[DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

fujiwara@jprs.co.jp Tue, 07 July 2015 09:20 UTC

Return-Path: <fujiwara@jprs.co.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECE541A86E2 for <dnsop@ietfa.amsl.com>; Tue, 7 Jul 2015 02:20:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.097
X-Spam-Level: ***
X-Spam-Status: No, score=3.097 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, J_CHICKENPOX_55=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQIVS4FDZqx0 for <dnsop@ietfa.amsl.com>; Tue, 7 Jul 2015 02:20:46 -0700 (PDT)
Received: from off-send01.osa.jprs.co.jp (off-send01.osa.jprs.co.jp [IPv6:2001:218:3001:17::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 586401A7034 for <dnsop@ietf.org>; Tue, 7 Jul 2015 02:20:46 -0700 (PDT)
Received: from off-sendsmg01.osa.jprs.co.jp (off-sendsmg01.osa.jprs.co.jp [172.23.8.61]) by off-send01.osa.jprs.co.jp (8.14.4/8.14.4) with ESMTP id t679Ki6r007595 for <dnsop@ietf.org>; Tue, 7 Jul 2015 18:20:44 +0900
Received: from off-sendsmg01.osa.jprs.co.jp (localhost [127.0.0.1]) by postfix.imss71 (Postfix) with ESMTP id EFCB9180083 for <dnsop@ietf.org>; Tue, 7 Jul 2015 18:20:43 +0900 (JST)
Received: from localhost (off-cpu04.osa.jprs.co.jp [172.23.4.14]) by off-sendsmg01.osa.jprs.co.jp (Postfix) with ESMTP id E419818005E for <dnsop@ietf.org>; Tue, 7 Jul 2015 18:20:43 +0900 (JST)
Date: Tue, 07 Jul 2015 18:20:43 +0900
Message-Id: <20150707.182043.193693838.fujiwara@jprs.co.jp>
To: dnsop@ietf.org
From: fujiwara@jprs.co.jp
In-Reply-To: <20150310.191541.52184726.fujiwara@jprs.co.jp>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp>
X-Mailer: Mew version 6.5 on Emacs 22.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1690-8.0.0.1202-21660.006
X-TM-AS-Result: No--8.310-5.0-31-10
X-imss-scan-details: No--8.310-5.0-31-10
X-TMASE-MatchedRID: TxWMfh/XGrFCXIGdsOwlUh5+URxv1WlB+KgiyLtJrSBXkdp2v/Yspuu/ ECyhLxqOE3yTTDqxgbLCh5UkBi9iExaboGhgYQbaIyvp1AQXH8thBfGxmdHCgslgi/vLS272LCf 3huf7nagnwKlPHcZkONAsTkoTIArQCXZ8FQwqLpi3HA8h5a0MOVo1rFkFFs1aHFSQk97VYGrOEM terKmLMYYJG/XfZTOZZlTIOsCImsalPBzBrYuLRlT/YzREB9OK/8CuA+b/YYRcKZwALwMGsw0li Ide/RKg4vM1YF6AJbZcLc3sLtjOt6ryC8RS5234Zz0AAGWYgqKg5oovEWFmKY6HM5rqDwqtg+Nv gj/AnemOGxBmtp08i4Mmq393l5H9aXwXL0/5cYEnGLx5veDBVw==
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/nJ_zDro0gwVu6GCXdErWhr1p6Vo>
Subject: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 09:20:54 -0000

Akira Kato and I submitted draft-fujiwara-dnsop-nsec-aggressiveuse-01.

  https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/

* Added reference to DLV {{RFC5074}} and imported some sentences.
* Added Aggressive Negative Caching Flag idea.
* Added detailed algorithms in Appendix.

Please check and comment.

I made a mistake at detailed algorithm part in -01.
I added updated version in this mail and I will update the draft.
NSEC3 validation is difficult for me.
Please check this algorithm.

And where is the pseudo code writing guide ?

~~~~~~~~~~~
QNAME = the query name;
if (QNAME name entry exists in the cache) {
    resolve the query as usual;
    // if RRSet (query name and query type) exists in the cache,
    //     the resolver responds the RRSet from the cache
    // Otherwise, the resolver needs to iterate the query.
}

// Find closest enclosing NS RRset in the cache.
// The owner of this NS RRset will be a suffix of the QNAME
//    - the longest suffix of any NS RRset in the cache.
SIGNER = closest enclosing NS RRSet of QNAME in the cache;

if (SIGNER zone does not have a special NSEC/NSEC3 data structure) {
    Resolve the query as usual;
}

if (SIGNER zone is not signed or not validated) {
   Resolve the query as usual;
}

if (SIGNER zone is signed with NSEC) {
    // NSEC mode
    if (covering NSEC RR of QNAME at SIGNER zone
       doesn't exist in the cache) {
        Resolve the query as usual.
    }

    TEST = Find the longest existing domain name of QNAME
           from the covering NSEC RR;

    if (*.TEST name entry exists in the cache) {
        the resolver can generate positive response
        or resolve the query as usual;
    }
    if covering NSEC RR of "*.TEST" at SIGNER zone exists
         in the cache {
        the resolver can generate negative response;
    }
    // Lack of information, need to resolve the query as usual
} else
if (SIGNER zone is signed with NSEC3 and does not use Opt-Out) {
    // NSEC3 mode

    TEST = SIGNER;
    while (TEST != QNAME) {
        // if any error happens in this loop, break this loop
        UPPER = TEST;
        add a label from the QNAME to the start of TEST;
          // TEST = label.UPPER
        if (TEST name entry exist in the cache) {
            continue; // need to check rest of QNAME
        }
        if (covering NSEC3 of TEST exist in the cache) {
            // (non-)terminal name TEST does not exist
            if (*.UPPER name entry exist in the cache) {
                // TEST does not exist and *.UPPER exist
                the resolver can generate positive response;
            } else
            if (covering NSEC3 of *.UPPER exist in the cache) {
                // TEST does not exist and *.UPPER does not exist
                the resolver can generate negative response;
            }
            break; // Lack of information
        } else
        if (NSEC3 of TEST does not exist in the cache) {
            break; // Lack of information
        }
        // TEST label exist, then need to check rest of QNAME
    }
    // Lack of information, need to resolve the query as usual
}
Resolve the query as usual
~~~~~~~~~~~
--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>