Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Warren Kumari <warren@kumari.net> Mon, 30 July 2018 14:58 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 312AE130E3B for <dnsop@ietfa.amsl.com>; Mon, 30 Jul 2018 07:58:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jWQRDBKgIZuI for <dnsop@ietfa.amsl.com>; Mon, 30 Jul 2018 07:58:24 -0700 (PDT)
Received: from mail-wm0-x241.google.com (mail-wm0-x241.google.com [IPv6:2a00:1450:400c:c09::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AF701310E4 for <dnsop@ietf.org>; Mon, 30 Jul 2018 07:58:24 -0700 (PDT)
Received: by mail-wm0-x241.google.com with SMTP id f21-v6so27674wmc.5 for <dnsop@ietf.org>; Mon, 30 Jul 2018 07:58:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=6N8N4MhJFNEDoIc3fRBc47tw1BGP+7Les9rLN1ZpkWg=; b=1GdjNNIGP7pVyhzQuFvPoAjJqCH5UnIvXNEZXDpynGDxj9Tw74AYh+fYJ/dgacjIwO k8V8HnaYpbCyntywqL4TdyHHQhHxA/UwgAirVNNF0zlHGK0l9ycp+MrZjlYgCU27hDlI S3J+IEt4fPnDYq8Qtdf8z2Xr2MGYorJ7JoO9PkRxamxtVxPrcymq4RZ9NSCrF4s/ZlKH f/Mx/3knAbJcryjHD0yebZlATTqDvzgcLGoRfgc1NQBE43I5BpheliMygzJ5d12i1Bjz hWRiCP7/UGCrMEbOjqnZosqulXVa67S5cNbFMqU0ZeEE/CMFlHzN4kDQGf6OecDc7Z8m 26dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=6N8N4MhJFNEDoIc3fRBc47tw1BGP+7Les9rLN1ZpkWg=; b=HMVz5owNRj1/Ha1ZTQMO27cYUHybTBlej2aZ2axKTJUEuG6qRzsYVXkIFNCcPjwk6P jneeD4i1eMCAcNpaJ9d5CXABEDJlxiXv/ZZ89TMnHuWBR81LFQdPffykkFwGgkSyZxlA 5pjp+CLoIM8tnemA/ZrNDeK/PqdgY4wKcuSwb1cQ5kaaFp7fMEzJ/lcIFdhjDvF/4J6B 1zvRo+VgPR8IAtQKSeYZ13HMjAUb1sgZk2H17Yo6QCR2DVgfUZpq8KJKkAZPL0R+Lciv TusmQiyEhH8HvH/1ZomUcCxJ8tMiFWsqC4H3Mph6g3w6oH6SIgncagLLEEnQolbaRhnj Rq+w==
X-Gm-Message-State: AOUpUlFacjl6FfDRrDpsR526+BHRfnQA7b03Q5Cb5LC9aVZkByWs8GmH D6AimDLnjx6YkDQoU4bAPe3q32DbUQIp2Xjq2UMGHKbXTs8=
X-Google-Smtp-Source: AAOMgpdFev1YPT7KPlbZrAJ/PHgL4ZkA9HA3oH9zflN9rnDjAcgqLAN4ZY2/UsOcmFWUFWY8i4GuC7hajO8zeaHViE8=
X-Received: by 2002:a1c:87c9:: with SMTP id j192-v6mr14592725wmd.71.1532962702805; Mon, 30 Jul 2018 07:58:22 -0700 (PDT)
MIME-Version: 1.0
References: <20180729155014.C8F2C20030CD40@ary.qy> <5F1A8568-02D6-4145-8ECE-59385C31DA7C@shinkuro.com> <CAJhMdTP-J8qaGQE1rTQQ6KUC0fdtHpJeztr9GaY2n-WGpYm8Pg@mail.gmail.com> <CABf5zvLq4PUiVYk3-sBZ-HF-Ecp7eSzBKhm-Fw=2+80OOYQ0ug@mail.gmail.com>
In-Reply-To: <CABf5zvLq4PUiVYk3-sBZ-HF-Ecp7eSzBKhm-Fw=2+80OOYQ0ug@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 30 Jul 2018 10:57:46 -0400
Message-ID: <CAHw9_iJ+-yc28+3u3N+8xT3sTRars3bm-yrCzfj1ynF7MhiZcA@mail.gmail.com>
To: Steve Crocker <steve@shinkuro.com>
Cc: Joe Abley <jabley@hopcount.ca>, dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/arcIkDw5JXJEBrf793xVVG7X4SM>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 14:58:28 -0000
On Sun, Jul 29, 2018 at 3:09 PM Steve Crocker <steve@shinkuro.com> wrote: > > Joe, > > As an individuals, you, I, or anyone else, can do whatever we like, of course. On the other hand, as system designers we presumably look at the overall system and try to put in place an operational structure that anticipates and meets the likely needs of the users. > > The present and long-standing system provides the recursive resolvers with well-oiled and highly effective solutions to (a) finding the root servers and (b) getting highly reliable and highly responsive answers from them. Nod. > It seems to me reasonable and reasonably easy to sustain these attributes as we evolve toward downloading the entire root zone instead of individual pieces of it. Vigorus nod. > And by "evolution" we're necessarily talking about a lengthy