Re: [DNSOP] Updated cheese-shop.
神明達哉 <jinmei@wide.ad.jp> Sat, 27 February 2016 00:05 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86CBE1B3429 for <dnsop@ietfa.amsl.com>; Fri, 26 Feb 2016 16:05:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.378
X-Spam-Level:
X-Spam-Status: No, score=-0.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, J_CHICKENPOX_84=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qDOQb1pIDLer for <dnsop@ietfa.amsl.com>; Fri, 26 Feb 2016 16:05:17 -0800 (PST)
Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B191C1B3426 for <dnsop@ietf.org>; Fri, 26 Feb 2016 16:05:17 -0800 (PST)
Received: by mail-ig0-x235.google.com with SMTP id hb3so44793904igb.0 for <dnsop@ietf.org>; Fri, 26 Feb 2016 16:05:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=mRlBTxS15Zip+HtZGLj4vpMfBGegSPZJjIH1IDh8Zfw=; b=M0WNfrCTvTciEO/4DYtR2aA89w1APQ2hYV8JxUHXJZiWzjfcIzaX+iAZQRsgEmMi4T HP2jhUIqYEIiZ6w15czXJoJfemxo7FBfqsyDVzLWp8EjxgSsrUsEH2A7habh5i1VWMPB uWmB4S0v7Vz2nxHrwJ8vdj6i7ODJrqKjEyBZUdnxoW+Yu0ew3XYFr3XiiM79vuP6YQ0H S9E1MYmDw0K4Kp/DTS/od/8kXKRzQ9ipwWhCt4hNu0kexTLO7vZ06ugnA0RHz917NBh2 ddrLuGyuncpceMBDO+HdAYmZFebtCsOR7qm/LWKSGTp2Ul1IAU77UWeEInDnVmFnuLnt DTmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=mRlBTxS15Zip+HtZGLj4vpMfBGegSPZJjIH1IDh8Zfw=; b=QB21oDAPKgCfUSNujMF+rDTz8wnBaGW6mR42hwFPUFE0lVw9+lZsrwKjYCeRD/TXwZ JQkvPWI1PEh3ZzRAJgR5g/FFg2kXqjRRNrpGkF+78gdQQDhFmHW+LnM9IEsfw0M+xLl0 MZDjly1/oOVgPSU1XJzI0fHvqOdXRhMy2wOQ31yKpJEgRnCfTf1VlReP3JxAs9YEX672 8TozOIplPs+kT2QThsOcY7wd/1d3fJpcfj8DUCc52n2bUcvFtyB11QkmpRRFsFRgbWK6 83lAmSq9mUthJ1IGEbfO2o41pFlbFmPgi6PgReA5UoQti4DUeRW4EK/uxXgQNkftqu01 9QKg==
X-Gm-Message-State: AD7BkJKtKFqAAnJLUfeyNpv5SavtxAdC39nWnlt+BXy1pr2F4/h8qTp5aKISLVJtaJ57CKOAFmLUKlNfYNi7eA==
MIME-Version: 1.0
X-Received: by 10.50.78.227 with SMTP id e3mr518639igx.64.1456531517031; Fri, 26 Feb 2016 16:05:17 -0800 (PST)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.169.35 with HTTP; Fri, 26 Feb 2016 16:05:16 -0800 (PST)
In-Reply-To: <CAHw9_i+qiU+rMcPHfv=EnogiwuMJzoaTi8a_KUWSepbLd7j6ug@mail.gmail.com>
References: <CAHw9_i+qiU+rMcPHfv=EnogiwuMJzoaTi8a_KUWSepbLd7j6ug@mail.gmail.com>
Date: Fri, 26 Feb 2016 16:05:16 -0800
X-Google-Sender-Auth: mo63YAlODuGM1EEke3vLE0kTkAY
Message-ID: <CAJE_bqc2Uf+g9vV4a3jiMT03C7O7EJ+=PvQzQ7_3dnWRJdKD8Q@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Warren Kumari <warren@kumari.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/zKig99_PGmSlyLGZLf0t5qlEA5c>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Updated cheese-shop.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Feb 2016 00:05:19 -0000
At Thu, 25 Feb 2016 04:58:11 +0000, Warren Kumari <warren@kumari.net> wrote: > We have recently updated "Believing NSEC records in the DNS root" ( > https://tools.ietf.org/html/draft-wkumari-dnsop-cheese-shop-01). > > This incorporates some comments, but also does a better job of explaining > the technique, what the benefits are, and why we are only handling the > special case of the root zone. > We believe that, in this limited use-case the suggestions in Section 4.5 of > RFC4035 are not as relevant. We also believe that the NSEC case (and no > wildcards :-)) is simpler to solve than the NSEC3 case. > > For these reasons we think that it is worth pursuing this in parallel > with Fujiwara-san's "Aggressive use of NSEC/NSEC3" document. > cheese-shop does not conflict with "Aggressive use...", rather it > complements it, and can demonstrate the technique (in this restricted use > case). > > We welcome any feedback, including tomatoes, howls of derisive laughter, > etc. I don't have a strong opinion on the idea itself, but I've read it and have some comments on the draft: - Abstract [...] This improves performance; the resolver can answer immediatly, and