IETF Logo Mail Archive

Re: [DNSOP] The Larger Discussion on Differences in Response Drafts

Mark Andrews <marka@isc.org> Fri, 19 August 2016 20:08 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D926D12D75F for <dnsop@ietfa.amsl.com>; Fri, 19 Aug 2016 13:08:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.148
X-Spam-Level:
X-Spam-Status: No, score=-8.148 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lhx0yOuWJ6tH for <dnsop@ietfa.amsl.com>; Fri, 19 Aug 2016 13:07:59 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D723212D9E1 for <dnsop@ietf.org>; Fri, 19 Aug 2016 12:53:59 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 6B05E3493C7; Fri, 19 Aug 2016 19:53:57 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 571AA160048; Fri, 19 Aug 2016 19:53:57 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 42F4916009C; Fri, 19 Aug 2016 19:53:57 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id fEOTvZgls7CG; Fri, 19 Aug 2016 19:53:57 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id B115A160048; Fri, 19 Aug 2016 19:53:56 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id D833551B0533; Sat, 20 Aug 2016 05:53:54 +1000 (EST)
To: Edward Lewis <edward.lewis@icann.org>
From: Mark Andrews <marka@isc.org>
References: <665d8bd3-4229-eb98-1688-2460dcb943b6@gmail.com> <99CE1D3E-18A0-42E6-949F-E78995AFCEE2@icann.org>
In-reply-to: Your message of "Fri, 19 Aug 2016 12:32:19 +0000." <99CE1D3E-18A0-42E6-949F-E78995AFCEE2@icann.org>
Date: Sat, 20 Aug 2016 05:53:54 +1000
Message-Id: <20160819195354.D833551B0533@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gqB-4__R4H0wFy5zBXkgnkOdWRg>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] The Larger Discussion on Differences in Response Drafts
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2016 20:08:01 -0000

In message <99CE1D3E-18A0-42E6-949F-E78995AFCEE2@icann.org>, Edward Lewis write
s:
> On 8/16/16, 08:57, "DNSOP on behalf of Tim Wicinski" <dnsop-bounces@ietf.org 
> on behalf of tjw.ietf@gmail.com> wrote:
> 
> I've only read briefly the drafts and see hints that issues I raise below
> are still lingering.
>
> There's no denying that there's a desire to solve "this".  I keep in mind
> that this isn't the first time there's been a desire to add this to the
> DNS, each time more issues were raised than solutions put forth.  That
> doesn't mean one can't keep trying, but realize this won't be easy.
>
> >- Do we want to Server to PUSH any or all Associated Answers, or
>
> This is what got DNSSEC started in the first place - the potential for
> servers to push data in the additional section.  With DNSSEC the danger
> of cache poisoning is reduced but now, for out of server bailiwick
> answers, the client will start chasing DNSSEC trust chains, perhaps
> needlessly.

You can chase chains when the client requests the data.  DNSSEC validation
doesn't need to always be done when the answer is received.

> >- Do we want the Client to PULL any or all Associated Answers, or
>
> The question I keep asking myself is: How is this different from a client
> just hitting a server with all anticipated questions at one time?  Why
> not just ask for qtype ANY all the time, for data sets owned by the same
> domain name.
>
> Caching (shared, that is) is supposed to play a role here, keeping
> answers closer to the need than at the authority.
>
> (And, of course as has been mentioned in the list, does this enable
> amplification?  I.e., just like ANY.)

We have solutions to amplification.  It isn't a boggie man.

> >- Do we want the Status Quo?
>
> For quite some years we tried to damp out special processing for types as
> this made rolling out new types easier with old code.  The idea was to
> get to where "Handling of Unknown DNS Resource Record (RR) Types" was
> possible.

Unknown RRs is designed to allow data to get to the client without
*requiring* intermediate servers to know the data content.  The
key word there is requiring.

There is nothing about not specifying additional section rules.  In
fact additional section rules are officially acceptable for unknown
types.

Additionally Unknown RRs expects servers to learn about new types.
Just they that knowledge isn't supposed to be a blocker.

> I can see developing a policy for DNS responders to include other RRsets
> as part of the response to a question, but how is this policy made known
> to the querier?  The querier needs to know it to decide if each other
> RRset is germane or a poisoning attempt.  (Germane meaning, genuinely
> related to the question.)

Stub clients presumably know or they wouldn't be asking for the type.

Recursive servers learn what to expect over time.  If it is signed data
they can just store it and validate it when requested.

> I can see developing a means for a client to ask for something and
> "whatever is relevant."  That's partly done by ANY - and in fact the same
> issue with ANY pops up here, does a cache with part of the answer only
> give back that or try to get the entire answer?  Will a recursive element
> have to track all portions of the response to a question instead of
> caching the sets individually? What if the TTL are set differently (on
> purpose)?

Perfect is the enemy of good enough.  Servers need to learn about new
types.  They just don't need to learn immediately.

> Do we want to split the DNS protocol between what is possible on TCP and
> what is possible on UDP?  Right now, AXFR is only available on TCP due to
> its design.  To we want to define some "dangerous" (so to speak) queries
> to be only on TCP?  And we have to define the semantics of how the
> responses are cached, tracked, etc.
>
> IMHO, if the server can let the client know what the policy regarding
> associated answers is, the server can push data to the client.  I don't
> really see how client pull is better than the client asking for things in
> parallel.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email