Re: [DNSOP] Measuring DNS TTL clamping in the wild

Steve Crocker <steve@shinkuro.com> Fri, 01 December 2017 18:12 UTC

From: Steve Crocker <steve@shinkuro.com>
In-Reply-To: <EA286206-0AD7-48C3-B5BE-C2BFA1C7FB73@puck.nether.net>
Date: Fri, 01 Dec 2017 13:12:34 -0500
Cc: "Stephen D. Crocker" <steve@shinkuro.com>
Message-Id: <61DF0A99-0B74-40AB-815F-3DF78755EBE5@shinkuro.com>
References: <aec2510c-e543-6c4a-873d-5c2db7df5a78@sidn.nl> <CAN6NTqytiDj-FfixD6aKD4AKa5oik7SEtP=82JhP4GR=SyWjYw@mail.gmail.com> <9E8E7EAA-7D37-4841-9144-F49C216ABD7B@verisign.com> <CAN6NTqx2Gq5XK6VDz-dVSbL8k5Yg8G=xM12qdQJHsBP=fp6pCw@mail.gmail.com> <953C8354-3F9D-46A4-82AB-7ED3A9E17387@vpnc.org> <EA286206-0AD7-48C3-B5BE-C2BFA1C7FB73@puck.nether.net>
To: Jared Mauch <jared@puck.nether.net>, Paul Hoffman <paul.hoffman@vpnc.org>, Ólafur Guðmundsson <olafur@cloudflare.com>, dnsop <DNSOP@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/a-iiz4qm3RoAXOo8w6vdfEnkm8o>
Subject: Re: [DNSOP] Measuring DNS TTL clamping in the wild

I would be very interested in a bit more precision here.  Is there a way to say what is permissible vs impermissible re TTLs, and is there a way to say what is desirable vs undesirable re TTLs?  We all understand that longer TTLs reduce the frequency of refresh at the expense of slower response whenever the authoritative information changes.  However, some fraction of the recursive resolvers impose minimum and/or maximum limits on the TTLs they receive from the authoritative servers.

Shortening TTLs increases the amount of traffic between the recursive resolvers and authoritative resolvers and lengthens the response time for some queries.  However, I don’t think there is any service guarantee with respect to an individual query that is violated by shortening the TTL.

Lengthening a TTL, on the other hand, does change one of the service guarantees.  When there is a change in the entry in the authoritative server, what is the maximum time until that change is guaranteed to be propagated throughout the net?  This depends primarily on the TTL.  However, when the TTL is lengthened by the recursive resolvers, the upper bound for propagation of a change is similarly increased.

Is there any common understanding of how much lengthening is permitted?  Is commonplace?

Let me make a guess that the only lengthening that takes place in practice is a floor of ten seconds.

Comments?

Thanks,

Steve
> On Dec 1, 2017, at 12:52 PM, Jared Mauch <jared@puck.nether.net> wrote:
> 
> 
> 
>> On Dec 1, 2017, at 12:23 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> 
>> On 1 Dec 2017, at 9:16, Ólafur Guðmundsson wrote:
>> 
>>> We are getting into religion here, the original poster called people that
>>> cap TTL's Heretics,
>> 
>> Looking through the mail archives, no one other than you is using that term.
> 
> I think this is subject to interpretation, some people view the done differently.
> The subject line felt hostile.. 2nd attempt to adjust subject-line to make it less hostile.
> 
> - jared
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
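The trade-off Steve describes above (a floor lengthens the propagation bound, a cap shortens it at the cost of more upstream traffic) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any resolver implementation: it models a single recursive resolver that clamps the authoritative TTL to a configurable floor and cap, then measures (a) how long a change at the authority stays invisible through that resolver and (b) how many upstream queries the resolver sends over a period. The zone name, addresses and the rule that a floor wins over a lower cap are assumptions chosen for the example.

```python
"""Constructed model of a recursive resolver that clamps TTLs.

Added example for the DNSOP thread on TTL clamping; not code from the
thread or from any real resolver. One recursive layer is assumed: a
client talks to one resolver, which caches answers from one authority.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def clamp_ttl(auth_ttl: int, floor: int = 0, cap: Optional[int] = None) -> int:
    """TTL a clamping resolver actually caches an answer for.

    `floor` raises short TTLs (lengthening), `cap` lowers long ones
    (shortening). If an operator sets cap < floor the floor wins here
    (assumption), so the result is never below the floor.
    """
    ttl = max(auth_ttl, floor)
    if cap is not None:
        ttl = min(ttl, max(cap, floor))
    return ttl


@dataclass
class Authority:
    """Constructed authoritative data: owner name -> (rdata, ttl)."""
    records: Dict[str, Tuple[str, int]]


@dataclass
class ClampingResolver:
    """Recursive resolver with a positive cache and TTL clamping."""
    authority: Authority
    floor: int = 0
    cap: Optional[int] = None
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # name -> (rdata, expires_at)
    upstream_queries: int = 0

    def resolve(self, name: str, now: int) -> Tuple[str, int]:
        """Answer `name` at time `now`; refetch from the authority on expiry."""
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], hit[1] - now          # cache hit, remaining TTL
        rdata, auth_ttl = self.authority.records[name]
        self.upstream_queries += 1
        ttl = clamp_ttl(auth_ttl, self.floor, self.cap)
        self.cache[name] = (rdata, now + ttl)    # TTL 0 with a floor still gets cached
        return rdata, ttl


NAME = "www.example."   # constructed owner name


def propagation_delay(auth_ttl: int, floor: int = 0, cap: Optional[int] = None,
                      change_at: int = 1) -> int:
    """Seconds between a change at the authority and the resolver serving it.

    The resolver caches the old answer at t=0, the authority changes the
    record at t=change_at, and we count seconds until the new rdata appears.
    """
    auth = Authority({NAME: ("192.0.2.1", auth_ttl)})
    resolver = ClampingResolver(auth, floor=floor, cap=cap)
    resolver.resolve(NAME, now=0)
    auth.records[NAME] = ("192.0.2.2", auth_ttl)   # the change
    t = change_at
    while resolver.resolve(NAME, now=t)[0] != "192.0.2.2":
        t += 1
    return t - change_at


def upstream_queries(auth_ttl: int, floor: int = 0, cap: Optional[int] = None,
                     seconds: int = 86400) -> int:
    """Upstream queries the resolver sends when a client asks once per second."""
    auth = Authority({NAME: ("192.0.2.1", auth_ttl)})
    resolver = ClampingResolver(auth, floor=floor, cap=cap)
    for t in range(seconds):
        resolver.resolve(NAME, now=t)
    return resolver.upstream_queries


if __name__ == "__main__":
    print("auth TTL 5s, no clamp:      delay", propagation_delay(5))
    print("auth TTL 5s, floor 10s:     delay", propagation_delay(5, floor=10))
    print("auth TTL 0,  floor 10s:     delay", propagation_delay(0, floor=10))
    print("auth TTL 1d, cap 1h:        delay", propagation_delay(86400, cap=3600))
    print("auth TTL 1d, cap 1h:        upstream/day", upstream_queries(86400, cap=3600))
    print("auth TTL 1d, no clamp:      upstream/day", upstream_queries(86400))
```

The two measurements separate the cases Steve distinguishes: a cap never raises `propagation_delay` above what the authoritative TTL already allowed, but multiplies `upstream_queries`; a floor lowers query volume and raises the worst-case staleness, and with a floor even a TTL-0 answer (which the authority intended not to be cached) is served for the full floor.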