Re: [DNSOP] Caching of negative zone (non-authoritative) responses
Ted Lemon <mellon@fugue.com> Mon, 08 July 2019 18:37 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1D36120683 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 11:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.604
X-Spam-Level:
X-Spam-Status: No, score=-0.604 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTW1bmxYxn5P for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 11:37:17 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D81501206A0 for <dnsop@ietf.org>; Mon, 8 Jul 2019 11:37:16 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id 44so15183970qtg.11 for <dnsop@ietf.org>; Mon, 08 Jul 2019 11:37:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=vpg/Umatkjsumrs3LKoVzTTXI+Twzp51obmhDHJEwsQ=; b=G0ygwP+NL6j/aWqyi47rUC6dNaaKM0rOh4+F8QigfMhy0SaIMmfXlxl+I9D3ddKpD+ yys05FG+5zqwUi2lKNPUltCp0D+v5lRO91ycZzix3X9wNdFCPRd6qK0TUxiGiJl8n6LN 6xmwaKIMC8sG+bBwX/WyaFwA4Gu5HAsX6fpOBbPIBEiXb0z+QPYlNRprIwGgtRT4peiR /ZY4P/RAFm/pXrdFLjTT3ZvvwJXwXiHgKcAVooLDUhMlGxQe83cvg7/DDWcNg0/bcAZ0 gdfd+OTctnflVZCUHtLSnu/z/N8rCnARoTNeHBCBDaoTp5LYWet66pjuhMj32LIUq1pa TeIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=vpg/Umatkjsumrs3LKoVzTTXI+Twzp51obmhDHJEwsQ=; b=M4SGaGcukReT1FMuf/+bkgR3OkkD2EwMGCg/prIVjWI4YXnfKLE3t7RO7ta5aRJF3X /P2xqwMmlGXs8FaFLyOTG/7B+ZUQewS02r9G5SvvfQnqZ5Q1ilucnLpjpkGKUMPCKXkG g5AowkUOM8hNTe6RpLWrKnba0u8lW7+ioaAf6h5QRr1SGL8nP3iK3MUG6xXLgwP9RnBo qHJoqRbr+M6DtUiOsQTaU8UKCcezN82jSjgGGleB0P/PbRCJM4DeuquJRGD2NyT+L98W OQRHOjzLQ9Q/xTdJqAGfDhE1nHOmle9/kdXTf08e8XvUuPPrOfot5fZG5TDqVJ/VMoaJ 9qiQ==
X-Gm-Message-State: APjAAAVFkr7Fmu76NdBXxcaipfZHCPnnOTA7PqS/Vut6VVLPbmDxi9af CkwztyvnfCbBgtGD5FjdzbRBkQ==
X-Google-Smtp-Source: APXvYqyRL50UqxG5aN17xuxTl/XbSBdsyEOmpE6TtElsG2QTmUr808g4JJnx57sm3HwbVbVaJ+RHaA==
X-Received: by 2002:a0c:942c:: with SMTP id h41mr16142405qvh.146.1562611035870; Mon, 08 Jul 2019 11:37:15 -0700 (PDT)
Received: from ?IPv6:2001:470:c1a2:1:450d:3b0b:90d3:8924? ([2001:470:c1a2:1:450d:3b0b:90d3:8924]) by smtp.gmail.com with ESMTPSA id j184sm7657769qkc.65.2019.07.08.11.37.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Jul 2019 11:37:14 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <992DA1F0-1F23-4D78-827F-EED3CDBB9A5A@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_10A55135-3DDA-4101-8055-1D8E296128F9"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 08 Jul 2019 14:37:11 -0400
In-Reply-To: <9d04ff4d-c321-eb10-9ed7-c6e4b938b219@godaddy.com>
Cc: Paul Vixie <paul@redbarn.org>, "dnsop@ietf.org" <dnsop@ietf.org>
To: "Michael J. Sheldon" <msheldon@godaddy.com>
References: <BYAPR02MB51900835E25A720BB9BF23C8DBF60@BYAPR02MB5190.namprd02.prod.outlook.com> <2604325.6lOYsMJmL1@linux-9daj> <21eb2ea6-88be-54c5-eee0-2d1fd1b1d424@godaddy.com> <6E8BFC47-D840-4AB4-98DE-C6717F1DB13E@fugue.com> <9d04ff4d-c321-eb10-9ed7-c6e4b938b219@godaddy.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jM3nlOPUlQOOZLQm1t7y3SS6rQM>
Subject: Re: [DNSOP] Caching of negative zone (non-authoritative) responses
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 18:37:30 -0000
