IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt

Paul Vixie <paul@redbarn.org> Wed, 09 March 2022 08:02 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E3273A0B21 for <dnsop@ietfa.amsl.com>; Wed, 9 Mar 2022 00:02:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redbarn.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvGaGWDmdK-0 for <dnsop@ietfa.amsl.com>; Wed, 9 Mar 2022 00:02:28 -0800 (PST)
Received: from util.redbarn.org (util.redbarn.org [24.104.150.222]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15FF33A0980 for <dnsop@ietf.org>; Wed, 9 Mar 2022 00:02:27 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by util.redbarn.org (Postfix) with ESMTPS id 3B3141A2424; Wed, 9 Mar 2022 08:02:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redbarn.org; s=util; t=1646812945; bh=muJAlscoTGODFr89Y9nwF2OsaE6fYcg6B0n8rjcLrFI=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=h+Vz/FUd86dBjtT3AuZwSesCIn2OUWEewOpc7Tf5gKn/Vep1Ghk7LMjeBD14m/Bo2 so6IlWhglRm1cK5mS1cuGeLT5G1t7XVOtAmPba21Y/Wp1JwZJY94m0TvBOUag90Wem C1I+4kTDnc5aIIgcQQ4TtnwmTAzkdyKR1FyIUC8Y=
Received: from [24.104.150.142] (unknown [24.104.150.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 1D2787597E; Wed, 9 Mar 2022 08:02:25 +0000 (UTC)
To: Shumon Huque <shuque@gmail.com>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>
References: <164668869128.9050.17922186658317778247@ietfa.amsl.com> <36d847dc-4a1d-a5a-ad25-afb5a73d1122@nohats.ca> <CAHPuVdVpH_H9B487HgBypVQ8xFMXNsOiGopkSO6yM5BTjc-G9w@mail.gmail.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <ec259cc9-1252-d3e5-7570-860152525375@redbarn.org>
Date: Wed, 09 Mar 2022 00:02:25 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.54
MIME-Version: 1.0
In-Reply-To: <CAHPuVdVpH_H9B487HgBypVQ8xFMXNsOiGopkSO6yM5BTjc-G9w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/affTtpDRglx69aiB18LMAXhNR3s>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2022 08:02:35 -0000

see inline.

Shumon Huque wrote on 2022-03-08 21:12:
> On Tue, Mar 8, 2022 at 1:04 PM Paul Wouters 
> <paul.wouters=40aiven.io@dmarc.ietf.org 
> <mailto:40aiven.io@dmarc.ietf.org>> wrote:
> 
>     On Mon, 7 Mar 2022, internet-drafts@ietf.org
>     <mailto:internet-drafts@ietf.org> wrote:
> 
>      > Subject: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
> 
>     ...
> 
>          A delegation under re-validation is called a "re-validation point"
>          and is "still valid" if its parent zone's servers still respond to
>          an in-zone question with a referral to the re-validation point, and if
>          that referral overlaps with the previously cached referral by at
>          least one name server name, and the DS RRset (if seen) overlaps the
>          previously cached DS RRset (if also seen) by at least one delegated
>          signer.
> 
>     This paragraph, from an implemeter's point of view, is super dense. It
>     might be worth splitting this one sentence into multiple ones.
> 
> Yeah, this is Paul V's re-worked text regarding revalidation, so I'll
> defer to him. Feel free to suggest specific rewording though.

huh. i think the problem is that this paragraph is only one sentence 
long. my high school english teachers would have berated me, and others 
are welcome to do so now. let's try breaking it up a bit.

<<A delegation under re-validation is called a "re-validation point". To 
be considered "still valid", the ancestor zone whose authority servers 
offered the referral response that gave rise to the re-validation point 
must still offer a compatible referral response if queried again for a 
name considered to be in-bailiwick (a "re-validation query"). To be 
considered compatible, the NS RRset of re-validation response must 
overlap with the previously cached referral response by at least one 
name server name, and if a DS RRset is given, it must overlap with the 
previously cached referral response by at least one delegated signer. 
For avoidance of doubt, this means a change in referral from signed to 
unsigned or from unsigned to signed signals a delegation change for the 
purposes of this specification, even if the NS RRset is unchanged.>>

let me know if this isn't an improvement, or if more improvement is needed.

>          but to a wholly novel NS RRset or a wholly novel DS RRset
> 
>     Please use a different word from "novel". Maybe "disjoint NS RRset" ?

ok by me.

>     Should the document mention anything for the case of refreshing before
>     expiration? Eg to keep a hot cache, to requery items that are still
>     being queried for before their TTL hits? If this feature is supported,
>     how should it work with the parent/child TTLs?
> 
> Pre-fetching? That is worth discussing. Although, it'd be nice if the
> details of that mechanism had already been published first. Is anyone
> working on reviving/publishing draft-wkumari-dnsop-hammer ? Warren?
pre-fetching is a degenerate case of re-appearance. sometimes an NS 
RRset will be transmitted without having been solicited with qtype=NS. 
these are not delegations and should not reset the re-validation timers. 
we might want to point that out in the specification being discussed in 
this thread. (shumon?)

if a formal specification for "pre-fetching" some day exists and 
recognizes that some zones do not answer qtype=NS and that the only way 
to learn about delegation points from them is to ask a question that 
solicits a referral, and recommends that this be done when 
"pre-fetching" NS RRsets otherwise due to expire, then it is that 
specification's burden to explain how this would relate to re-validation 
timers from the (earlier) specification we're discussing in this thread.

my hope is that a "pre-fetching" specification would not recommend 
soliciting NS RRsets via referrals, and would instead exclude NS RRsets 
from pre-fetching, with a reference to the specification we're 
discussing in this thread and a recommendation that re-validation and 
not pre-fetching be used when the near-expiry cached RRset is rrtype=NS.

-- 
P Vixie

v2.23.0 | Report a Bug | By Email