Re: [DNSOP] Fwd: New Version Notification for draft-muks-dnsop-dns-opportunistic-refresh-00.txt
Matthijs Mekking <matthijs@pletterpet.nl> Tue, 04 July 2017 07:31 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C255131A40 for <dnsop@ietfa.amsl.com>; Tue, 4 Jul 2017 00:31:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MfXZ_hD8ffVi for <dnsop@ietfa.amsl.com>; Tue, 4 Jul 2017 00:31:11 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C3CC131A38 for <dnsop@ietf.org>; Tue, 4 Jul 2017 00:30:59 -0700 (PDT)
Received: from [IPv6:2001:981:19be:1:74df:1ae0:7501:ee46] (unknown [IPv6:2001:981:19be:1:74df:1ae0:7501:ee46]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 3E1CABD24 for <dnsop@ietf.org>; Tue, 4 Jul 2017 09:30:57 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: dnsop@ietf.org
References: <149885530587.4596.14298730912579200188.idtracker@ietfa.amsl.com> <185af195-dac6-1438-916f-c9b6d73df644@isc.org>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <83761c92-b5c4-7927-8897-718741fe1c6b@pletterpet.nl>
Date: Tue, 04 Jul 2017 09:30:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <185af195-dac6-1438-916f-c9b6d73df644@isc.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qIaskqXKiz1zYUo8wl7ZDwjbfzE>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-muks-dnsop-dns-opportunistic-refresh-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2017 07:31:14 -0000
Hi, I already said this in private, but will also mention it here: I like this idea. Some initial comments: 1. Why actually define a new option for this. Since the option only uses one bit to request/acknowledge opportunistic refresh, can't we use one bit from the Z field from the OPT Record TTL Field? 2. The draft says: If Client Subnet [RFC7871] is enabled, resource records in the cache may be associated with a subnet. In these cases, the resolver MUST ensure that the zone serial number associated with such records is obtained from an SOA record associated with the identical subnet. But a SOA record is not associated with a subnet, and most likely will return with a SCOPE of 0 since the option is not actually used to generate the response. Typically with Client Subnet only address records (A, AAAA) will result in a tailored response. Also, an authoritative name server may generate a different response for QTYPE=AAAA while the SOA record has not changed. It would be tricky to make opportunistic refresh work with Client Subnet. It would definitely require more thought, but I would also be fine with just specifying it does not work with ECS. 3. Security Considerations I think this could use some words on the risk that an adversary tries to make a record stick in the cache for longer than it is allowed, by spoofing a response with an additional SOA record (this can be stopped with DNSSEC obviously). Best regards, Matthijs On 03-07-17 13:36, Stephen Morris wrote: > Hi > > We have submitted a new draft which attempts to formalize an idea that > has been kicking around for a couple of years, namely to use serial > number information from DNS responses to determine whether stale records > in a cache can be refreshed without the need for an upstream query. > > Please send comments and feedback to the list. > > Stephen > > > > -------- Forwarded Message -------- > Subject: New Version Notification for > draft-muks-dnsop-dns-opportunistic-refresh-00.txt > Date: Fri, 30 Jun 2017 13:41:45 -0700 > From: internet-drafts@ietf.org > To: Mukund Sivaraman <muks@isc.org>, Shane Kerr > <shane@timetravellers.org>, Stephen Morris <stephen@isc.org> > > > A new version of I-D, draft-muks-dnsop-dns-opportunistic-refresh-00.txt > has been successfully submitted by Mukund Sivaraman and posted to the > IETF repository. > > Name: draft-muks-dnsop-dns-opportunistic-refresh > Revision: 00 > Title: DNS Opportunistic Refresh for Resolvers > Document date: 2017-06-29 > Group: Individual Submission > Pages: 9 > URL: > https://www.ietf.org/internet-drafts/draft-muks-dnsop-dns-opportunistic-refresh-00.txt > Status: > https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-opportunistic-refresh/ > Htmlized: > https://tools.ietf.org/html/draft-muks-dnsop-dns-opportunistic-refresh-00 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-muks-dnsop-dns-opportunistic-refresh-00 > > > Abstract: > This document describes a mechanism whereby a DNS resolver can > opportunistically refresh the TTLs of cached records of a zone using > serial number information carried in responses from the zone's > nameservers. As well as improving resolver response time by reducing > the need to make upstream queries, the mechanism can also reduce the > workload of authoritative servers. > > > > > Please note that it may take a couple of minutes from the time of > submission until the htmlized version and diff are available at > tools.ietf.org. > > The IETF Secretariat > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Fwd: New Version Notification for draft-m… Stephen Morris
- Re: [DNSOP] Fwd: New Version Notification for dra… Robert Edmonds
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking