Re: [DNSOP] Fwd: New Version Notification for draft-muks-dnsop-dns-opportunistic-refresh-00.txt

Matthijs Mekking <> Tue, 04 July 2017 07:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3C255131A40 for <>; Tue, 4 Jul 2017 00:31:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MfXZ_hD8ffVi for <>; Tue, 4 Jul 2017 00:31:11 -0700 (PDT)
Received: from ( [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7C3CC131A38 for <>; Tue, 4 Jul 2017 00:30:59 -0700 (PDT)
Received: from [IPv6:2001:981:19be:1:74df:1ae0:7501:ee46] (unknown [IPv6:2001:981:19be:1:74df:1ae0:7501:ee46]) by (Postfix) with ESMTPSA id 3E1CABD24 for <>; Tue, 4 Jul 2017 09:30:57 +0200 (CEST)
Authentication-Results:; dmarc=none
References: <> <>
From: Matthijs Mekking <>
Message-ID: <>
Date: Tue, 4 Jul 2017 09:30:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-muks-dnsop-dns-opportunistic-refresh-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Jul 2017 07:31:14 -0000


I already said this in private, but will also mention it here: I like
this idea.

Some initial comments:

1. Why actually define a new option for this. Since the option only uses
one bit to request/acknowledge opportunistic refresh, can't we use one
bit from the Z field from the OPT Record TTL Field?

2. The draft says:

  If Client Subnet [RFC7871] is enabled, resource records in the
  cache may be associated with a subnet.  In these cases, the
  resolver MUST ensure that the zone serial number associated with
  such records is obtained from an SOA record associated with the
  identical subnet.

But a SOA record is not associated with a subnet, and most likely will
return with a SCOPE of 0 since the option is not actually used to
generate the response. Typically with Client Subnet only address records
(A, AAAA) will result in a tailored response. Also, an authoritative
name server may generate a different response for QTYPE=AAAA while the
SOA record has not changed.

It would be tricky to make opportunistic refresh work with Client
Subnet. It would definitely require more thought, but I would also be
fine with just specifying it does not work with ECS.

3. Security Considerations

I think this could use some words on the risk that an adversary tries to
make a record stick in the cache for longer than it is allowed, by
spoofing a response with an additional SOA record (this can be stopped
with DNSSEC obviously).

Best regards,

On 03-07-17 13:36, Stephen Morris wrote:
> Hi
> We have submitted a new draft which attempts to formalize an idea that
> has been kicking around for a couple of years, namely to use serial
> number information from DNS responses to determine whether stale records
> in a cache can be refreshed without the need for an upstream query.
> Please send comments and feedback to the list.
> Stephen
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-muks-dnsop-dns-opportunistic-refresh-00.txt
> Date: Fri, 30 Jun 2017 13:41:45 -0700
> From:
> To: Mukund Sivaraman <>;, Shane Kerr
> <>;, Stephen Morris <>;
> A new version of I-D, draft-muks-dnsop-dns-opportunistic-refresh-00.txt
> has been successfully submitted by Mukund Sivaraman and posted to the
> IETF repository.
> Name:		draft-muks-dnsop-dns-opportunistic-refresh
> Revision:	00
> Title:		DNS Opportunistic Refresh for Resolvers
> Document date:	2017-06-29
> Group:		Individual Submission
> Pages:		9
> URL:
> Status:
> Htmlized:
> Htmlized:
> Abstract:
>    This document describes a mechanism whereby a DNS resolver can
>    opportunistically refresh the TTLs of cached records of a zone using
>    serial number information carried in responses from the zone's
>    nameservers.  As well as improving resolver response time by reducing
>    the need to make upstream queries, the mechanism can also reduce the
>    workload of authoritative servers.
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> The IETF Secretariat
> _______________________________________________
> DNSOP mailing list