IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Warren Kumari <warren@kumari.net> Mon, 30 July 2018 14:58 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 312AE130E3B for <dnsop@ietfa.amsl.com>; Mon, 30 Jul 2018 07:58:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jWQRDBKgIZuI for <dnsop@ietfa.amsl.com>; Mon, 30 Jul 2018 07:58:24 -0700 (PDT)
Received: from mail-wm0-x241.google.com (mail-wm0-x241.google.com [IPv6:2a00:1450:400c:c09::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AF701310E4 for <dnsop@ietf.org>; Mon, 30 Jul 2018 07:58:24 -0700 (PDT)
Received: by mail-wm0-x241.google.com with SMTP id f21-v6so27674wmc.5 for <dnsop@ietf.org>; Mon, 30 Jul 2018 07:58:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=6N8N4MhJFNEDoIc3fRBc47tw1BGP+7Les9rLN1ZpkWg=; b=1GdjNNIGP7pVyhzQuFvPoAjJqCH5UnIvXNEZXDpynGDxj9Tw74AYh+fYJ/dgacjIwO k8V8HnaYpbCyntywqL4TdyHHQhHxA/UwgAirVNNF0zlHGK0l9ycp+MrZjlYgCU27hDlI S3J+IEt4fPnDYq8Qtdf8z2Xr2MGYorJ7JoO9PkRxamxtVxPrcymq4RZ9NSCrF4s/ZlKH f/Mx/3knAbJcryjHD0yebZlATTqDvzgcLGoRfgc1NQBE43I5BpheliMygzJ5d12i1Bjz hWRiCP7/UGCrMEbOjqnZosqulXVa67S5cNbFMqU0ZeEE/CMFlHzN4kDQGf6OecDc7Z8m 26dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=6N8N4MhJFNEDoIc3fRBc47tw1BGP+7Les9rLN1ZpkWg=; b=HMVz5owNRj1/Ha1ZTQMO27cYUHybTBlej2aZ2axKTJUEuG6qRzsYVXkIFNCcPjwk6P jneeD4i1eMCAcNpaJ9d5CXABEDJlxiXv/ZZ89TMnHuWBR81LFQdPffykkFwGgkSyZxlA 5pjp+CLoIM8tnemA/ZrNDeK/PqdgY4wKcuSwb1cQ5kaaFp7fMEzJ/lcIFdhjDvF/4J6B 1zvRo+VgPR8IAtQKSeYZ13HMjAUb1sgZk2H17Yo6QCR2DVgfUZpq8KJKkAZPL0R+Lciv TusmQiyEhH8HvH/1ZomUcCxJ8tMiFWsqC4H3Mph6g3w6oH6SIgncagLLEEnQolbaRhnj Rq+w==
X-Gm-Message-State: AOUpUlFacjl6FfDRrDpsR526+BHRfnQA7b03Q5Cb5LC9aVZkByWs8GmH D6AimDLnjx6YkDQoU4bAPe3q32DbUQIp2Xjq2UMGHKbXTs8=
X-Google-Smtp-Source: AAOMgpdFev1YPT7KPlbZrAJ/PHgL4ZkA9HA3oH9zflN9rnDjAcgqLAN4ZY2/UsOcmFWUFWY8i4GuC7hajO8zeaHViE8=
X-Received: by 2002:a1c:87c9:: with SMTP id j192-v6mr14592725wmd.71.1532962702805; Mon, 30 Jul 2018 07:58:22 -0700 (PDT)
MIME-Version: 1.0
References: <20180729155014.C8F2C20030CD40@ary.qy> <5F1A8568-02D6-4145-8ECE-59385C31DA7C@shinkuro.com> <CAJhMdTP-J8qaGQE1rTQQ6KUC0fdtHpJeztr9GaY2n-WGpYm8Pg@mail.gmail.com> <CABf5zvLq4PUiVYk3-sBZ-HF-Ecp7eSzBKhm-Fw=2+80OOYQ0ug@mail.gmail.com>
In-Reply-To: <CABf5zvLq4PUiVYk3-sBZ-HF-Ecp7eSzBKhm-Fw=2+80OOYQ0ug@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 30 Jul 2018 10:57:46 -0400
Message-ID: <CAHw9_iJ+-yc28+3u3N+8xT3sTRars3bm-yrCzfj1ynF7MhiZcA@mail.gmail.com>
To: Steve Crocker <steve@shinkuro.com>
Cc: Joe Abley <jabley@hopcount.ca>, dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/arcIkDw5JXJEBrf793xVVG7X4SM>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 14:58:28 -0000

