Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
Casey Deccio <casey@deccio.net> Wed, 15 July 2015 20:25 UTC
Return-Path: <casey@deccio.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DD891B2A68 for <dnsop@ietfa.amsl.com>; Wed, 15 Jul 2015 13:25:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cW3hNy83d_QO for <dnsop@ietfa.amsl.com>; Wed, 15 Jul 2015 13:25:02 -0700 (PDT)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B63231B2A65 for <dnsop@ietf.org>; Wed, 15 Jul 2015 13:25:02 -0700 (PDT)
Received: by iggp10 with SMTP id p10so130063458igg.0 for <dnsop@ietf.org>; Wed, 15 Jul 2015 13:25:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=deccio.net; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=rwOA/7GfLQv6YC1nH05venRxkuJ0UJcPjjIIqyv9cik=; b=ER51bJRNKebn/x0HRNVuMgCU+1tlVh1RLmukx3mhvL6kEg4HQvtjhamFez8DKpFha0 i5KczhTrhBmbdOX2e4UmObZPuLW6mEStOErI61FE7u3AyepXEyYjD/TLJURFrc20pCBB /6H72AQMp/3L6li+9yMuNdK4g6B/TuS92EIN8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=rwOA/7GfLQv6YC1nH05venRxkuJ0UJcPjjIIqyv9cik=; b=c2v0WnCGNfHcJrTUk0fDRMwyG1gV9jM0tQQaSygwRBIKAKiBo/BjllrDwgfEUSPDmF J6huCj04alKU9jH0tbqZgRwblB8cGD/H/SZj+wD35/iLKCYjQmBWn+szl7iFW5HNq6nt ZPa5nQMq3uHM8P2P9Q7o5PpqeLLXea58D+fiM9uDijsllVA3jbOP0GSVtXtdSBhHkdg9 ZiYzBhUVCa1DizDr4wredfxHcp69KXCB4uLSLG72+uIZlFYLaKns4zx145a6Ys3r5rnS oODwgeYqfj5YBTSm0gTEjJLeYzZ14/oLGwDTiTyp6gniPeY+ptaFQaH8q8S00uvytA8N /ETg==
X-Gm-Message-State: ALoCoQkYKRrbqFj4AwgfEjMoDjfgzkuXhTGRwXFGE3yz0VqLIaUp1mz8BiSUe5eAk1ZWoUQRcSHF
MIME-Version: 1.0
X-Received: by 10.107.162.147 with SMTP id l141mr7024555ioe.77.1436991901992; Wed, 15 Jul 2015 13:25:01 -0700 (PDT)
Received: by 10.50.240.17 with HTTP; Wed, 15 Jul 2015 13:25:01 -0700 (PDT)
In-Reply-To: <20150707.182043.193693838.fujiwara@jprs.co.jp>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <20150707.182043.193693838.fujiwara@jprs.co.jp>
Date: Wed, 15 Jul 2015 16:25:01 -0400
Message-ID: <CAEKtLiSoEu8OUZs56wsm65fqdxtPF49i+m3XfNYAmw3MHPLdew@mail.gmail.com>
From: Casey Deccio <casey@deccio.net>
To: fujiwara@jprs.co.jp
Content-Type: multipart/alternative; boundary="001a1140ff24dd3037051aefbf4c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/p7UklkyR4AAv28_sRP1-EeQ0_8w>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 20:25:05 -0000
Hi, Some thoughts below, strictly on the NSEC/NSEC3 algorithm. They're quite rough, but hopefully they're useful. Cheers, Casey On Tue, Jul 7, 2015 at 5:20 AM, <fujiwara@jprs.co.jp> wrote: > Please check this algorithm. Several times, the phrase "query as usual" is used. However, something might need to be said about the resolver modifying "query as usual" to save NSEC/NSEC3 records associated with wildcard and negative responses in a way that they can be used by the algorithm. For example, the following indexes could be maintained: Indexes: NSEC_TABLE = a canonically ordered mapping of NSEC owner names to NSEC records, grouped by corresponding SOA name NSEC3_TABLE = a canonically ordered mapping of NSEC3 owner names to NSEC3 records, grouped by corresponding SOA name and NSEC3 parameters NSEC3_NAMES = a canonically ordered mapping of names to their corresponding NSEC3-hashed names (or records) QNAME = the query name; > if (QNAME name entry exists in the cache) { > resolve the query as usual; > // if RRSet (query name and query type) exists in the cache, > // the resolver responds the RRSet from the cache > // Otherwise, the resolver needs to iterate the query. > } > > // Find closest enclosing NS RRset in the cache. > // The owner of this NS RRset will be a suffix of the QNAME > // - the longest suffix of any NS RRset in the cache. > SIGNER = closest enclosing NS RRSet of QNAME in the cache; > You should now find the SOA record corresponding to SIGNER. If there is no SOA record in cache, then there are no previously cached negative responses, so you can resolve the query as usual. if (SIGNER zone does not have a special NSEC/NSEC3 data structure) { > Resolve the query as usual; > } > I'm not sure what this means. > if (SIGNER zone is not signed or not validated) { > Resolve the query as usual; > } > You mean here: if the SOA record is not validated (signed is implied by validated). While colloquially we talk about zones being signed, in this case, you want an actual RRset--one that matters at that. The SOA record fits the bill here because of its role with negative responses. > if (SIGNER