IETF Logo Mail Archive

Re: [DNSSEC-Bootstrapping] Sharding?

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 20 October 2021 17:21 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnssec-bootstrapping@ietfa.amsl.com
Delivered-To: dnssec-bootstrapping@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D30203A0A83 for <dnssec-bootstrapping@ietfa.amsl.com>; Wed, 20 Oct 2021 10:21:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADZnIfDU1kad for <dnssec-bootstrapping@ietfa.amsl.com>; Wed, 20 Oct 2021 10:21:40 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ECD23A0A7B for <dnssec-bootstrapping@ietf.org>; Wed, 20 Oct 2021 10:21:40 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id g36so36937lfv.3 for <dnssec-bootstrapping@ietf.org>; Wed, 20 Oct 2021 10:21:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Auw6D0f022hPArboiuA83J6Rn7WH40k0AE2SV23rXfw=; b=cm1q0jB8U1WkYbCNIi5DS4UC5a5CovbJr27zOJFneRzLltCcOzUmuXXwAb1YtpjcGO XdWDpOgvlexhs5/8spIrWmGO2eJKkJFhDbIcY5Oj6uvnUjZgprnHkrLJ7mlT5Ba7iQzC QHvG1TREomSdTXIowZ3mhm+pkBGu95G+NXeIq4nF15N3bu7uTXUSi4FTicPiVekoJIi0 J3vPYYO4WWCFaZ33Gv0gXylFUu/qQEIvpfuZZtSte1ir++MpShX5OX2TO1/SVu+P8aZ1 1eplBVhuW4bw8RVxHya6j/XfkT++ypdeeflu0We/DgRWgsTBT/YYpueY92JOCHmpxGM0 yWTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Auw6D0f022hPArboiuA83J6Rn7WH40k0AE2SV23rXfw=; b=dsl88b8201tvPr1fX037yDk3Cy/WGIEezyBmJBppEoCQJng3LX+9lBkA42J3SlyjYD XnM8+xhnh7aC6OEpnblcG+5VXil4/w0w6lcdNRTC/W7HeyV8+0+E5V3g86Rmzb5btAMP 2F3D/R6UkZxvKw6k6Ls/I0u7c47L9rlKuoXQauoQrwFrG+KL3KDNLSHY0KvNCPWiNtwY 3MNo1ekiBlGXWbTUiwcvFzoUP95A+ERs0sIrZk+w/w2YEzd58RXdMItI98VGMRHZKVfy vka703kIiS+AUloqb3fVKX+eT0pVrMALaLWzBJMICwFU65hsjCRC0XdPv7obscyIqt2x BE0w==
X-Gm-Message-State: AOAM531oHnd5yLEOFVYaV24ysOx6I4nQC6vw3qk1466eAhL7npeDEaLQ LHo2HkXtnpJFRrvO57o7Kb4KGM9qzCe6gDoeTv9ms1dS
X-Google-Smtp-Source: ABdhPJySne2Kqoh7/j5K+ZsQqduYUam+raCPDmHsf/rDuSbvyxvgvP4BSuNUkey0VzeKqPTbVHdD/s6qCN6mIqwYh0A=
X-Received: by 2002:a05:6512:a92:: with SMTP id m18mr499314lfu.427.1634750498202; Wed, 20 Oct 2021 10:21:38 -0700 (PDT)
MIME-Version: 1.0
References: <59003805-21ea-bae9-61be-a4884baf828e@desec.io> <CABf5zv+bPFfHGxGwwryEO12AVOKxBFbZx=fhqB6R39nmMmF-sg@mail.gmail.com>
In-Reply-To: <CABf5zv+bPFfHGxGwwryEO12AVOKxBFbZx=fhqB6R39nmMmF-sg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 20 Oct 2021 10:21:26 -0700
Message-ID: <CAH1iCir5_raernfEU6iQDPm2LsBLLn5ec33_-fKBk2Be8gwMKg@mail.gmail.com>
To: Steve Crocker <steve@shinkuro.com>
Cc: Peter Thomassen <peter@desec.io>, dnssec-bootstrapping@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bde6a705cecc027b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssec-bootstrapping/54Dapnjo9gm6FGEJMr5Kc7pVV1U>
Subject: Re: [DNSSEC-Bootstrapping] Sharding?
X-BeenThere: dnssec-bootstrapping@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Authenticated Bootstrapping of DNSSEC Delegations <dnssec-bootstrapping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssec-bootstrapping>, <mailto:dnssec-bootstrapping-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssec-bootstrapping/>
List-Post: <mailto:dnssec-bootstrapping@ietf.org>
List-Help: <mailto:dnssec-bootstrapping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssec-bootstrapping>, <mailto:dnssec-bootstrapping-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Oct 2021 17:21:46 -0000

