IETF Logo Mail Archive

Re: [DNSOP] Measuring DNS TTL Violations in the wild

Joe Abley <jabley@hopcount.ca> Wed, 06 December 2017 11:17 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 069C61286B1 for <dnsop@ietfa.amsl.com>; Wed, 6 Dec 2017 03:17:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2g3YN70KYsLZ for <dnsop@ietfa.amsl.com>; Wed, 6 Dec 2017 03:17:39 -0800 (PST)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1D20124205 for <DNSOP@ietf.org>; Wed, 6 Dec 2017 03:17:39 -0800 (PST)
Received: by mail-it0-x22e.google.com with SMTP id d137so6669009itc.2 for <DNSOP@ietf.org>; Wed, 06 Dec 2017 03:17:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Lvyj7PLqaTF5rVu0YphxBxHgf54wqPDWYuilfkX+/L0=; b=FeRjktH53rBoT4Gh9XqMCaj6WiurJQXneT5NPsIlp1+DQCBJRyBcgAb7gN70LF2F0S 7k6kDU+5iV5JDlwfYAb1cEen5WMPAMMrkMsnJr4Vn5E85fLwDU0Uq5yaVIUTvMS0xdqP +3NlnvNM1pEufax3sWhh4RcqNytmYXn8X1i8s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Lvyj7PLqaTF5rVu0YphxBxHgf54wqPDWYuilfkX+/L0=; b=EohNoJUeUHozf3uhvq92nkvIwRNCh1fL/DN3QhwHzEF8gOs9RYF2ryWdYbG5FmUcI9 4Va0G4dmkANusV3gYlnHcWjqzPjJw/vtj/RSOdTU9MNuuWcTF520e+XhBWTox9YKjzfd tTZJoM6Z2w/KDetIJTNnHp5C0hHAextUb1layPZRg+IznvQGlylZ0lPKDpL7JDCGW/Zp xhk8lSbxlUyxV3iNvMcw6bKVIX8Cq7amw3uK+PrWUvFN+M8eF25AiU3MlnqTWn47gi4E 19MVy4GiXiG0irJH3Kx9qUn8ek/DLK4VYsyKRVKy2sUHaOT4MBVqC0qcQWmzOgAtwKTJ kRTw==
X-Gm-Message-State: AKGB3mIRr7WWdXPBJHZaHiZ5FOVMX0qYlgkBmgT6r+OaP7zOrca34krC H6vx6qeM9i8JQOnW3COaYNINlzefdVw=
X-Google-Smtp-Source: AGs4zMbwXhpCI+UyvosJf0qWvxROurjHojoM1VG0XFfobO30IMv9MKxxcruz66rr0T5Usl7dlUUBRg==
X-Received: by 10.36.22.147 with SMTP id a141mr22085618ita.30.1512559058537; Wed, 06 Dec 2017 03:17:38 -0800 (PST)
Received: from ?IPv6:2607:f2c0:101:3:644f:842a:4298:8bca? ([2607:f2c0:101:3:644f:842a:4298:8bca]) by smtp.gmail.com with ESMTPSA id r190sm1259644iod.7.2017.12.06.03.17.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Dec 2017 03:17:37 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Joe Abley <jabley@hopcount.ca>
X-Mailer: iPad Mail (15C114)
In-Reply-To: <CANLjSvVwtdseYdQ31w695rvyy=rup=qyqHee5RBupgcChYhbDA@mail.gmail.com>
Date: Wed, 06 Dec 2017 06:17:36 -0500
Cc: Mukund Sivaraman <muks@isc.org>, Ólafur Guðmundsson <olafur@cloudflare.com>, "Wessels, Duane" <dwessels@verisign.com>, "Giovane C. M. Moura" <giovane.moura@sidn.nl>, dnsop <DNSOP@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E208A578-00E8-4F56-B170-2BA83BAB8638@hopcount.ca>
References: <aec2510c-e543-6c4a-873d-5c2db7df5a78@sidn.nl> <CAN6NTqytiDj-FfixD6aKD4AKa5oik7SEtP=82JhP4GR=SyWjYw@mail.gmail.com> <9E8E7EAA-7D37-4841-9144-F49C216ABD7B@verisign.com> <CAN6NTqx2Gq5XK6VDz-dVSbL8k5Yg8G=xM12qdQJHsBP=fp6pCw@mail.gmail.com> <20171202143925.GA20446@jurassic.lan.banu.com> <CANLjSvVwtdseYdQ31w695rvyy=rup=qyqHee5RBupgcChYhbDA@mail.gmail.com>
To: Lanlan Pan <abbypan@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/r1yDnUKLS2aMo0uUh9NeDtDwLHQ>
Subject: Re: [DNSOP] Measuring DNS TTL Violations in the wild
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Dec 2017 11:17:41 -0000

On Dec 5, 2017, at 23:04, Lanlan Pan <abbypan@gmail.com> wrote:

> Some authorititatives set the NS RR TTL<60s, they don't follow the best practice guide.

The trouble here is understanding the motivations of any particular parameter, and doing so at scale.

You could assume as a resolver operator that a zone manager (note, not an authoritative server operator) has made a mistake when you get a response with a low TTL, or you could take the position that it's not your business to make such inferences.

Local policy to meet your own objectives in the operation of your resolver is different from seeking to correct decisions made by zone managers. Assuming errors (hence "correction") is a slippery slope to having no single source of truth.

There are protocol design decisions relating to TTLs that relate to metadata that a resolver operator *can't* reasonably adust, like signature validity periods.

More philosophically, the loose-coherency and data persistence associated with caching works because its boundaries are understood. The ability to use the system as a whole relies upon an explicit contract between zone manager and resolver operator, and if that contract fractures, applications and user-experience will follow. Any changes to the contract (and I'm not suggesting there can't be changes) need to be conservative, well documented and carefully implemented. Playing fast and loose with the interpretation of TTLs on every other resolver doesn't sound like any of those things.


Joe

v2.37.1 | Report a Bug | By Email | System Status