Re: [DNSOP] New draft on delegation revalidation
Shumon Huque <shuque@gmail.com> Mon, 13 April 2020 20:56 UTC
To: Ólafur Guðmundsson <olafur@cloudflare.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o0b830L5_DEXE1vSpZl85ZJyh-g>

On Mon, Apr 13, 2020 at 4:36 PM Ólafur Guðmundsson <olafur@cloudflare.com> wrote:

> I read the draft and like it, this is a clear statement of the problem and
> good way forward.

Thanks Olafur!

> I agree with the idea that "all" NS are lame is a good signal to
> revalidate,

Yeah, me too. But as Paul later notes, I think we'd need a hold time timer of some sort to prevent the parents from getting DDOS'd by resolvers caught in a tight revalidation loop. We could recommend a timer value in the draft.

> One idea to throw out here triggered by the first two paragraphs in section
> 3
> Should we recommend that Authoritative servers that are configured for
> minimal-response overwrite that on DNSKEY query and include NS RRset if
> there is space?

Worth considering. That would be a very useful optimization if everyone was doing it from the start. But it suffers from the incremental deployment problem. Since resolvers can't know who might be doing this in advance, if they want to minimize latency, they'd still need to fire off the NS query in parallel with the DNSKEY.

Shumon.
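
The hold-down idea discussed in the message above, sketched as an added example (not code from the draft, the post, or any resolver). The 30 s and 900 s values and the doubling backoff are assumptions; the thread only says a timer value could be recommended.

```python
# Added illustration; timer values are assumptions, not taken from the draft.
from dataclasses import dataclass, field


@dataclass
class _ZoneState:
    next_allowed: float = 0.0   # earliest time another parent query may go out
    hold: float = 0.0           # current hold-down interval in seconds


@dataclass
class RevalidationGate:
    """Decides when a resolver may re-query the parent for a delegation."""
    base_hold: float = 30.0     # assumed initial hold-down (seconds)
    max_hold: float = 900.0     # assumed cap on the backoff (seconds)
    zones: dict = field(default_factory=dict)

    def should_revalidate(self, zone: str, ns_lame: dict, now: float) -> bool:
        """ns_lame maps each NS name in the cached delegation to True if lame."""
        state = self.zones.setdefault(zone.lower().rstrip("."), _ZoneState())
        # The trigger is "all NS are lame"; one working server cancels it.
        if not ns_lame or not all(ns_lame.values()):
            state.hold = 0.0    # reset backoff growth, keep the running timer
            return False
        if now < state.next_allowed:
            return False        # still in hold-down: leave the parent alone
        # Permit one parent query, then double the hold-down up to the cap.
        state.hold = min(self.max_hold, state.hold * 2 or self.base_hold)
        state.next_allowed = now + state.hold
        return True


def simulate(gate: RevalidationGate, zone: str, events: list) -> list:
    """Replay (time, ns_lame) observations and return the gate's decisions."""
    return [gate.should_revalidate(zone, lame, t) for t, lame in events]


if __name__ == "__main__":
    # Constructed observations for a delegation whose servers all go lame.
    lame = {"ns1.example.": True, "ns2.example.": True}
    print(simulate(RevalidationGate(), "example.", [(t, lame) for t in range(0, 120, 10)]))
```

Without the gate, a resolver that keeps getting the same broken NS set back from the parent would re-query on every failed lookup; with it, the parent sees at most one query per hold-down interval per delegation.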