Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]
"Wessels, Duane" <dwessels@verisign.com> Thu, 12 November 2015 18:13 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C2991B2C26 for <dnsop@ietfa.amsl.com>; Thu, 12 Nov 2015 10:13:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1p86xB3c1lc for <dnsop@ietfa.amsl.com>; Thu, 12 Nov 2015 10:13:07 -0800 (PST)
Received: from mail-oi0-x263.google.com (mail-oi0-x263.google.com [IPv6:2607:f8b0:4003:c06::263]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 569941B2C25 for <dnsop@ietf.org>; Thu, 12 Nov 2015 10:13:07 -0800 (PST)
Received: by oie188 with SMTP id 188so4078826oie.0 for <dnsop@ietf.org>; Thu, 12 Nov 2015 10:13:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign_com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :content-type:content-id:content-transfer-encoding:mime-version; bh=iyJvwajzrc+ys2a+NfHnNTy2gxVWTBrgmhwbLc+DsaE=; b=1yYzk8V7fqQxQ1iyWlrcfWyof6NE/J7l/QLPjDPv9sasgKsxgdMHI+Q4AxYfUjCSP7 1NxbySq8HDkhYexvGu3WxE2FdUYhsQ0xR9TEZ5yTWft37N3ZY1oRiZu8LB2IeBFyyNJo P6I/GLvLEg8e1ge7vfniaJWQaXhoVN0Ri+3YE8mvmPDg5o8k/ow9iLkc76VulW3i/Spe PyAip47ov/0sjmqYtb3e3dJT9F9QWfLHjcHtcuyl+MGEavckcRJ05Bmgm3L3Fb4DZEdi +3Il4e07DQGVZxgWS/6hC4FtpMzAQZhVdMR/gvyCi7mmDKn4/r2x2N1bpXri/Mg3RSzn +eKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-type:content-id:content-transfer-encoding :mime-version; bh=iyJvwajzrc+ys2a+NfHnNTy2gxVWTBrgmhwbLc+DsaE=; b=drck/dTK660YNQkm2ksF1EB9bpFQfq415QaF5fKAN2Noy0sWrCSMNxDelhf8ZG1zGC USw2wk8WiM2NHmW+f6mwvjk/aL2NPUhFDsXWgtHI+O7cN/GRdzvhmj6ATK+HowxAyxbo ZIm4DwP0GopOZZs1TjoOAt7Me8x93j+DxbO9SKdDI689fhPelxxuV9aAOeEoFkKKc6PH 1vyb9I9aWrBYSSvKuzCTy0PNuqW4Kwir+lFepI+UPE4JG2bd5VCk3/k1rjR3xUoGtgC2 /r4q9FaEGAxMnhESsDZjGoFSbSw8sXi1tV/WEoZTWI5IJuEW1QbnQCmUQubx9bWK1XA4 2stw==
X-Gm-Message-State: ALoCoQnxZVfT6JLDaDxd2zoHjEhZSGS1BYy7roWoQiLOZoN6Ii/qeB0TV04L/hhPSkHYrBSeV5kWY12PeFqz8M+s0xjEDLRg1A==
X-Received: by 10.55.71.81 with SMTP id u78mr17671298qka.81.1447351986575; Thu, 12 Nov 2015 10:13:06 -0800 (PST)
Received: from brn1lxmailout02.verisign.com (brn1lxmailout02.verisign.com. [72.13.63.42]) by smtp-relay.gmail.com with ESMTPS id y123sm1201218qky.3.2015.11.12.10.13.06 (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 12 Nov 2015 10:13:06 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id tACID6ID017936 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 12 Nov 2015 13:13:06 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Thu, 12 Nov 2015 13:13:05 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Thread-Topic: [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]
Thread-Index: AQHRHSKCSnkHaanoakiNL7gy0B1pvZ6ZBQ8A
Date: Thu, 12 Nov 2015 18:13:04 +0000
Message-ID: <39D878B4-9239-4983-8083-36BCA365BE62@verisign.com>
References: <20151106082238.GA2307@nic.fr> <A62EC834-C954-446C-9F7A-AB6D1F955C7F@verisign.com> <20151112081514.GA16017@laperouse.bortzmeyer.org>
In-Reply-To: <20151112081514.GA16017@laperouse.bortzmeyer.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <F6B88724E4DDDD4FA9C642E3E8EEDECC@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/mKSnJfReD-63687aSRRnPjEnlmQ>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 18:13:09 -0000
> On Nov 12, 2015, at 12:15 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: > > On Wed, Nov 11, 2015 at 01:15:37AM +0000, > Wessels, Duane <dwessels@verisign.com> wrote > a message of 107 lines which said: > >> This updates RFC 2308 (Negative Caching of DNS Queries). > > Good point, I'll add that. Also, I did not dare to add "Updates: RFC > 1034". Should I? That I don't know. Someone with more experience should probably answer. > >> I think the WG needs to discuss and agree whether or not to make the >> NXDOMAIN cut based on QNAME only, or on the SOA owner name. > > This is discussed (shortly) in section 5 of the draft. Apparently, it > can be risky to rely on the SOA. More discussion welcome. As Mark pointed out, we can't use the SOA to make NXDOMAIN more aggressive. For a name like foo.bar.example.com and an NXDOMAIN response from example.com we can't assume that there would be a zone cut between foo and bar. > >> I think its a little dangerous to say that an NXDOMAIN response >> SHOULD cause a cache to delete already cached "positive" data. > > Could you elaborate why is it dangerous? (See also the second > paragraph of section 7.) I'm thinking of worst-case scenarios where, say, an entire TLD is purged from the cache due to a spoofed response. Or, could you imagine a spoofed "NXDOMAIN ." response? In addition to denying service for the purged domain, a large purge also causes the resolver to do a lot of (possibly CPU intensive) work, and could also affect the traffic levels between a recursive and authoritatives. Perhaps a cache may want to limit the number of nodes/records that it deletes per NXDOMAIN response. Or perhaps it could be configured to not "bulk delete" TLDs (or root). Perhaps a recursive might be designed to negatively cache an entire zone (including TLD) but continue answering positively cached answers in the zone until they expire normally. DW
- [DNSOP] [internet-drafts@ietf.org: I-D Action: dr… Stephane Bortzmeyer
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Wessels, Duane
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Mark Andrews
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Mark Andrews
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Stephane Bortzmeyer
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Paul Hoffman
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Wessels, Duane
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Mark Andrews
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Stephane Bortzmeyer
- [DNSOP] Using the SOA in a NXDOMAIN response (Was… Stephane Bortzmeyer
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Stephane Bortzmeyer
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Stephane Bortzmeyer
- Re: [DNSOP] Using the SOA in a NXDOMAIN response … John Levine
- Re: [DNSOP] Using the SOA in a NXDOMAIN response … Wessels, Duane
- Re: [DNSOP] [internet-drafts@ietf.org: I-D Action… Tony Finch