[DNSOP] New draft on delegation revalidation

Shumon Huque <shuque@gmail.com> Fri, 10 April 2020 13:46 UTC

From: Shumon Huque <shuque@gmail.com>
Date: Fri, 10 Apr 2020 09:45:30 -0400
Message-ID: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fXmzHFzh153OO01hA5Oq8-T-fO8>
Subject: [DNSOP] New draft on delegation revalidation

Hi folks,

Paul Vixie, Ralph Dolmans, and I have submitted this I-D for
consideration:

   https://tools.ietf.org/html/draft-huque-dnsop-ns-revalidation-01

I mentioned it on the dns-operations@dns-oarc.net mailing
list last week, where the topic came up in another thread,
and there has already been some lively discussion about it
there. So we recommend reading the thread there:

   https://lists.dns-oarc.net/pipermail/dns-operations/2020-April/020041.html

There is a range of different behaviors in resolver implementations
in this respect today, and it would be good if we could agree on
more commonality.

The main recommendations in the draft are to: (1) deterministically
prefer the authoritative child NS set over the non-authoritative,
unsigned, delegating NS set in the parent, (2) revalidate the parent
delegation at the expiration of the parent NS set TTL, to promptly
detect when the parent has re-delegated the zone elsewhere (or
removed the delegation).

These are not new ideas of course. They have been proposed in Vixie
et al.'s resimprove draft from 2010, and Wouter Wijngaards' resolver
mitigations draft from 2009. The Unbound resolver already mostly
implements this with the 'harden-referral-path' configuration option.

Comments/discussion welcome.

Shumon, Paul, and Ralph.
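As an added illustration (not part of the message above, the draft, or Unbound's code), a small Python model of a resolver cache that follows the two recommendations: it prefers the child's authoritative NS set and re-queries the parent once the parent NS set's TTL has expired, so a re-delegation or a removed delegation is noticed. NSSet, Entry, RevalidatingCache and the scenario's zone names and TTLs are all constructed here.

```python
from collections import namedtuple
from dataclasses import dataclass

# names: frozenset of NS owner names; ttl: seconds; authoritative: True for the child's own
# NS RRset (AA=1), False for the parent's delegating (non-authoritative, unsigned) NS set.
NSSet = namedtuple("NSSet", "names ttl authoritative")

@dataclass
class Entry:
    parent: NSSet
    child: NSSet
    parent_at: float   # when the parent NS set was last (re)fetched

class RevalidatingCache:
    def __init__(self, query_parent, query_child):
        self.query_parent = query_parent  # zone -> NSSet or None (referral from the parent)
        self.query_child = query_child    # (zone, ns names) -> NSSet (authoritative NS query)
        self.cache, self.parent_queries = {}, 0

    def nameservers(self, zone, now):
        e = self.cache.get(zone)
        if e is None or now - e.parent_at >= e.parent.ttl:
            # (2) Parent NS TTL expired: revalidate the delegation at the parent.
            self.parent_queries += 1
            parent = self.query_parent(zone)
            if parent is None:                 # delegation removed: stop using cached data
                self.cache.pop(zone, None)
                return None
            if e is not None and parent.names != e.parent.names:
                e = None                       # re-delegated: old child NS set no longer trusted
            if e is None:
                e = Entry(parent, self.query_child(zone, parent.names), now)
            else:
                e.parent, e.parent_at = parent, now
            self.cache[zone] = e
        # (1) Deterministically prefer the authoritative child NS set over the parent's.
        return e.child.names if e.child and e.child.authoritative else e.parent.names

def scenario():
    """Constructed timeline: parent delegates example.test to ns1/ns2 (TTL 3600), the child
    itself lists ns1/ns2/ns3; at t=5000 the parent has re-delegated to ns9.other.test."""
    old, new = frozenset({"ns1.example.test", "ns2.example.test"}), frozenset({"ns9.other.test"})
    state = {"parent": NSSet(old, 3600, False)}
    child = {old: NSSet(old | {"ns3.example.test"}, 86400, True), new: NSSet(new, 86400, True)}
    cache = RevalidatingCache(lambda z: state["parent"], lambda z, names: child[names])
    t0 = cache.nameservers("example.test", 0)      # parent queried; child set preferred
    t1 = cache.nameservers("example.test", 100)    # served from cache, no parent query
    state["parent"] = NSSet(new, 3600, False)      # parent re-delegates the zone
    t2 = cache.nameservers("example.test", 5000)   # parent TTL expired -> re-delegation noticed
    return t0, t1, t2, cache.parent_queries
```

A resolver that instead kept using the child NS set until its own 86400-second TTL ran out would keep sending queries to the old servers for a day after the parent moved the delegation.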