Re: [DNSOP] New draft on delegation revalidation

Shumon Huque <shuque@gmail.com> Mon, 13 April 2020 20:56 UTC

References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CAN6NTqwrdE-_jE5iMRp05vm1URtdRkYLU7Dk2wWd43PvA-F3MQ@mail.gmail.com>
In-Reply-To: <CAN6NTqwrdE-_jE5iMRp05vm1URtdRkYLU7Dk2wWd43PvA-F3MQ@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 13 Apr 2020 16:55:47 -0400
Message-ID: <CAHPuVdVGfPBgMxyX171BO00kuwbm7BjFFtQcUxnGHWn15_2Rkw@mail.gmail.com>
To: Ólafur Guðmundsson <olafur@cloudflare.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o0b830L5_DEXE1vSpZl85ZJyh-g>
Subject: Re: [DNSOP] New draft on delegation revalidation

On Mon, Apr 13, 2020 at 4:36 PM Ólafur Guðmundsson <olafur@cloudflare.com>
wrote:

>
> I read the draft and like it, this is a clear statement of the problem and
> a good way forward.
>

Thanks Olafur!


> I agree with the idea that "all" NS being lame is a good signal to
> revalidate,
>

Yeah, me too. But as Paul later notes, I think we'd need a hold-time timer
of some sort to prevent the parents from getting DDoS'd by resolvers caught
in a tight revalidation loop. We could recommend a timer value in the draft.

> One idea to throw out here, triggered by the first two paragraphs in section 3:
> Should we recommend that authoritative servers that are configured for
> minimal-response override that on DNSKEY query and include the NS RRset if
> there is space?
>

Worth considering. That would be a very useful optimization if everyone
were doing it from the start. But it suffers from the incremental deployment
problem. Since resolvers can't know who might be doing this in advance, if
they want to minimize latency, they'd still need to fire off the NS query in
parallel with the DNSKEY.

Shumon.
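The exchange above turns on two points: that "all delegated NS are lame" is a good trigger for revalidating a delegation at the parent, and that the trigger needs a hold-down of some kind so a child zone whose servers stay lame does not turn every resolver lookup into a query against the parent. The following is an added example written for this page, not code from the draft, from Shumon or from Ólafur; it models a resolver's cached delegation, the all-lame trigger, and a hold-down timer, and counts how many revalidation queries reach the parent with and without the timer. The zone and server names, the 300-second default, and the once-per-second lookup rate are constructed for the illustration and are not values from the draft.

```python
from dataclasses import dataclass, field
from typing import Set


@dataclass
class Delegation:
    """Cached delegation for one child zone, as seen by a resolver.

    `lame` holds the delegated servers that most recently gave a
    non-authoritative answer for the zone.  `holddown` is the minimum
    spacing, in seconds, between revalidation queries to the parent;
    the 300 s default is an assumed value, not one taken from the draft.
    """
    zone: str
    nameservers: Set[str]
    holddown: float = 300.0
    lame: Set[str] = field(default_factory=set)
    last_revalidation: float = float("-inf")   # sentinel: never revalidated yet
    revalidations: int = 0                      # queries that reached the parent

    def record_response(self, ns: str, lame: bool) -> None:
        """Update lameness evidence after querying one delegated server."""
        if ns not in self.nameservers:
            raise ValueError(f"{ns} is not in the NS RRset for {self.zone}")
        if lame:
            self.lame.add(ns)
        else:
            self.lame.discard(ns)

    def all_lame(self) -> bool:
        """The trigger discussed in the thread: every delegated NS is lame."""
        return bool(self.nameservers) and self.lame == self.nameservers

    def should_revalidate(self, now: float) -> bool:
        """All-lame alone is not enough: the hold-down must also have expired,
        otherwise a zone whose servers stay lame would make the resolver hit
        the parent on every single lookup."""
        if not self.all_lame():
            return False
        return now - self.last_revalidation >= self.holddown

    def revalidate(self, now: float, parent_ns_rrset: Set[str]) -> bool:
        """Apply the NS RRset re-fetched from the parent.  Returns True when
        the delegation changed.  New servers start with no lameness evidence."""
        self.last_revalidation = now
        self.revalidations += 1
        if set(parent_ns_rrset) == self.nameservers:
            return False
        self.nameservers = set(parent_ns_rrset)
        self.lame = set()
        return True


def simulate_parent_load(holddown: float, duration: int = 600) -> int:
    """Constructed scenario: one lookup per second for `duration` seconds while
    both delegated servers stay lame and the parent keeps handing back the
    same (still lame) NS set.  Returns the number of revalidation queries the
    parent receives, i.e. the load the hold-down is there to bound."""
    d = Delegation("example.test.", {"ns1.example.test.", "ns2.example.test."},
                   holddown=holddown)
    for ns in list(d.nameservers):
        d.record_response(ns, lame=True)
    for t in range(duration):
        if d.should_revalidate(t):
            d.revalidate(t, parent_ns_rrset=d.nameservers)  # parent unchanged
    return d.revalidations


def repaired_delegation_scenario() -> dict:
    """Constructed scenario: two of three servers go lame (no trigger), then the
    third does (trigger); the parent now returns an updated NS set, which
    replaces the cached one and clears the lameness evidence."""
    d = Delegation("example.test.",
                   {"ns1.example.test.", "ns2.example.test.", "ns3.example.test."})
    d.record_response("ns1.example.test.", lame=True)
    d.record_response("ns2.example.test.", lame=True)
    partial = d.should_revalidate(now=0)
    d.record_response("ns3.example.test.", lame=True)
    full = d.should_revalidate(now=0)
    changed = d.revalidate(now=0,
                           parent_ns_rrset={"ns1.example.test.", "ns4.example.test."})
    return {"partial_lame_triggers": partial, "all_lame_triggers": full,
            "delegation_changed": changed, "lame_after": set(d.lame),
            "nameservers_after": set(d.nameservers)}


if __name__ == "__main__":
    print("parent queries, no hold-down:   ", simulate_parent_load(holddown=0))
    print("parent queries, 300 s hold-down:", simulate_parent_load(holddown=300))
    print(repaired_delegation_scenario())
```

Without a hold-down the all-lame trigger fires on every lookup, so a persistently lame child zone costs the parent one query per resolver lookup; with the 300-second hold-down the same 600 lookups produce two parent queries. The second scenario shows why "all" matters: with only two of three servers lame nothing is triggered, and once revalidation does run and the parent returns a different NS set, the old lameness evidence is discarded because it says nothing about the new servers.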