Re: [DNSOP] Generalized DNS Notifications (draft-thomassen-dnsop-generalized-dns-notify-00)
Ólafur Guðmundsson <olafur@cloudflare.com> Tue, 29 November 2022 15:31 UTC
Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 629FCC14F749 for <dnsop@ietfa.amsl.com>; Tue, 29 Nov 2022 07:31:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C79xoWyOumXl for <dnsop@ietfa.amsl.com>; Tue, 29 Nov 2022 07:31:08 -0800 (PST)
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2D02C14F745 for <dnsop@ietf.org>; Tue, 29 Nov 2022 07:31:08 -0800 (PST)
Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-3cbdd6c00adso48614887b3.11 for <dnsop@ietf.org>; Tue, 29 Nov 2022 07:31:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oJJtoisrg5gEil6YUx7iufOIbV4gDx9iz5GbSDZyIMM=; b=kHd5vcfsmYvg0rfI0ystKtWbBuLa/AiDTAyHgkcb0j+mxIRlVb2BzU5m3AzvgCRVvi aaUZ/xiVE9PjuPY31NQWiJJzV4XNrbNvd4do4t6gs445me01ojB03wIO/yuLPqLnQKFA dBeClytNSQrAzXAg836OURHoDuhcVS5qvh2hs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oJJtoisrg5gEil6YUx7iufOIbV4gDx9iz5GbSDZyIMM=; b=Ia44KVugvxLjQAVg91hbqADRbPeRAwiDzVb3iJSrAYGbbapvzL50y/xTzseAFRr8Of t8pCxt+Af7y0UsPf6vE+/4wE1kSTAxVRgw5cjeeXSEg2ZHnPIwzXo2kaTHg1NeUqS9Ft ZoYvIhQ7jHzbRwWYp8fQAA367jyWrzteEZDg3RlHOFucy+ho7jbUjWx6VJ6ujRuRFfR8 rCSKVzHO3JTAOfZbN/AER2X0YPOxQ4IYlzzg6wIjoVXxAg5gxX7G9giyAe7PmaJkN0Np bO7MuCZN/btQkBPEKOAGpemthjW6BGoQVcV3XwZ3lyxAd3UnobnyZXiZv2vCFxnV9WHM CzrA==
X-Gm-Message-State: ANoB5pm+NggIDMbaS+LhTnrgjFucpE5NV37ROYZhlPoHcB4I01QJZ4/b zRKpavW1t3811TiRB2RC1cMPbm4KZRFa+LZQeZOE804rh7Q=
X-Google-Smtp-Source: AA0mqf7y4d1G0JeaWAzaQ3SIYfxhny6aEYXif1oULrmak1JVpdR62ta2SlhcJ+h/XYqNROObiEr3gMBq8HjQr8jwKf0=
X-Received: by 2002:a81:6584:0:b0:35c:485d:4966 with SMTP id z126-20020a816584000000b0035c485d4966mr39990983ywb.494.1669735867377; Tue, 29 Nov 2022 07:31:07 -0800 (PST)
MIME-Version: 1.0
References: <166966981068.40317.3186361571558270235@ietfa.amsl.com> <ffbace50-a8e4-d16b-107a-29f72b7414be@desec.io>
In-Reply-To: <ffbace50-a8e4-d16b-107a-29f72b7414be@desec.io>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Tue, 29 Nov 2022 10:30:56 -0500
Message-ID: <CAN6NTqwJCoj-6zWSJx0h1DT_H_m2DW4nbWFG3u9nivuaefAM+g@mail.gmail.com>
To: Peter Thomassen <peter@desec.io>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Johan Stenstam <johan.stenstam@internetstiftelsen.se>
Content-Type: multipart/alternative; boundary="0000000000003ee86405ee9dadb5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XD6HDiUz4mR1Fn0Mjh9LcHgAnWc>
Subject: Re: [DNSOP] Generalized DNS Notifications (draft-thomassen-dnsop-generalized-dns-notify-00)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2022 15:31:12 -0000
Peter, I like the concept a lot and this is a good natural evolution, My comments/issues #1 this should cover normal notify as well as there is no reason parent should have to be updates every time an external DNS provider changes its distribution "top" #2 I would love the examples to use a different port than 53 as there is no need for the notifies to go to that overloaded port #3 As of new type vs SRV the argument against new type at apex is always size of ANY, which I do not buy but I like new types :-) #4 It should be clear that there is no need to run a "nameserver code" as the target of the NOTIFY messages, similarly there is no real reason why the issuer of the Notify is a "nameserver code" i.e. both of ends are front/back ends of provision systems Olafur On Tue, Nov 29, 2022 at 7:37 AM Peter Thomassen <peter@desec.io> wrote: > Dear DNSOP, > > Changes in CDS/CDNSKEY, CSYNC, and other records related to delegation > maintenance are usually detected through scheduled scans run by the > consuming party (e.g. top-level domain registry), incurring an > uncomfortable trade-off between scanning cost and update latency. > > A similar problem exists when scheduling zone transfers, where it has been > solved using the well-known DNS NOTIFY mechanism ([RFC1996]) which enables > primaries to nudge secondaries when there's a zone update, allowing the > latter to initiate an out-of-order zone transfer and reset the serial check > timer. > > At the IETF a few weeks back, Johan and I felt a sudden enlightenment when > it occurred to us that the same approach could be used to reduce scanning > cost for CDS/CSYNC scans and the like, while maintaining low update > latency. In fact, the NOTIFY spec already does allow sending NOTIFY message > of other types. So, we not use that for hinting beyond SOA? > > We wrote up a draft, and if you'd like to read how one could make this > work, feel free to take a look: > --> > https://datatracker.ietf.org/doc/draft-thomassen-dnsop-generalized-dns-notify/ > > There is also an application in multi-signer setups, where Viktor had > brought up the problem of ZSK rollovers by one signer, and how the others > would know about that. That's not as well fleshed-out yet, but we figured > it shouldn't keep us from circulating the initial idea. > > Best, > Peter > > > -------- Forwarded Message -------- > Subject: New Version Notification for > draft-thomassen-dnsop-generalized-dns-notify-00.txt > Date: Mon, 28 Nov 2022 13:10:10 -0800 > From: internet-drafts@ietf.org > To: Johan Stenstam <johan.stenstam@internetstiftelsen.se>, Peter > Thomassen <peter@desec.io> > > > A new version of I-D, draft-thomassen-dnsop-generalized-dns-notify-00.txt > has been successfully submitted by Peter Thomassen and posted to the > IETF repository. > > Name: draft-thomassen-dnsop-generalized-dns-notify > Revision: 00 > Title: Generalized DNS Notifications > Document date: 2022-11-28 > Group: Individual Submission > Pages: 13 > URL: > https://www.ietf.org/archive/id/draft-thomassen-dnsop-generalized-dns-notify-00.txt > Status: > https://datatracker.ietf.org/doc/draft-thomassen-dnsop-generalized-dns-notify/ > Html: > https://www.ietf.org/archive/id/draft-thomassen-dnsop-generalized-dns-notify-00.html > Htmlized: > https://datatracker.ietf.org/doc/html/draft-thomassen-dnsop-generalized-dns-notify > > > Abstract: > Changes in CDS/CDNSKEY, CSYNC, and other records related to > delegation maintenance are usually detected through scheduled scans > run by the consuming party (e.g. top-level domain registry), > incurring an uncomfortable trade-off between scanning cost and update > latency. > > A similar problem exists when scheduling zone transfers, and has been > solved using the well-known DNS NOTIFY mechanism ([RFC1996]). This > mechanism enables a primary nameserver to proactively inform > secondaries about zone changes, allowing the secondary to initiate an > ad-hoc transfer independently of when the next SOA check would be > due. > > This document extends the use of DNS NOTIFY beyond conventional zone > transfer hints, bringing the benefits of ad-hoc notifications to DNS > delegation maintenance in general. Use cases include DNSSEC key > rollovers hints via NOTIFY(CDS) and NOTIFY(DNSKEY), and quicker > changes to a delegation's NS record set via NOTIFY(CSYNC). > > TO BE REMOVED: This document is being collaborated on in Github at: > https://github.com/peterthomassen/draft-thomassen-dnsop-generalized- > dns-notify (https://github.com/peterthomassen/draft-thomassen-dnsop- > generalized-dns-notify). The most recent working version of the > document, open issues, etc. should all be available there. The > authors (gratefully) accept pull requests. > > > > > The IETF Secretariat > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Generalized DNS Notifications (draft-thom… Peter Thomassen
- Re: [DNSOP] Generalized DNS Notifications (draft-… Joe Abley
- Re: [DNSOP] Generalized DNS Notifications (draft-… Paul Wouters
- Re: [DNSOP] Generalized DNS Notifications (draft-… Joe Abley
- Re: [DNSOP] Generalized DNS Notifications (draft-… Ólafur Guðmundsson
- Re: [DNSOP] Generalized DNS Notifications (draft-… Mark Andrews
- Re: [DNSOP] Generalized DNS Notifications (draft-… Mark Andrews
- Re: [DNSOP] Generalized DNS Notifications (draft-… Joe Abley
- Re: [DNSOP] Generalized DNS Notifications (draft-… Johan Stenstam
- Re: [DNSOP] Generalized DNS Notifications (draft-… Shreyas Zare
- Re: [DNSOP] Generalized DNS Notifications (draft-… George Michaelson