Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt

Tom Pusateri <> Fri, 24 August 2018 03:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 32D61130DCD for <>; Thu, 23 Aug 2018 20:45:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HRP3s-l55MF4 for <>; Thu, 23 Aug 2018 20:45:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 396F3130DCC for <>; Thu, 23 Aug 2018 20:45:00 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 2C4522E00; Thu, 23 Aug 2018 23:40:46 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Tom Pusateri <>
In-Reply-To: <>
Date: Thu, 23 Aug 2018 23:44:57 -0400
Cc: Tim Wattenberg <>, dnsop WG <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Paul Vixie <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Aug 2018 03:45:03 -0000


Thanks for the feedback!

An RRset isn’t granular enough because the components of the set could come from different clients with different timeout values.
Therefore, a unique identifier is needed for each record. The hash provides that unique identifier since it is calculated over the entire record including the unique RDATA.

The contents of the TIMEOUT RDATA field are not encrypted. The list of hashes are the list of unique identifiers. If each record had a unique identifier, we could use that instead but because they don’t, we create one with the hash.

The AAAA._TIMEOUT.FSI.IO idea is a neat one that we hadn’t thought of but it isn’t unique to a record with a potentially different timeout value from a different client and only works if all the members of the RRset have the same timeout.

We’ll take a look at your TTL concern and your previous draft.



> On Aug 23, 2018, at 9:23 PM, Paul Vixie <> wrote:
> tom, tim, thanks for this. i have two concerns, and three observations.
> concern #1 is about this text:
>>   3.  TIMEOUT resource records are not automatically sent in AXFR, IXFR
>>       zone transfer requests.  Both primary and secondary servers
>>       should be configured on a per zone basis to transfer TIMEOUT
>>       resource records to ensure they are supported.
> this is impractical given the high automation usually now involved in primary/secondary AXFR and IXFR relationships. i suggest negotiating for this with an OPT RR in the AXFR or IXFR request, indicating whether the initiator ("secondary" in this document) supports TIMEOUT or not.
> concern #2:
> you don't appear to have addressed TTL overrun here. it's necessary for a record which will expire to have a declining TTL as that expiry time nears. if it's always been 3600, then when you're within one hour of expiry time, returned TTL has to be reduced to whatever time remains.
> observation #1:
> none of the crypto seems nec'y. i would not quibble about it except that since it is crypto it will have to morph over time to become stronger against growing brute-force attacks and vuln research. this puts a maintainance burden on the community every time we encode crypto into a protocol. can you explain why the TIMEOUT RDATA isn't in clear text?
> observation #2:
> might you arrange for an _-related schema, so that each RRset having a TIMEOUT can have those records as a niece/nephew domain? for WWW.FSI.IO AAAA, the TIMEOUT would be at AAAA._TIMEOUT.FSI.IO, in this case.
> observation #3:
> this was all considered previously. most recently it was the subject of an apple patent (EP1759516) by cheshire and sekar. first and foremost it was proposed in the old DNSIND working group by myself, in 1996. you don't have to worry about the patent, due to my prior art. since the draft is expired, i've put a copy online here:
> the IETF DNSIND WG rejected this draft on the basis of its complexity. the idea of a zone having timers inside it, for self-modification, was just a bridge too far at that time. given what is now called "the camel" i think pendulum has swung _well_ away from that point of view, but is now in the process of swinging back. if i had hope, i would submit DEFUPD again, exactly as it was in 1996, because it still deftly threads the needle posed by UPDATE. your needs may differ.
> "good luck storming the castle, boys!" (_The Princess Bride_)
> vixie
> re:
> _______________________________________________
> DNSOP mailing list