On Sun, Jul 29, 2018 at 3:09 PM Steve Crocker <steve@shinkuro.com> wrote:
>
> Joe,
>
> As an individuals, you, I, or anyone else, can do whatever we like, of course.  On the other hand, as system designers we presumably look at the overall system and try to put in place an operational structure that anticipates and meets the likely needs of the users.
>
> The present and long-standing system provides the recursive resolvers with well-oiled and highly effective solutions to (a) finding the root servers and (b) getting highly reliable and highly responsive answers from them.

Nod.

> It seems to me reasonable and reasonably easy to sustain these attributes as we evolve toward downloading the entire root zone instead of individual pieces of it.

Vigorus nod.

> And by "evolution" we're necessarily talking about a lengthy period of hybrid operation.

Nod.

> There will likely be a growing set of recursive resolvers downloading the full root zone and but there will certainly be a very large set of recursive resolvers that continue to operate in the current model.

Nod...

> Even if there were to be an aggressive push toward hyper local root service, the existing service would have to remain as is for a long time.  And by "a long time" I'm guessing ten years is not enough, so I suspect it will be twenty years before one can imagine the current root service reaching twilight.

Nod (I would have said much more than 20 years, but ok).

>
> The heated concern of several years ago about the potential size of the root zone is behind us, I hope.  The root zone is not going to grow exponentially.  The whole zone will be in the single megabyte range, I think.  (Caution: I haven't looked at the actual size.  Apologies if I am off a bit.  But the overall point is still right.  Another round or so of gTLDs might double or even triple the current size of the root zone, but it will not grow by even one order of magnitude and certainly not by multiple orders of magnitude.)

Nod.
wkumari$ dig axfr . @b.root-servers.net > root.zone
wkumari$ ls -alh root.zone
-rw-r--r--  1 wkumari  staff   2.1M Jul 30 10:34 root.zone

2.1MB - close enough.

>
> Distribution of a megabyte or even a few megabytes to, say, a million recursive resolvers twice a day is a relatively modest endeavor on today's Internet.

Nod. 2.1MB times 1M resolvers is ~2TB (or the size of a medium
capacity SSD drive)

> If there are going to be problems, I suspect they won't be related to ad hoc fetching of the root zone from random untrusted sources.

Citation needed :-)