period of hybrid operation. Nod. > There will likely be a growing set of recursive resolvers downloading the full root zone and but there will certainly be a very large set of recursive resolvers that continue to operate in the current model. Nod... > Even if there were to be an aggressive push toward hyper local root service, the existing service would have to remain as is for a long time. And by "a long time" I'm guessing ten years is not enough, so I suspect it will be twenty years before one can imagine the current root service reaching twilight. Nod (I would have said much more than 20 years, but ok). > > The heated concern of several years ago about the potential size of the root zone is behind us, I hope. The root zone is not going to grow exponentially. The whole zone will be in the single megabyte range, I think. (Caution: I haven't looked at the actual size. Apologies if I am off a bit. But the overall point is still right. Another round or so of gTLDs might double or even triple the current size of the root zone, but it will not grow by even one order of magnitude and certainly not by multiple orders of magnitude.) Nod. wkumari$ dig axfr . @b.root-servers.net > root.zone wkumari$ ls -alh root.zone -rw-r--r-- 1 wkumari staff 2.1M Jul 30 10:34 root.zone 2.1MB - close enough. > > Distribution of a megabyte or even a few megabytes to, say, a million recursive resolvers twice a day is a relatively modest endeavor on today's Internet. Nod. 2.1MB times 1M resolvers is ~2TB (or the size of a medium capacity SSD drive) > If there are going to be problems, I suspect they won't be related to ad hoc fetching of the root zone from random untrusted sources. Citation needed :-) Regardless of where I get the root zone (trusted source, untrusted source) I'd like to be able to make sure if it is accurate and complete. For example, I just fetched the root zone via AXFR from b.root-servers.net in MIA, a server which, for various reasons I trust implicitly. However, I'm not really sure I trust the network between it and myself - and if I'm planning on using this zone in a production environment I'd really like to be able to know that someone hasn't monkeyed with it between b.root-servers.net and myself. When I open the zone and it contains: ----- aaa. 172800 IN NS ns1.dns.nic.aaa. aaa. 172800 IN NS ns2.dns.nic.aaa. aaa. 172800 IN NS ns3.dns.nic.aaa. aaa. 172800 IN NS ns4.dns.nic.aaa. aaa. 172800 IN NS ns5.dns.nic.aaa. aaa. 172800 IN NS ns6.dns.nic.aaa. aaa. 86400 IN DS 21707 8 1 6D92DD0D0DB0E392FA9D5F08EA15BBD297B8CBE2 aaa. 86400 IN DS 21707 8 2 4F74856F31B73F3BFCDF430985329F55AA655BC9E53C4BF9DC6B14CC E6780600 aaa. 86400 IN DS 28192 8 1 563200F63B8B1797B4D88D14BD6A672EA4D0CC0C aaa. 86400 IN DS 28192 8 2 DCB5AA6EC2B73D3E8C82D481770151160B38BCF2DBF3B9CD587AAD38 8D3572D7 aaa. 86400 IN RRSIG DS 8 1 86400 20180812050000 20180730040000 41656 . 9pGWZzPrVVFeqif5/PwqlO4BeFcTn2fvE1u5Mv5ADl5xn5vgm1WnWrnB 5Fxuk8TYIWFKhZ19DPk8RaU5Qk/kJpB/7A596x+XJ4IkaaMhlfAWYGYo 9C3cr5yj34FtLKlhU5tE3mSyt4lfyg558hSpwgo6cQPTj78KmkBkzjty X/ZeYTcSZX+zcIK2pNB1bG5yU4IEJbqye4LrKUqVKJ48bJI3pa6tci+b SFkGbqhotRfVdXSuNqZ/njLn+mH/vGIVKlMB5IwLe7Jf7lA1bFlMT4pP BACKPMletFgDMlTaMocqmbRBhRUDHnf93+vSoqxykwB+GLO7A/J3k2FZ NqKDtg== aaa. 86400 IN NSEC aarp. NS DS RRSIG NSEC aaa. 86400 IN RRSIG NSEC 8 1 86400 20180812050000 20180730040000 41656 . 