does not need to query the root. This is probably true as recursion is generally very expensive. But unless/until we actually have measurement results that prove this, I'd make it a bit weaker, e.g, "This can improve performance:...". Or, even better, actually conduct such measurement and show how much it's improved. - Section 1 If a DNS resolver queries a root zone authoritative name server with the EDNS0 DNSSEC OK option set, for a name that does not exist in the A minor nit, but "DNSSEC OK option" should probably be "DNSSEC OK bit" (it's not an EDNS option). - Section 1 either side of the queried name. For example, if a nameserver queries for .belkin, it will get back an NXDOMAIN, [...] [...]. This means that, if the nameserver subsequently (during the TTL of the NSEC record) gets a query for .beeswax I think "nameserver" should better be "(DNS) resolver" to avoid confusion about these and the "name server" in the first sentence: If a DNS resolver queries a root zone authoritative name server with [...] - Section 1 The title of this draft comes from a famous Monty Python skit - "The Cheese Shop". There are some useful parallels between this problem and the skit - watching the skit is encouraged to understand the problem - https://www.youtube.com/watch?v=cWDdd5KKhts I know I'm in the minority group, but I'd suggest not making it too cool for documents supposed to be read and understood by people who may not necessarily have particular cultural background. For those people just reading a material written in an unfamiliar language is already a burden; I'd rather eliminate further barriers unless it's absolutely necessary even if it results in something boring. Specifically, I suggest renaming the file name to, e.g.: draft-wkumari-dnsop-nsec-aggressiveuse-for-root And, whether or not this suggestion is accepted, I'd note that it's not about the "Title" (which is pretty good in the sense of this comment) but the file name. So, if this section isn't removed if and when it's finally published as an RFC, the text will have dangling reference. - Section 2 [...] Instead, the resolver SHOULD answer these queries directly with NXDOMAIN (and NSEC records if so signalled by EDNS). They SHOULD set the AA bit and AD bits. Why the AA bit? At least it's not required today (or could even be considered non-compliant). Is this some new requirement specific to the context of this draft (if so, what's the rationale?), or is it just a typo? - Section 3 [...] - and this is true whether or not this is implemented (if someone had queried for the exact name, there would be a negatively cached answer, this simply expands the range of negative caches). I think the discussion here should be more careful. Assume the NSEC or NXDOMAIN TTL of 1 day, in the following scenario: - Jan 1 0:00 a resolver queries for .belkin and gets response with NXDOMAIN+NSEC - Jan 1 0:01 .beeswax is added to the root (and this fact is widely published, starting to trigger queries for the name) - Jan 1 0:02 a resolver gets a query from a client for .beeswax Before this technique is used, the query will succeed at 0:02. But if the resolver uses the described technique, it will have to wait until Jan 2 0:00. Even if the worst case waiting period is the same, it may be a bit naive to ignore this difference. I'm not necessarily opposed to the conclusion itself (again, I don't have a particular opinion on the proposal itself, for now), but I'd like to see some more considerations on the effect. -- JINMEI, Tatuya
- [DNSOP] Updated cheese-shop. Warren Kumari
- Re: [DNSOP] Updated cheese-shop. John Levine
- Re: [DNSOP] Updated cheese-shop. abby pan
- Re: [DNSOP] Updated cheese-shop. 神明達哉
- Re: [DNSOP] Updated cheese-shop. Warren Kumari
- Re: [DNSOP] Updated cheese-shop. 神明達哉