zone is signed with NSEC) { > While in theory a zone is signed with either NSEC or NSEC3, in practice all that matters is the NSEC or NSEC3 proofs provided in individual responses. While not necessarily desirable, it is entirely possible that subsequent responses could different NSEC/NSEC3 results. Therefore, for algorithm robustness, checking whether a zone is signed with NSEC or NSEC3 is less useful than simply looking at both NSEC and NSEC3 records in the cache. I would eliminate "if SIGNER zone is signed with NSEC" and its corresponding "else"/"else if" altogether. You should really check both NSEC and NSEC3. BEGIN NSEC SECTION if (covering NSEC RR of QNAME at SIGNER zone > doesn't exist in the cache) { > Resolve the query as usual. > } > s/Resolve the query as usual/Go to NSEC3 SECTION/ > > TEST = Find the longest existing domain name of QNAME > from the covering NSEC RR; > You could use the term "closest encloser"/CLOSEST_ENCLOSER instead of "longest existing domain name"/TEST. if (*.TEST name entry exists in the cache) { > the resolver can generate positive response > or resolve the query as usual; > } > s/resolve the query as usual/Go to the NSEC3 SECTION It could be a NODATA response (which is a negative response), if the type doesn't exist. Although, I think that's what you mean by "positive response or resolve the query as usual". > if covering NSEC RR of "*.TEST" at SIGNER zone exists > in the cache { > the resolver can generate negative response; > } > s/resolver can generate negative response/Return synthesized negative response/ > // Lack of information, need to resolve the query as usual > No. move on to NSEC3 now. > } else > if (SIGNER zone is signed with NSEC3 and does not use Opt-Out) { > Eliminate this "else if SIGNER zone is signed with NSEC3 and does not use Opt-out" check too. BEGIN NSEC3 SECTION TEST = SIGNER; > Again, I would look for closest encloser (CLOSEST_ENCLOSER) here (e.g., using the NSEC3_NAMES table). There might be multiple NSEC3 records for a single closest encloser if multiple sets of NSEC3 parameters are used across different responses, but really all you need is one. In this case, you would need to iterate through the different sets of NSEC3 parameters. Once you have the closest encloser, the algorithm looks more (but not entirely) like the NSEC portion above, but with NSEC3 instead. I'm not sure I follow the logic in the previously written NSEC3 section. I've made some modifications below. if (no CLOSEST_ENCLOSER is found) { Go to FALLBACK SECTION } NEXT_CLOSEST_ENCLOSER_PROOF_FOUND = False for each set of parameters corresponding to NSEC3 names in the appropriate zone { if (there is a NSEC3 RR covering the next closest encloser (i.e., CLOSEST_ENCLOSER + one label)) { NEXT_CLOSEST_ENCLOSER_PROOF_FOUND = True } } if ! NEXT_CLOSEST_ENCLOSER_PROOF_FOUND { Go to FALLBACK SECTION } WILDCARD_PROOF_FOUND = False for each set of parameters corresponding to NSEC3 names in the appropriate zone { if (*.CLOSEST _ENCLOSER name entry exists in the cache) { the resolver can generate positive response or Go to FALLBACK SECTION; } if covering NSEC3 RR of "*.NEXT_CLOSEST_ENCLOSER" exists in the cache { WILDCARD_PROOF_FOUND = True } } If WILDCARD_PROOF_FOUND { Return synthesized negative response } BEGIN FALLBACK SECTION // Lack of information, need to resolve the query as usual
- [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-0… fujiwara
- [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-0… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Bob Harold
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Casey Deccio
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Stephane Bortzmeyer
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… P Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Stephane Bortzmeyer
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Paul Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Roy Arends
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Roy Arends
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Evan Hunt
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Ray Bellis
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Tim Wicinski
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Viktor Dukhovni
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Paul Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveu… Shumon Huque