Regardless of where I get the root zone (trusted source, untrusted
source) I'd like to be able to make sure if it is accurate and
complete.
For example, I just fetched the root zone via AXFR from
b.root-servers.net in MIA, a server which, for various reasons I trust
implicitly. However, I'm not really sure I trust the network between
it and myself - and if I'm planning on using this zone in a production
environment I'd really like to be able to know that someone hasn't
monkeyed with it between b.root-servers.net and myself.
When I open the zone and it contains:
-----
aaa.                    172800  IN      NS      ns1.dns.nic.aaa.
aaa.                    172800  IN      NS      ns2.dns.nic.aaa.
aaa.                    172800  IN      NS      ns3.dns.nic.aaa.
aaa.                    172800  IN      NS      ns4.dns.nic.aaa.
aaa.                    172800  IN      NS      ns5.dns.nic.aaa.
aaa.                    172800  IN      NS      ns6.dns.nic.aaa.
aaa.                    86400   IN      DS      21707 8 1
6D92DD0D0DB0E392FA9D5F08EA15BBD297B8CBE2
aaa.                    86400   IN      DS      21707 8 2
4F74856F31B73F3BFCDF430985329F55AA655BC9E53C4BF9DC6B14CC E6780600
aaa.                    86400   IN      DS      28192 8 1
563200F63B8B1797B4D88D14BD6A672EA4D0CC0C
aaa.                    86400   IN      DS      28192 8 2
DCB5AA6EC2B73D3E8C82D481770151160B38BCF2DBF3B9CD587AAD38 8D3572D7
aaa.                    86400   IN      RRSIG   DS 8 1 86400
20180812050000 20180730040000 41656 .
9pGWZzPrVVFeqif5/PwqlO4BeFcTn2fvE1u5Mv5ADl5xn5vgm1WnWrnB
5Fxuk8TYIWFKhZ19DPk8RaU5Qk/kJpB/7A596x+XJ4IkaaMhlfAWYGYo
9C3cr5yj34FtLKlhU5tE3mSyt4lfyg558hSpwgo6cQPTj78KmkBkzjty
X/ZeYTcSZX+zcIK2pNB1bG5yU4IEJbqye4LrKUqVKJ48bJI3pa6tci+b
SFkGbqhotRfVdXSuNqZ/njLn+mH/vGIVKlMB5IwLe7Jf7lA1bFlMT4pP
BACKPMletFgDMlTaMocqmbRBhRUDHnf93+vSoqxykwB+GLO7A/J3k2FZ NqKDtg==
aaa.                    86400   IN      NSEC    aarp. NS DS RRSIG NSEC
aaa.                    86400   IN      RRSIG   NSEC 8 1 86400
20180812050000 20180730040000 41656 .
1MIOeZb204La5r+b71rZxl39WqfVFp4z0kDRh2xd881mW1OICp7zUS1Y
qOn/T3WTFQQG+39UVB2uQT+kcwL+rDLN2LGQhTFUzWLTom0oVEzO7rGu
zUzbvqMJ0YBtrVqqzxcGYQ0lzGwUgn2qWyFPe6tUXZX3LmJgTT0yHzYT
pG0cdEFc/7/7dnXgZIn7LSpOWc8m+Pxz7PSqjQ503cD+UqeJhYRpqTFy
YG+UWchXoVZrs0qF6qsqgxdIsGcoeD+0Mh7eondWl4IPNT6UZ1iIxM9q
hTNu5y/qyvEW/M20cRGVtY7B9h7RY7d6ASGAbYybeYljG2TBNqYyD9Bh GDg0ow==
ns1.dns.nic.aaa.        172800  IN      A       127.0.0.1
ns1.dns.nic.aaa.        172800  IN      AAAA    ::1
ns2.dns.nic.aaa.        172800  IN      A       127.0.0.2
ns2.dns.nic.aaa.        172800  IN      AAAA   ::2
ns3.dns.nic.aaa.        172800  IN      A       192.168.1.1
ns3.dns.nic.aaa.        172800  IN      AAAA    ::3
----
I'd really like to know if the 127.0.0.1 was there when the zone was
signed, and that it hasn't been "fixed" by something on path.

W


>
> Steve
>
>
> On Sun, Jul 29, 2018 at 11:50 AM, Joe Abley <jabley@hopcount.ca> wrote:
>>
>> On Jul 29, 2018, at 12:19, Steve Crocker <steve@shinkuro.com> wrote:
>>
>> > It feels like this discussion is based on some peculiar and likely incorrect assumptions about the evolution of root service.  Progression toward hyper local distribution of the root zone seems like a useful and natural sequence.  However, the source of the copies of the root zone will almost certainly remain robust and trusted.
>>
>> I think you need to be more clear what you mean by "source".
>>
>> If you mean the original entity that constructs and first makes
>> available the root zone (e.g. the root zone maintainer in the current
>> system) then what you say seems uncontentious.
>>
>> If what you mean is "the place that any particular consumer if the
>> root zone might have found it" then I think you need to show your
>> working.
>>
>> Resolvers currently prime from a set of trusted servers (albeit over
>> an insecure transport without authentication, so we could quibble
>> about what "trusted" means even there) but it's not obvious to me that
>> this is a necessary prerequisite for new approaches.
>>
>> If I have a server sitting next to me that has a current and accurate
>> copy of the root zone and I am able to get it from there and assess
>> the accuracy of what I receive autonomously, why wouldn't I?
>>
>>
>> Joe
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email