jp> Fri, 05 April 2024 07:28 UTC

Date: Fri, 05 Apr 2024 16:28:47 +0900
Message-Id: <20240405.162847.2106826176991704565.fujiwara@jprs.co.jp>
To: dnsop@ietf.org
From: Kazunori Fujiwara <fujiwara@jprs.co.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/W9aoC6prqh1fxRRfFrrij79-7rU>
Subject: [DNSOP] Comment on Ranking data

dnsop WG,

RFC 2181 Section 5.4.1 Ranking data should be obsoleted.
The "Ranking data" draft (draft-toorop-dnsop-ranking-dns-data-00)
defines each data's ranking and importance.
However, some of the data should be discarded depending on the use cases.

We have four DNS functions: Authoritative, Recursive Resolver, Forwarder, Stub.

Some implementations have multiple functions.  For example, some
recursive resolvers have "split-horizon" and "local zones" functions.

Both "split-horizon" and "local zones" can be treated as a function
where descendants of a specified domain name behave as an authoritative
server rather than a recursive server.

Authoritative (only) servers:

  Authoritative-only servers SHOULD answer zone data from a
  single source (for example, zone file, zone transfer, other database),
  so rankings SHOULD not be used to replace data.

  "BBB: Occluded data" SHOULD be discarded.
        (at least when responding to queries)

Recursive (only) resolvers:

  They don't have "AAA: zone file" / "AA: Data from a zone transfer".

  "CCC: Names and addresses for the root servers from a hints file"
   or "CC: built into resolver software" SHOULD be used for the priming only.

  The data that can be returned to the stub resolver as a name
  resolution result is "A: The authoritative data included in the answer
  section of an authoritative reply" only.

  "A-: Data from the authority section of an authoritative answer."
     An NXDOMAIN response contains a SOA RR in the authority section.
     Some authoritative servers add an NS RRSet in the authority section.
     I want to discard the NS RR set.
     If you want it, send NS queries (as described in the ns-revalidation draft).

  "BB: Data from the answer section of a non-authoritative answer"
      discard it.

  "BB: non-authoritative data from the answer section of authoritative answers"
      discard it.

  "B: Additional information from an authoritative answer"
      If those data correspond to type MX, HTTPS/SVCB, or SRV responses,
      resolvers can decide based on local policy.

  "B: Data from the authority section of a non-authoritative answer,
      Additional information from non-authoritative answers."
      This is a referral response.

    A non-authoritative response from a server with administrative
    authority for a certain name that has an NS RRSet in the authority
    section and glue data in the additional section is a delegated
    response, and is used only for name resolution and not for
    responding to stub resolvers.
    The rank of the referral response is "A", I think.

  Any other response may be an attack and should be discarded.

  "AAA: all data that is verifiable DNSSEC secure regardless of where it came from"
    I don't like this rank.
    I like to use DNSSEC validation to decide
      whether to use "Additional information",
    but I don't like to blindly trust data
      that has been successfully validated.

  I believe many recursive resolver implementations have already
  discarded unnecessary responses.

Stub resolvers: accept all responses from the recursive resolver.

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
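An added example, not part of the message above, the draft, or any resolver implementation: it encodes the recursive-resolver acceptance rules proposed in the message as a per-record policy check, so the "keep / use internally / discard" outcome for each section of a response can be tested against constructed responses. The RR and Response structures and the in-bailiwick test are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    section: str            # "answer", "authority" or "additional"

@dataclass
class Response:
    qtype: str
    aa: bool                # AA bit set by the responding server
    records: tuple

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a descendant of it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def is_referral(resp: Response, zone: str) -> bool:
    """Non-authoritative, empty answer section, NS RRset in authority under zone."""
    ns = [r for r in resp.records if r.section == "authority" and r.rtype == "NS"]
    return (not resp.aa and not any(r.section == "answer" for r in resp.records)
            and bool(ns) and all(in_bailiwick(r.name, zone) for r in ns))

def classify(resp: Response, zone: str) -> dict:
    """Map each RR to 'answer' (may be returned to a stub), 'internal' (used only
    to continue resolution or for negative caching) or 'discard'."""
    referral = is_referral(resp, zone)
    out = {}
    for r in resp.records:
        ok = in_bailiwick(r.name, zone)
        if resp.aa and r.section == "answer":
            # rank A: in-zone answer data; out-of-zone records in an AA answer are "BB"
            out[r] = "answer" if ok else "discard"
        elif resp.aa and r.section == "authority":
            # rank A-: keep the SOA of a negative answer, drop the NS RRset (re-query it)
            out[r] = "internal" if ok and r.rtype == "SOA" else "discard"
        elif resp.aa and r.section == "additional":
            # rank B: local policy, here only in-zone addresses attached to MX/SRV/SVCB/HTTPS
            addr = resp.qtype in ("MX", "SRV", "SVCB", "HTTPS") and r.rtype in ("A", "AAAA")
            out[r] = "answer" if ok and addr else "discard"
        elif referral and r.section in ("authority", "additional"):
            # delegation: NS RRset plus in-zone glue drive the next query, never a stub reply
            out[r] = "internal" if ok else "discard"
        else:
            # rank BB (non-AA answer data) and anything unexpected: discard
            out[r] = "discard"
    return out
```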