IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming

"Paul Hoffman" <paul.hoffman@vpnc.org> Fri, 19 August 2016 23:31 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84A0112D0C5 for <dnsop@ietfa.amsl.com>; Fri, 19 Aug 2016 16:31:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1eQcBR0lTTp5 for <dnsop@ietfa.amsl.com>; Fri, 19 Aug 2016 16:31:22 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D271E12D0C2 for <dnsop@ietf.org>; Fri, 19 Aug 2016 16:31:21 -0700 (PDT)
Received: from [10.32.60.29] (50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u7JNVIT5038590 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 19 Aug 2016 16:31:20 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193] claimed to be [10.32.60.29]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: 神明達哉 <jinmei@wide.ad.jp>
Date: Fri, 19 Aug 2016 16:31:18 -0700
Message-ID: <725BA390-5032-4B67-AD84-CC05C37D7644@vpnc.org>
In-Reply-To: <CAJE_bqeLrf_tV+FZo4vk3YPbhTAnzMgPJH7KwzV6MXm_LGC04Q@mail.gmail.com>
References: <CAJE_bqeLrf_tV+FZo4vk3YPbhTAnzMgPJH7KwzV6MXm_LGC04Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_jKPxTCzSzwtSfVS5TyMw92GyPA>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2016 23:31:23 -0000

On 17 Aug 2016, at 9:45, 神明達哉 wrote:

> I've read draft-ietf-dnsop-resolver-priming-07.  I think this is a
> useful document and is almost ready for publication.

Thanks for the careful review.

> But there seem
> to be a few non-trivial issues that may need to be addressed.
>
> Specific comments:
>
> - Section 2
>
>    Therefore, it is important that resolvers be able to cope with
>    change, even without relying upon configuration updates to be 
> applied
>    by their operator.
>
>   If we really want to make it work "even without relying upon
>   configuration updates", we may need to consider some extreme cases
>   where all of the ./NS data (and/or all of their glue AAAA/A records)
>   change while a resolver keeps running for a very long period.  If
>   this happens, once the cached priming data expires, even the next
>   priming would fail, since at that point the resolver needs to use
>   the configured data but none of the configured data is usable.  If
>   we want to make it work even in such cases, we may have to encourage
>   some specific techniques more strongly, e.g., query prefetch or
>   auto-update the configured "root hint" with the result of priming
>   query, etc.  Or, if this sentence doesn't intend to cover such
>   extreme cases, it may probably have to be reworded to avoid
>   misunderstanding.

This seems like a far-fetched example that would require a new fallback 
mechanism. There are many, many reasons why the root server operators 
would prevent *all* the addresses from changing during the TTL.

> - Section 3.1
>
>    The recursive
>    resolver SHOULD expire the NS records of the root servers according
>    to the TTL values given in the priming response.
>
>   Isn't this (= expiring cached data according to TTL) obvious and
>   non-specific to priming responses?  I don't see why we bother to say
>   the obvious, and if we want to say that I don't see why it's not
>   even a MUST.

Agree. We'll reword this.

> - Section 3.2
>
>    If a priming query does not get a response within 2 seconds, the
>    recursive resolver SHOULD retry with a different target address 
> from
>    the configuration.
>
>   This sentence doesn't seem to be necessary (and may even cause an
>   unnecessary confusion), so I'd primarily suggest just removing it
>   (see my other message on this specific point).

Yes. Earlier WG discussion brought this up, and we'll remove anything 
about time.
>
> - Section 3.3 (DNSSEC with Priming Queries)
>
>   I remember I commented on this section before and we had discussions
>   about how to address it.  I don't remember the conclusion at that
>   time, but is this a result of that discussion?  I'm asking this
>   because the current text still seems to have some explanation gap to
>   me.

The conclusion was the current text. In essence, it says "turn on DO if 
you want; although it is useless now, it might be useful in the future".

> - Section 4.1
>
>    [...]  There may be an Additional section with A
>    and/or AAAA RRSets for the root name servers pointed at by the NS
>    RRSet.
>
>   At least in principle, I suspect the additional A and/or AAAA RRsets
>   is critical information for priming to work correctly.  If the
>   priming response completely replaces ./NS in the cache populated
>   from the local configuration but the response lacks the additional
>   address RRsets, then no further recursive resolution will be
>   successful.  I don't know what's the best way to address this, but
>   one easy tweak is to say "there should be an Additional section..."
>   instead of "may".

Good suggestion.

>
> - Section 4.2
>
>    Said another way: in an EDNS
>    response, if the additional section only has an A RRSet for a 
> server,
>    the resolver SHOULD assume that no AAAA RRSet exists.
>
>   It's not clear to me why we need to say this, especially with an
>   RFC2119 keyword.  What's wrong, for example, if a resolver tries to
>   resolve a "missing" AAAA via a separate direct query?

Agree: we will remove the SHOULD.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email