Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt
Evan Hunt <each@isc.org> Thu, 01 October 2015 05:08 UTC
Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AB121B29A7 for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 22:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.311
X-Spam-Level:
X-Spam-Status: No, score=-6.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WKXP9x8ll4Eb for <dnsop@ietfa.amsl.com>; Wed, 30 Sep 2015 22:08:54 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A01061B29A3 for <dnsop@ietf.org>; Wed, 30 Sep 2015 22:08:54 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id ABA0E1FCD59; Thu, 1 Oct 2015 05:08:51 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 79007216C57; Thu, 1 Oct 2015 05:08:50 +0000 (UTC)
Date: Thu, 01 Oct 2015 05:08:50 +0000
From: Evan Hunt <each@isc.org>
To: Joe Abley <jabley@hopcount.ca>
Message-ID: <20151001050850.GA51763@isc.org>
References: <20150930190405.17300.40441.idtracker@ietfa.amsl.com> <20151001025833.GA51655@isc.org> <0F438B6C-4797-4250-ABCA-4C5AE1D5F232@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0F438B6C-4797-4250-ABCA-4C5AE1D5F232@hopcount.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/oQa6pmUMnXLV1DuB7SmUHUS5YyM>
Cc: dnsop <dnsop@ietf.org>, Ólafur Guðmundsson <olafuratcloudflare.com@isc.org>
Subject: Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2015 05:08:56 -0000
On Wed, Sep 30, 2015 at 11:28:45PM -0400, Joe Abley wrote: > 1. Return an unsigned response. This will be marked as bogus, and > trigger a QTYPE=HINFO re-query that will either return an actual signed > HINFO from the zone or a signed proof of non-existence. We think. I > haven't actually tested that a re-query will happen, but Olafur is > confident. :-) I haven't tested it either, but that is not what I would expect. If the resolver gets a bogus response to a query of type ANY, I would expect it to try the same query at another name server, until it had exhausted all authoritative name servers, and then reply with SERVFAIL. > 2. Sign the HINFO RR as it is synthesised (or pre-sign one, to avoid the > edge authority servers needing access to a signing key). Pre-signing essentially reduces to adding an empty HINFO to every node in every zone, then using the pick-one-RRset method, but ensuring that HINFO is always selected first. > That is true. However, one of the use-cases for this approach is a > nameserver for which a search for records present at a particular owner > name (as would normally be performed when responding to an ANY query) is > expensive. It's not at all obvious to me that this is cheaper. With either method, you have to search down through the zone to find out whether the node exists (otherwise you'd be returning NXDOMAIN, rather than a minimized response). Since you're doing that search anyway, choosing an RRset to return is pretty cheap. And actually, you really *should* also look through the RRsets at the node to make sure there isn't a non-empty HINFO record before you synthesize an empty one, and if you're doing *that* anyway, choosing an RRset wouldn't cost any more and could well cost less. Assuming we aren't considering the possibility of native HINFO records, I agree that synthesizing an unsigned HINFO would be little quicker than pulling an RRset out of the node, but not *so* much quicker as to seem obviously worthwhile. And for signed zones, synthesizing a signed HINFO would almost certainly be slower, while returning a pre-signed HINFO would be no faster than choosing an RRset. The disadvantages of pick-one-RRset that I can see are 1) more information leaked (but nothing that couldn't be obtained by sending queries for individual qtypes anyway), and 2) modestly larger response size (but still a lot better than unminimized ANY responses). Perhaps both approaches should be described in the draft. -- Evan Hunt -- each@isc.org Internet Systems Consortium, Inc.
- [DNSOP] Fwd: New Version Notification for draft-j… Ólafur Guðmundsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-ja… Joe Abley
- Re: [DNSOP] New Version Notification for draft-ja… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-ja… Joe Abley
- Re: [DNSOP] New Version Notification for draft-ja… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-ja… Dick Franks
- Re: [DNSOP] New Version Notification for draft-ja… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-ja… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-ja… Ólafur Guðmundsson
- Re: [DNSOP] New Version Notification for draft-ja… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-ja… Dave Lawrence
- Re: [DNSOP] New Version Notification for draft-ja… Ólafur Guðmundsson
- Re: [DNSOP] New Version Notification for draft-ja… Mark Andrews