Re: [DNSOP] Request for Adoption (draft-moura-dnsop-authoritative-recommendations)

Töma Gavrichenkov <> Wed, 28 November 2018 19:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E0CFA130FD1 for <>; Wed, 28 Nov 2018 11:59:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Hzy49WNgEx8T for <>; Wed, 28 Nov 2018 11:59:14 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::c31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 074B61277D2 for <>; Wed, 28 Nov 2018 11:59:14 -0800 (PST)
Received: by with SMTP id t13so11225330ywe.13 for <>; Wed, 28 Nov 2018 11:59:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=6OE7bdERAcAL+ZRmOdUoixj5WDjnNz/AiGs3xJ13Nj4=; b=jXHE5gkZBLCAyf9nFSjaihnwRjDtzgV9D3cZC/mFeOyaJIevt8j6NneJENYgFyIDRq qspADl5DhR6rFtlscmKjdRq5VNrxS9NLu2Dh6oerW61mGN2nRSa9u/WOlsIZAFjyuQW1 F/zs8Ww2QoOOHxu2KqsYKdPybkAM71dq34CKn+QLuOg8F9LEJSUhTLEP8gmI+0b0sSY+ RGrYUoW6hryNMIgNKB38NsJwoQlQwcw2S0q87bsNHP6VOqDetIVlqHaiJ5dJIZ2lsJh1 tjBwMuQKRh8981CunFxHTCbaVY9cxXPLc/2/PMi7PgX6Q8E3UA2K3f8qzDz3WvtWnWY+ PJAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=6OE7bdERAcAL+ZRmOdUoixj5WDjnNz/AiGs3xJ13Nj4=; b=fc4XpPE/2YudMPYXQWm1R3xS9/Gudd/92tamnVNFaqPJdbBL5SO4TZLlcWzfAsSthd mF8RNY6Hl4Fq0shKxA8RKfaa7VB6sYPPGF9u74dEEfJjUTak/E8nB++TsnR5+wUW/ozc K36KgbhvqidkxsEdezt01KRNeqhBr5yKlR/E8AqV/oyLTWRWpGeFPYHPR3umlJeN+HuZ ccIAhDs/5Sj0JuwXDkxKQFnI+ksHLqsdBSZ2LUazRjjZwg5RKvCLk97t7V6M4LI2rmV3 cZMbL3Od7OWCWo4stXnF6gs02M8zaAJIUeiCC4LMXtLwO6otaDiPdIGVMm0Oje0K6RgL PmRg==
X-Gm-Message-State: AGRZ1gLlLIRpELFy3lDaJCVh27Ha5inv1rhn2pX0dYChKRrvnWLlZirk Iu3kVLDIKc36nn+xPf/osT1cVjO9v+YA7HrgVS9cyxPi
X-Google-Smtp-Source: AJdET5eAtkUGzmH/7rTwUlVU2LVz6qEakbH90o58fb+RpKnrvWFUe9mYFjqpF1eazLha8QZ7YJoVg5BjfwV61z9wXrY=
X-Received: by 2002:a0d:d84c:: with SMTP id a73mr40230689ywe.184.1543435153028; Wed, 28 Nov 2018 11:59:13 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: =?UTF-8?Q?T=C3=B6ma_Gavrichenkov?= <>
Date: Wed, 28 Nov 2018 22:59:01 +0300
Message-ID: <>
Cc: dnsop <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [DNSOP] Request for Adoption (draft-moura-dnsop-authoritative-recommendations)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Nov 2018 19:59:16 -0000

Hello Giovane,

On Wed, Nov 28, 2018 at 12:56 PM Giovane Moura <>; wrote:
> This is an informational draft that presents recommendations for
> authoritative DNS operators, based on research works we have been
> conducting over the last few years.

Thank you for sharing this!

A few suggestions:

> 5. R4 [..]
>  -  It can withdraw or pre-prepend its route to some or to all of its
>      neighbors, shrinking its catchment (the number of clients that BGP
>      maps to it), shifting both legitimate and attack traffic to other
>      anycast sites.  The other sites will hopefully have greater
>      capacity and be able to service the queries.

Not necessarily so.
First, one can (may?) use BGP communities to limit the route
announcement propagation, thus making the distribution between sites
more even.
Second, Flowspec/DOTS/selective BH/et cetera.

> 6. R5 [..]

Shouldn't we wait before the faith of draft-ietf-dnsop-serve-stale is
determined? The outcome of this one may be then heavily influenced.

Anyway, it's not quite clear what this section suggests. Should I set
the TTL to 10s? What are the consequences of that? How's that related
to my threat model?

> 2: R1 [..]
(yes, out of order)

Well, *one* (and there may be more) of the reasons to maintain
authoritative servers with uneven latency distribution may be to have
a) some fast servers you can afford to get brought down by a DDoS
attack, b) a "lightning rod" — a purposefully degraded absorber,
mentioned in (5).

> 2: R1 [..]
> But the distribution of queries tend to be skewed towards authoritatives with lower

There's a reason for that that you may want to mention, namely, smoothed RTT.

| Töma Gavrichenkov
| gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
| mailto:
| fb: ximaera
| telegram: xima_era
| skype: xima_era
| tel. no: +7 916 515 49 58