1MIOeZb204La5r+b71rZxl39WqfVFp4z0kDRh2xd881mW1OICp7zUS1Y qOn/T3WTFQQG+39UVB2uQT+kcwL+rDLN2LGQhTFUzWLTom0oVEzO7rGu zUzbvqMJ0YBtrVqqzxcGYQ0lzGwUgn2qWyFPe6tUXZX3LmJgTT0yHzYT pG0cdEFc/7/7dnXgZIn7LSpOWc8m+Pxz7PSqjQ503cD+UqeJhYRpqTFy YG+UWchXoVZrs0qF6qsqgxdIsGcoeD+0Mh7eondWl4IPNT6UZ1iIxM9q hTNu5y/qyvEW/M20cRGVtY7B9h7RY7d6ASGAbYybeYljG2TBNqYyD9Bh GDg0ow== ns1.dns.nic.aaa. 172800 IN A 127.0.0.1 ns1.dns.nic.aaa. 172800 IN AAAA ::1 ns2.dns.nic.aaa. 172800 IN A 127.0.0.2 ns2.dns.nic.aaa. 172800 IN AAAA ::2 ns3.dns.nic.aaa. 172800 IN A 192.168.1.1 ns3.dns.nic.aaa. 172800 IN AAAA ::3 ---- I'd really like to know if the 127.0.0.1 was there when the zone was signed, and that it hasn't been "fixed" by something on path. W > > Steve > > > On Sun, Jul 29, 2018 at 11:50 AM, Joe Abley <jabley@hopcount.ca> wrote: >> >> On Jul 29, 2018, at 12:19, Steve Crocker <steve@shinkuro.com> wrote: >> >> > It feels like this discussion is based on some peculiar and likely incorrect assumptions about the evolution of root service. Progression toward hyper local distribution of the root zone seems like a useful and natural sequence. However, the source of the copies of the root zone will almost certainly remain robust and trusted. >> >> I think you need to be more clear what you mean by "source". >> >> If you mean the original entity that constructs and first makes >> available the root zone (e.g. the root zone maintainer in the current >> system) then what you say seems uncontentious. >> >> If what you mean is "the place that any particular consumer if the >> root zone might have found it" then I think you need to show your >> working. >> >> Resolvers currently prime from a set of trusted servers (albeit over >> an insecure transport without authentication, so we could quibble >> about what "trusted" means even there) but it's not obvious to me that >> this is a necessary prerequisite for new approaches. >> >> If I have a server sitting next to me that has a current and accurate >> copy of the root zone and I am able to get it from there and assess >> the accuracy of what I receive autonomously, why wouldn't I? >> >> >> Joe > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Hugo Salgado-Hernández
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- Re: [DNSOP] New Version Notification for draft-we… George Michaelson
- Re: [DNSOP] New Version Notification for draft-we… Olafur Gudmundsson
- [DNSOP] New Version Notification for draft-wessel… Weinberg, Matt
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… Roy Arends
- Re: [DNSOP] New Version Notification for draft-we… Jaap Akkerhuis
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Davey Song
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Jim Reid
- Re: [DNSOP] New Version Notification for draft-we… Shumon Huque
- Re: [DNSOP] New Version Notification for draft-we… Bob Harold
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… 神明達哉
- Re: [DNSOP] New Version Notification for draft-we… Tim Wicinski
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… tjw ietf
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… John Levine
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… Steve Crocker
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Florian Weimer
- Re: [DNSOP] New Version Notification for draft-we… Joe Abley
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Tony Finch
- Re: [DNSOP] New Version Notification for draft-we… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-we… John R Levine
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-we… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-we… Ondřej Surý