On Jul 8, 2019, at 2:11 PM, Michael J. Sheldon <msheldon@godaddy.com> wrote: > I'm not authoritative for those. Any response I send for the parent > should be ignored completely. > And it still leaves the issue that I can't return a TTL without a > record, and I don't have a record to return it on. In the case of a delegation, I think you respond as if the zone still exists. You are definitely authoritative for that zone—that’s what a delegation means. Responding with REFUSED doesn’t solve your problem, so doing that isn’t the right move. > But there's other reasons for REFUSED as well (security, ddos filtering, > etc) and I should have a means to add to the reply, "don't ask again for > X seconds” I don’t think there’s a way to do this that will work, because DNSSEC. If you don’t have the key for the zone, you can’t reply with a signed answer. This also makes my solution above fail. Of course, you can do it for un-signed zones, which are the majority, but if we want a real solution, it’s going to require some new work. And if it requires updating all recursive resolvers, you aren’t going to see any benefit from it this decade. And since your proposed solution doesn’t work with DNSSEC, it again doesn’t work this decade. I think if we really wanted a solution to this problem that was secure, we’d need an analog of the DS record, only for the resolver. This would have to exist at the delegation point, and would be owned by the server operator, not the domain owner. A response signed by the owner of the name would be taken to indicate that the delegation is no longer valid, and would result in deferred retries for the lifetime of the zone. Much handwaving, etc., but you’d need something like this in order to securely repudiate a delegation without having the ZSK or the KSK of the delegated zone.
- [DNSOP] Caching of negative zone (non-authoritati… Michael J. Sheldon
- Re: [DNSOP] Caching of negative zone (non-authori… Ted Lemon
- Re: [DNSOP] Caching of negative zone (non-authori… Michael J. Sheldon
- Re: [DNSOP] Caching of negative zone (non-authori… Ted Lemon
- Re: [DNSOP] Caching of negative zone (non-authori… Michael J. Sheldon
- Re: [DNSOP] Caching of negative zone (non-authori… Paul Vixie
- Re: [DNSOP] Caching of negative zone (non-authori… Ted Lemon
- Re: [DNSOP] Caching of negative zone (non-authori… Michael J. Sheldon
- Re: [DNSOP] Caching of negative zone (non-authori… Ted Lemon
- Re: [DNSOP] Caching of negative zone (non-authori… Michael J. Sheldon
- Re: [DNSOP] Caching of negative zone (non-authori… Michael J. Sheldon
- Re: [DNSOP] Caching of negative zone (non-authori… Ted Lemon
- Re: [DNSOP] Caching of negative zone (non-authori… Paul Vixie
- Re: [DNSOP] Caching of negative zone (non-authori… Mark Andrews
- Re: [DNSOP] Caching of negative zone (non-authori… Ted Lemon
- Re: [DNSOP] Caching of negative zone (non-authori… Mark Andrews
- Re: [DNSOP] Caching of negative zone (non-authori… Shane Kerr
- Re: [DNSOP] Caching of negative zone (non-authori… Ted Lemon
- Re: [DNSOP] Caching of negative zone (non-authori… Tony Finch
- Re: [DNSOP] Caching of negative zone (non-authori… Michael J. Sheldon
- Re: [DNSOP] Caching of negative zone (non-authori… Mark Andrews
- Re: [DNSOP] Caching of negative zone (non-authori… Ted Lemon
- Re: [DNSOP] Caching of negative zone (non-authori… Stephane Bortzmeyer