IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-05.txt

Karan Saini <karan@cis-india.org> Fri, 26 April 2019 09:23 UTC

Return-Path: <karan@cis-india.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 891B01202F0; Fri, 26 Apr 2019 02:23:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cis-india.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KK3h4bw9Mldf; Fri, 26 Apr 2019 02:23:29 -0700 (PDT)
Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl [195.190.28.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A3BF1201C8; Fri, 26 Apr 2019 02:23:28 -0700 (PDT)
Received: from smtp.greenhost.nl ([213.108.110.112]) by smarthost1.greenhost.nl with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <karan@cis-india.org>) id 1hJx4m-0007p0-0M; Fri, 26 Apr 2019 11:23:24 +0200
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.cis-india.org 3C304580B7B59
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cis-india.org; s=6F901CFA-19A8-11E9-98F1-CB07954443DB; t=1556270538; bh=6xpGEGsKgcygvK1PXJXDn07lxMHiIWydnkfGHYUAGME=; h=Mime-Version:From:Date:Message-Id:To; b=jZ4bq/d3DXvplSAyCTBklO0dT2fgJq4oRZ1DqRWrabMq5ugbMPQZKwmR0MGdpt9LD e6TOZ07cSbu/W+PKWf30f4bmszNmpsstx3eiQLewhZ64xCUZ5nA+aHRTzfKJHLMj9o 7amUyYIAi0eKs5jfeARBtiD4oL9vmRq4bKjdEau/dggfsZcKXEtVaUnWGFKRaCAQ5u 2xBlrfk1oFwJ9YKjodqc9lRO1I6AemA9h5BOoPBTBkdnRrk/pDyQ1sci+hQ/XN3ZYc mxQYgm7Vlr5v35Ax7TIofadgsVWTHtMSGRRpnoQmwnFwuS1aAe8YqXfIDsgRNyANVg ckTLH9Hs88GdA==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Karan Saini <karan@cis-india.org>
In-Reply-To: <CAAObRXLhzcetGbb7-EkGgpdkiDGo6uHnij5=dY6wFLqvarSuWQ@mail.gmail.com>
Date: Fri, 26 Apr 2019 14:53:10 +0530
Cc: internet-drafts@ietf.org, dnsop <dnsop@ietf.org>, i-d-announce@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4AD81AC2-0192-42A8-94CE-EB5DD1EE2FD6@cis-india.org>
References: <155543713754.24998.8934172511539336013@ietfa.amsl.com> <CAAObRXLhzcetGbb7-EkGgpdkiDGo6uHnij5=dY6wFLqvarSuWQ@mail.gmail.com>
To: Davey Song <songlinjian@gmail.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Virus-Scanned: by clamav at smarthost1.samage.net
X-Scan-Signature: a9e4b997d6a751f3e45cb47a3c2b1d2c
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Zxa8EcjlaQtz4z-h7b3bgfyTux0>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 09:23:31 -0000

Hi,

Comment is in-line.

> On 18-Apr-2019, at 4:34 PM, Davey Song <songlinjian@gmail.com> wrote:
> 
> <It is my second time to read it. I may miss something discussed before. Sorry>
>  
> Some concerns and comments:
>  
> 1) It sounds to me that the primary targeted outage described in this draft is on the authoritative server during DDOS attack especially. Think about a case of outage of resolver due to a failure in its network path to the authoritative server. Normally end user have more than one configured resolvers. If only one resolver experience the outage and serve the stale data, could the user tell which resolver have more refreshed data ? If not, it may impact users experience if they have to accept stale data during the period when they still have the choice for refreshed ones. As I mentioned the first time I read it, I dislike the fact of concealing using of stale data from end users. 
>  
> 2) I notice it is proposed as a stand track document. If more people here think its benefit outweighs its impacts, I prefer it published as informational document, because it is based on implementation and operation experience. There is no need to change the protocol and the definition of TTL. I prefer to take the serve-stale behavior as a local policy and a side channel in case of resolver's cache-miss.

I agree with Davey, perhaps publishing this as an experimental or informational document may be beneficial for the purpose that is trying to be fulfilled.

>  
> 3) A minor concern: in an thread in dns-operation mailing list last week, it is said that the behavior of serve stale in some ISPs is abused for reason of traffic hijack/tampering/spoofing. I'm afraid it will be encouraged by this document.
>  
> Best regards,
> Davey
> 
> On Wed, 17 Apr 2019 at 01:52, <internet-drafts@ietf.org> wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
> 
>         Title           : Serving Stale Data to Improve DNS Resiliency
>         Authors         : David C Lawrence
>                           Warren "Ace" Kumari
>                           Puneet Sood
>         Filename        : draft-ietf-dnsop-serve-stale-05.txt
>         Pages           : 12
>         Date            : 2019-04-16
> 
> Abstract:
>    This draft defines a method (serve-stale) for recursive resolvers to
>    use stale DNS data to avoid outages when authoritative nameservers
>    cannot be reached to refresh expired data.  It updates the definition
>    of TTL from [RFC1034], [RFC1035], and [RFC2181] to make it clear that
>    data can be kept in the cache beyond the TTL expiry and used for
>    responses when a refreshed answer is not readily available.  One of
>    the motivations for serve-stale is to make the DNS more resilient to
>    DoS attacks, and thereby make them less attractive as an attack
>    vector.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-05
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-serve-stale-05
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-serve-stale-05
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> I-D-Announce mailing list
> I-D-Announce@ietf.org
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email