IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

Evan Hunt <each@isc.org> Thu, 01 October 2015 05:08 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AB121B29A7 for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 22:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.311
X-Spam-Level:
X-Spam-Status: No, score=-6.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WKXP9x8ll4Eb for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 22:08:54 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A01061B29A3 for <dnsop@ietf.org>; Wed, 30 Sep 2015 22:08:54 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id ABA0E1FCD59; Thu, 1 Oct 2015 05:08:51 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 79007216C57; Thu, 1 Oct 2015 05:08:50 +0000 (UTC)
Date: Thu, 01 Oct 2015 05:08:50 +0000
From: Evan Hunt <each@isc.org>
To: Joe Abley <jabley@hopcount.ca>
Message-ID: <20151001050850.GA51763@isc.org>
References: <20150930190405.17300.40441.idtracker@ietfa.amsl.com> <20151001025833.GA51655@isc.org> <0F438B6C-4797-4250-ABCA-4C5AE1D5F232@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0F438B6C-4797-4250-ABCA-4C5AE1D5F232@hopcount.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/oQa6pmUMnXLV1DuB7SmUHUS5YyM>
Cc: dnsop <dnsop@ietf.org>, Ólafur Guðmundsson <olafuratcloudflare.com@isc.org>
Subject: Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2015 05:08:56 -0000

On Wed, Sep 30, 2015 at 11:28:45PM -0400, Joe Abley wrote:
> 1. Return an unsigned response. This will be marked as bogus, and 
> trigger a QTYPE=HINFO re-query that will either return an actual signed 
> HINFO from the zone or a signed proof of non-existence. We think. I 
> haven't actually tested that a re-query will happen, but Olafur is 
> confident. :-)

I haven't tested it either, but that is not what I would expect.

If the resolver gets a bogus response to a query of type ANY, I
would expect it to try the same query at another name server,
until it had exhausted all authoritative name servers, and then
reply with SERVFAIL.

> 2. Sign the HINFO RR as it is synthesised (or pre-sign one, to avoid the 
> edge authority servers needing access to a signing key).

Pre-signing essentially reduces to adding an empty HINFO to every node in
every zone, then using the pick-one-RRset method, but ensuring that HINFO
is always selected first.

> That is true. However, one of the use-cases for this approach is a 
> nameserver for which a search for records present at a particular owner 
> name (as would normally be performed when responding to an ANY query) is 
> expensive.

It's not at all obvious to me that this is cheaper.

With either method, you have to search down through the zone to find out
whether the node exists (otherwise you'd be returning NXDOMAIN, rather than
a minimized response).  Since you're doing that search anyway, choosing an
RRset to return is pretty cheap.  And actually, you really *should* also
look through the RRsets at the node to make sure there isn't a non-empty
HINFO record before you synthesize an empty one, and if you're doing *that*
anyway, choosing an RRset wouldn't cost any more and could well cost less.

Assuming we aren't considering the possibility of native HINFO records,
I agree that synthesizing an unsigned HINFO would be little quicker
than pulling an RRset out of the node, but not *so* much quicker as
to seem obviously worthwhile.

And for signed zones, synthesizing a signed HINFO would almost
certainly be slower, while returning a pre-signed HINFO would be
no faster than choosing an RRset.

The disadvantages of pick-one-RRset that I can see are 1) more
information leaked (but nothing that couldn't be obtained by sending
queries for individual qtypes anyway), and 2) modestly larger response
size (but still a lot better than unminimized ANY responses).

Perhaps both approaches should be described in the draft.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

v2.23.0 | Report a Bug | By Email