Re: [DNSOP] Fwd: New Version Notification for draft-muks-dnsop-dns-opportunistic-refresh-00.txt

Matthijs Mekking <matthijs@pletterpet.nl> Tue, 04 July 2017 07:31 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C255131A40 for <dnsop@ietfa.amsl.com>; Tue, 4 Jul 2017 00:31:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MfXZ_hD8ffVi for <dnsop@ietfa.amsl.com>; Tue, 4 Jul 2017 00:31:11 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C3CC131A38 for <dnsop@ietf.org>; Tue, 4 Jul 2017 00:30:59 -0700 (PDT)
Received: from [IPv6:2001:981:19be:1:74df:1ae0:7501:ee46] (unknown [IPv6:2001:981:19be:1:74df:1ae0:7501:ee46]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 3E1CABD24 for <dnsop@ietf.org>; Tue, 4 Jul 2017 09:30:57 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: dnsop@ietf.org
References: <149885530587.4596.14298730912579200188.idtracker@ietfa.amsl.com> <185af195-dac6-1438-916f-c9b6d73df644@isc.org>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <83761c92-b5c4-7927-8897-718741fe1c6b@pletterpet.nl>
Date: Tue, 4 Jul 2017 09:30:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <185af195-dac6-1438-916f-c9b6d73df644@isc.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qIaskqXKiz1zYUo8wl7ZDwjbfzE>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-muks-dnsop-dns-opportunistic-refresh-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2017 07:31:14 -0000

Hi,

I already said this in private, but will also mention it here: I like
this idea.

Some initial comments:


1. Why actually define a new option for this. Since the option only uses
one bit to request/acknowledge opportunistic refresh, can't we use one
bit from the Z field from the OPT Record TTL Field?


2. The draft says:

  If Client Subnet [RFC7871] is enabled, resource records in the
  cache may be associated with a subnet.  In these cases, the
  resolver MUST ensure that the zone serial number associated with
  such records is obtained from an SOA record associated with the
  identical subnet.

But a SOA record is not associated with a subnet, and most likely will
return with a SCOPE of 0 since the option is not actually used to
generate the response. Typically with Client Subnet only address records
(A, AAAA) will result in a tailored response. Also, an authoritative
name server may generate a different response for QTYPE=AAAA while the
SOA record has not changed.

It would be tricky to make opportunistic refresh work with Client
Subnet. It would definitely require more thought, but I would also be
fine with just specifying it does not work with ECS.


3. Security Considerations

I think this could use some words on the risk that an adversary tries to
make a record stick in the cache for longer than it is allowed, by
spoofing a response with an additional SOA record (this can be stopped
with DNSSEC obviously).


Best regards,
  Matthijs




On 03-07-17 13:36, Stephen Morris wrote:
> Hi
> 
> We have submitted a new draft which attempts to formalize an idea that
> has been kicking around for a couple of years, namely to use serial
> number information from DNS responses to determine whether stale records
> in a cache can be refreshed without the need for an upstream query.
> 
> Please send comments and feedback to the list.
> 
> Stephen
> 
> 
> 
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-muks-dnsop-dns-opportunistic-refresh-00.txt
> Date: Fri, 30 Jun 2017 13:41:45 -0700
> From: internet-drafts@ietf.org
> To: Mukund Sivaraman <muks@isc.org>;, Shane Kerr
> <shane@timetravellers.org>;, Stephen Morris <stephen@isc.org>;
> 
> 
> A new version of I-D, draft-muks-dnsop-dns-opportunistic-refresh-00.txt
> has been successfully submitted by Mukund Sivaraman and posted to the
> IETF repository.
> 
> Name:		draft-muks-dnsop-dns-opportunistic-refresh
> Revision:	00
> Title:		DNS Opportunistic Refresh for Resolvers
> Document date:	2017-06-29
> Group:		Individual Submission
> Pages:		9
> URL:
> https://www.ietf.org/internet-drafts/draft-muks-dnsop-dns-opportunistic-refresh-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-opportunistic-refresh/
> Htmlized:
> https://tools.ietf.org/html/draft-muks-dnsop-dns-opportunistic-refresh-00
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-muks-dnsop-dns-opportunistic-refresh-00
> 
> 
> Abstract:
>    This document describes a mechanism whereby a DNS resolver can
>    opportunistically refresh the TTLs of cached records of a zone using
>    serial number information carried in responses from the zone's
>    nameservers.  As well as improving resolver response time by reducing
>    the need to make upstream queries, the mechanism can also reduce the
>    workload of authoritative servers.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
> 
> The IETF Secretariat
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>