On Tue, Oct 19, 2021 at 9:30 AM Steve Crocker <steve@shinkuro.com> wrote:

> Peter,
>
> The sentence
>
> For a given second label such as hash(co.uk), the first label will
> indicate all the (bootstrappable) domains that the DNS operator manages
> under that ancestor.
>
>
> raises a question of nor only whether the number is too large but also how
> frequently it changes.  How accurate does this have to be?  If it's
> supposed to be completely accurate, this will likely be out of date very
> quickly for a large domain.
>
>
I think that is a non-issue, or orthogonal to the purpose of the zone(s).
Each zone would be basically internally integrated by the DNS operator, as
a service for their customers.
Each zone would basically operate like a queue for a backlog of zones known
to be possible to go secure.
There are multiple steps in going secure, via bootstrap:

   - Generate keys and sign the zone
   - Publish records in bootstrap zone
   - Parental agent pulls record from bootstrap and adds secure delegation
   - Clean-up of processed records for now-secure domains

So there are two places where some latency or queueing are likely to
happen: signing to publishing; and publishing to consumption.

Each DNS operator will have its own operational practices and
infrastructure. Each operator would need to do its own thing, including
setting expectations for customers, and ensuring things continue to work.

The aggregate behavior is fine even if some DNS operators drop the ball
occasionally. The market forces exert influence, i.e. customers can switch
operators if they are not happy with the performance.

Brian


>
> On Tue, Oct 19, 2021 at 9:05 AM Peter Thomassen <peter@desec.io> wrote:
>
>> Hi all,
>>
>> In my other email, I mentioned an open question about the protocol
>> format. Here you go.
>>
>> So far, the owner name of the signaling record for example.co.uk hosted
>> on ns1.provider.net is: example.hash(co.uk)._boot.ns1.provider.net
>>
>> For a given second label such as hash(co.uk), the first label will
>> indicate all the (bootstrappable) domains that the DNS operator manages
>> under that ancestor.
>>
>> In case of the .com zone, I can imagine this to be a number that is
>> potentially very high. (The concern does not apply to the second label, as
>> many domains will have the same ancestor.)
>>
>> 1.) Do you think that this will be a problem for anyone, such as at the
>> scale of Cloudflare?
>> 2.) If yes: What could be done about it?
>>         a. One migiation could be to synthesize signaling records ad hoc,
>> but that requires auth support.
>>         b. Another way would be to introduce some kind of sharding (=
>> splitting the first label into several, possibly based on a few hash
>> digits).
>>         c. ...?
>>
>> I am not sure this is really a problem at all, but an approach like 2.b)
>> would be a protocol change, so it will be hard to do it later. That's why
>> I'm interested in your opinions. (If nobody thinks this is a problem, we
>> can close it right away.)
>>
>> Cheers,
>> Peter
>>
>> --
>> Like our community service? 💛
>> Please consider donating at
>>
>> https://desec.io/
>>
>> deSEC e.V.
>> Kyffhäuserstr. 5
>> 10781 Berlin
>> Germany
>>
>> Vorstandsvorsitz: Nils Wisiol
>> Registergericht: AG Berlin (Charlottenburg) VR 37525
>>
>> --
>> DNSSEC-Bootstrapping mailing list
>> DNSSEC-Bootstrapping@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnssec-bootstrapping
>>
> --
> DNSSEC-Bootstrapping mailing list
> DNSSEC-Bootstrapping@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssec-bootstrapping
>

v2.23.0 | Report a Bug | By Email