Re: [DNSOP] Measuring DNS TTL Violations in the wild
神明達哉 <jinmei@wide.ad.jp> Tue, 05 December 2017 21:09 UTC
To: Mukund Sivaraman <muks@isc.org>
Cc: Ólafur Guðmundsson <olafur@cloudflare.com>, dnsop <DNSOP@ietf.org>, "Wessels, Duane" <dwessels@verisign.com>, "Giovane C. M. Moura" <giovane.moura@sidn.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Z5-DFqm_8rUJ4XT8QZ7ss8QpuXc>
At Sat, 2 Dec 2017 20:09:25 +0530,
Mukund Sivaraman <muks@isc.org> wrote:
> > Strictly speaking yes, it is the same as when a Secondary does not update
> > the zone for a long time.
>
> An authoritative server operator knows what the consequence of setting
> SOA RDATA fields is. It isn't the same as a cache extending TTL as it
> sees fit, in spite of the loose coherency among primary and secondaries.
>
> I don't agree a downstream cache has authoritative say about extending
> TTLs (except exceptional circumstances where the authority is
> unreachable ~serve-stale).
+1. I'd accept some level of liberty that an implementation can take,
such as ISC BIND 9 extending a 0-TTL of glue to 1 second:
    /*
     * Glue with 0 TTL causes problems. We force the TTL to
     * 1 second to prevent this.
     */
    if (rdataset->ttl == 0)
        rdataset->ttl = 1;
but it should be limited to a quite small range. How much is
acceptable may be debatable, but I wouldn't consider "Stretching TTL
from 1 Hour [...] for 10% or 10 minutes" to be acceptable at the
discretion of an implementation.
--
JINMEI, Tatuya
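Added illustration, not BIND code and not part of this thread: a small C model of the two behaviours under discussion, the narrow BIND-style clamp of 0-TTL glue to 1 second at insertion versus a cache that otherwise counts the authoritative TTL down, plus the probe-side check a measurement study can apply to a resolver's answers to tell a stretched or stale answer from a coherent one. `cache_insert`, `cache_serve_ttl` and `classify_observed` are hypothetical names; times are seconds and assumed to move forward.

```c
#include <stdbool.h>
#include <stdint.h>

/* One cached RRset: the TTL it was stored with and when (seconds). */
struct cache_entry {
    uint32_t ttl;
    uint64_t inserted_at;
};

/* Insertion mirroring the BIND 9 snippet quoted above: 0-TTL glue becomes 1s,
 * every other TTL is stored exactly as the authority sent it. (Hypothetical helper.) */
static struct cache_entry cache_insert(uint32_t auth_ttl, bool is_glue, uint64_t now)
{
    struct cache_entry e = { auth_ttl, now };
    if (is_glue && e.ttl == 0)
        e.ttl = 1;
    return e;
}

/* TTL a coherent cache puts in an answer served at `now`, or -1 once the
 * entry has expired and must be refetched (serve-stale is not modelled). */
static int64_t cache_serve_ttl(struct cache_entry e, uint64_t now)
{
    uint64_t age = now - e.inserted_at;
    return age >= e.ttl ? -1 : (int64_t)(e.ttl - age);
}

/* Probe side: a measurement that saw TTL `first_ttl` at time `first_seen`
 * knows the record must expire at first_seen + first_ttl. A later answer
 * carrying more TTL than is left has been stretched; an answer at or after
 * expiry that still returns the record is stale. */
enum ttl_verdict { TTL_OK, TTL_STRETCHED, TTL_STALE };

static enum ttl_verdict classify_observed(uint32_t first_ttl, uint64_t first_seen,
                                          uint64_t now, uint32_t observed_ttl)
{
    uint64_t age = now - first_seen;
    if (age >= first_ttl)
        return TTL_STALE;
    if (observed_ttl > first_ttl - age)
        return TTL_STRETCHED;
    return TTL_OK;
}
```

With a constructed 1-hour record probed again 10 minutes later, a coherent cache answers 3000 and a resolver that stretched the TTL by 10 minutes answers 3600, which `classify_observed` flags as stretched.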