Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
"Paul Hoffman" <paul.hoffman@vpnc.org> Thu, 11 August 2016 00:39 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 384AD12D67E for <dnsop@ietfa.amsl.com>; Wed, 10 Aug 2016 17:39:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Dfy2c12Nod2 for <dnsop@ietfa.amsl.com>; Wed, 10 Aug 2016 17:39:49 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68A6612B038 for <dnsop@ietf.org>; Wed, 10 Aug 2016 17:39:49 -0700 (PDT)
Received: from [10.32.60.150] (50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u7B0dkAQ005475 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 10 Aug 2016 17:39:48 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193] claimed to be [10.32.60.150]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Shane Kerr <shane@time-travellers.org>
Date: Wed, 10 Aug 2016 17:38:25 -0700
Message-ID: <B0ED30A0-707B-4E07-88F3-37385CC684C4@vpnc.org>
In-Reply-To: <20160805114511.3ab76c8e@pallas.home.time-travellers.org>
References: <f8c62b82-258c-2b2b-5186-c3cd8e7d7448@gmail.com> <20160805114511.3ab76c8e@pallas.home.time-travellers.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XHaptYdxfZ92Fd9InN1-VtypVgU>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2016 00:39:51 -0000
On 5 Aug 2016, at 2:45, Shane Kerr wrote: > All, > > At 2016-08-04 20:03:35 -0400 > Tim Wicinski <tjw.ietf@gmail.com> wrote: > >> Remember the Resolver Priming draft? This thing has been kicking >> around >> for a good solid 5 years. It stalled for a few years waiting for the >> busy authors perform some updates. >> Then Paul Hoffman took the reins and has done a great job getting >> this >> ready for publication. > > w00t > > I like this document, and am happy that it is moving again. :) > >> This starts a Working Group Last Call for >> draft-ietf-dnsop-resolver-priming >> >> Current versions of the draft is available here: >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-priming/ >> >> Please review the draft and offer relevant comments. Also, if someone >> feels the document is *not* ready for publication, please speak out >> with >> your reasons. > > I have two minor comments, which may not require any changes. > > > First, we have: > > "If a priming query does not get a response within 2 seconds, the > recursive resolver SHOULD retry with a different target address from > the configuration." > > The "2 seconds" seems a bit arbitrary. Yep. But... > I'm not sure why any > recommendations need to be made at all. The document already says that > these are basically normal DNS queries elsewhere - surely that is > enough? The queries are normal, but the reliance on them is not. Without priming, nothing can be answered, so that makes them kinda special. > (And maybe if we do want to recommend a retry then we need to be clear > that if an answer comes from an earlier query that the resolver may > accept it?) That would be a radical shift. Instead, how about "If a priming query does not get a response within a short period (for example, 2 seconds), ..."? > Second, a possible additional security consideration is that a priming > query typically signals a resolver starting with an empty cache > (although not always - the Knot resolver has a persistent cache, for > example). This may be an especially vulnerable time for a resolver for > cache poisoning. I don't know what can be done to mitigate this though > aside from requiring TCP or DNS cookies for a time after startup, so > perhaps this can be left out. Priming queries happen both when there is an empty cache and at timeout of the root records. Unless we know for sure what the ratio between those two are, I'm hesitant to put anything in the document saying that it is "common". --Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Tim Wicinski
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… 神明達哉
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Marek Vavruša
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Warren Kumari
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Andreas Gustafsson
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Bob Harold
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Shane Kerr
- [DNSOP] Working Group Last Call draft-ietf-dnsop… Tim Wicinski
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Edward Lewis
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Stephane Bortzmeyer