Re: [DNSOP] New Version Notification for draft-liu-dnsop-dns-cache

abby pan <abbypan@gmail.com> Thu, 31 March 2016 19:10 UTC

References: <201603211441020416620@cnnic.cn> <20160325144328.GA19412@nic.fr> <CANLjSvXgBKA1+g5RfrL3w87a3CLsJ39wYaaAb00cwmdOz6Mj0Q@mail.gmail.com> <20160329134729.GA28195@nic.fr> <CANLjSvUvMusSPPHw9u=FD7YO0KAZvs9B0UtWboscCMG5VDycdA@mail.gmail.com> <f152e300-ab31-49c0-2103-e300d2a5cfe5@bogus.com>
In-Reply-To: <f152e300-ab31-49c0-2103-e300d2a5cfe5@bogus.com>
From: abby pan <abbypan@gmail.com>
Date: Thu, 31 Mar 2016 19:10:03 +0000
Message-ID: <CANLjSvUsybrDu_wqAt24fnoYxoZeO=TnpAUGM-1hoQRcji1dOw@mail.gmail.com>
To: joel jaeggli <joelja@bogus.com>, Stephane Bortzmeyer <bortzmeyer@nic.fr>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/qe8Lc0NwcRPDAGfCsE_JdkuFPw4>
Cc: gengguanggang <gengguanggang@cnnic.cn>, 成 鹏 <max.ldp@alibaba-inc.com>, dnsop <dnsop@ietf.org>, "刘志辉(乘黄)" <chenghuang.lzh@alibaba-inc.com>, panlanlan <panlanlan@cnnic.cn>
Subject: Re: [DNSOP] New Version Notification for draft-liu-dnsop-dns-cache
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

joel jaeggli <joelja@bogus.com> wrote on Fri, 1 Apr 2016 at 02:35:

>
> >
> >     > 2) baidu dns hijack(2010):
> >     > http://www.zdnet.com/article/baidu-dns-records-hijacked-by-iranian-cyber-army/
> >
> >     This paper says it was purely social engineering on the registrar. No
> >     change in the DNS would help.
> >
> > if the cache can temporarily prolong the TTL of the baidu NS, that will help.
>
> It actually can't really, unless you're proposing that a recursive
> resolver refuse to honor the NS/SOA after TTL expiration. That makes it
> rather hard to change providers, transfer zones or replace nameservers,
> which are of course reasons why you would have a lower TTL on such
> records anyway.
>
> If you're suggesting that large content providers' zones are sufficiently
> ossified that they never change or are re/delegated, well, that isn't true.
>
Yeah, totally agree with you; we all want NS RR changes to spread fast
with a short TTL in the normal case.

The prolong-TTL action is activated in the "rescue case" as above:
when the cache encounters baidu.com's new NS record (hijack), and almost
all queries for *.baidu.com fail through the "new" NS,
the cache can roll back to the "old" NS of baidu.com, and prolong its TTL, to
ensure DNS queries succeed.

Normal NS changes are not affected.
-- 

Best Regards

Pan Lanlan
Tel: +86 186 9834 2356
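The "rescue case" described in this message, as an added example for this archive page (not code from draft-liu-dnsop-dns-cache, from the poster, or from any real resolver): a small per-zone NS cache model in which a newly learned NS set goes on probation, the cache reports the outcome of each query sent through it, and if nearly all of those queries fail the cache rolls back to the previous NS set and prolongs that set's TTL. The zone and server names, the 90% failure ratio, the 20-query probation window and the 3600 s rescue TTL are all assumed values.

```python
"""Model of the "rescue case" NS-rollback policy discussed in this message.

Added example for this archive page; it is not code from draft-liu-dnsop-dns-cache
or from any resolver. Thresholds, the rescue TTL and all names are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional


@dataclass
class NSSet:
    names: FrozenSet[str]   # NS hostnames of the zone
    expires: float          # absolute time at which this cached RRset expires


@dataclass
class ZoneState:
    current: NSSet                    # NS set most recently learned for the zone
    previous: Optional[NSSet] = None  # NS set in use before the last change (rescue target)
    attempts: int = 0                 # queries sent through `current` since the change
    failures: int = 0                 # of those, how many failed (timeout/SERVFAIL/REFUSED)
    rolled_back: bool = False         # True while the cache serves `previous` instead


class RescueCache:
    """Per-zone NS cache: a new NS set is on probation; if nearly all queries
    through it fail, fall back to the old set and prolong that set's TTL."""

    def __init__(self, *, failure_ratio: float = 0.9, min_attempts: int = 20,
                 rescue_ttl: int = 3600, clock: Callable[[], float] = time.time):
        self.failure_ratio = failure_ratio   # assumed: >= 90% failures => hijack-like
        self.min_attempts = min_attempts     # assumed probation window
        self.rescue_ttl = rescue_ttl         # assumed prolonged TTL for the old set
        self.clock = clock
        self.zones: Dict[str, ZoneState] = {}

    def learn_ns(self, zone: str, names: Iterable[str], ttl: int) -> None:
        """Record a freshly received NS RRset for `zone`."""
        fresh = NSSet(frozenset(names), self.clock() + ttl)
        state = self.zones.get(zone)
        if state is None:
            self.zones[zone] = ZoneState(fresh)
            return
        if fresh.names == state.current.names:
            state.current.expires = fresh.expires   # same set: only the TTL is refreshed
            return
        if state.rolled_back and fresh.names == state.previous.names:
            state.previous = None     # delegation restored to the set we fell back to
        elif not state.rolled_back:
            state.previous = state.current          # old set kept only as rescue target
        # While rolled back, `previous` stays the known-good set and the newest
        # set replaces the failing one, going on probation in turn.
        state.current = fresh
        state.rolled_back = False
        state.attempts = state.failures = 0

    def nameservers(self, zone: str) -> FrozenSet[str]:
        """NS set the resolver should query for `zone` now."""
        state = self.zones[zone]
        chosen = state.previous if state.rolled_back else state.current
        if chosen.expires <= self.clock():
            raise KeyError(f"cached NS for {zone} expired; refetch from the parent")
        return chosen.names

    def report(self, zone: str, ok: bool) -> bool:
        """Feed back the outcome of one query sent to nameservers(zone).
        Returns True if this report triggered a rollback to the previous NS set."""
        state = self.zones[zone]
        if state.rolled_back or state.previous is None:
            return False                            # nothing on probation
        state.attempts += 1
        if not ok:
            state.failures += 1
        if state.attempts < self.min_attempts:
            return False
        if state.failures / state.attempts >= self.failure_ratio:
            # Rescue: serve the old NS set again and prolong its TTL so it does
            # not fall out of the cache while the new delegation is unusable.
            state.previous.expires = self.clock() + self.rescue_ttl
            state.rolled_back = True
            return True
        state.previous = None   # probation passed: normal NS change, old set may expire
        return False


def simulate() -> dict:
    """Run a normal NS change and a hijack-like change through one cache."""
    now = [1_000_000.0]                            # fake clock for a deterministic run
    cache = RescueCache(clock=lambda: now[0])
    old = {"ns1.example.net", "ns2.example.net"}   # constructed names, not real delegations
    new_good = {"ns3.example.net", "ns4.example.net"}
    new_bad = {"ns1.attacker.example"}

    cache.learn_ns("good.example", old, ttl=300)
    cache.learn_ns("good.example", new_good, ttl=300)
    for _ in range(25):                            # new servers answer: no rollback
        cache.report("good.example", ok=True)
    good_ns = cache.nameservers("good.example")

    cache.learn_ns("victim.example", old, ttl=300)
    cache.learn_ns("victim.example", new_bad, ttl=300)
    rolled = False
    for i in range(25):                            # ~5% of queries succeed
        rolled |= cache.report("victim.example", ok=(i % 20 == 0))
    now[0] += 600                                  # well past the old set's 300 s TTL
    return {"good_ns": good_ns, "victim_rolled_back": rolled,
            "victim_ns": cache.nameservers("victim.example")}


if __name__ == "__main__":
    print(simulate())
```

In this model `report()` judges a delegation only during its probation window, so a legitimate NS change whose new servers answer is left alone and the old set is allowed to expire normally. What the rollback keys on is query failure, not who controls the zone: a change whose new servers fail is rolled back whether the cause is a hijack or a broken migration, and a hijacker whose servers do answer queries will not trip it.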