IETF Logo Mail Archive

Re: [DNSSEC-Bootstrapping] Sharding?

Peter Thomassen <peter@desec.io> Fri, 22 October 2021 17:02 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnssec-bootstrapping@ietfa.amsl.com
Delivered-To: dnssec-bootstrapping@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EFBA3A1161 for <dnssec-bootstrapping@ietfa.amsl.com>; Fri, 22 Oct 2021 10:02:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sjIdk9XAi9Y1 for <dnssec-bootstrapping@ietfa.amsl.com>; Fri, 22 Oct 2021 10:02:05 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B95FF3A1141 for <dnssec-bootstrapping@ietf.org>; Fri, 22 Oct 2021 10:02:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:Subject:From:References:To:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=jWJu162Y0+SGLNNyqVauGF7PepYQhUX1yTl+/h1OTUo=; b=TqhmrA3EbGtS1MGGUm6yzQ5Sya 29C86AFJksgBCA4ApJjmkrS5MOL1zCTcUwVdceiZbng2OtKTtV4YuLZe35o6dexaWsCt/Y4n8Zk9/ 1l1r/Iprpn5qV/BqDgyli+G74vMIf6XlkXJ49kLB9R9wCj7d4hfF9+2Vlu4Og6eKO6EyMrR4r5Mw9 vXqRVaZin9ErJdU1C11Jj2POu0srRAIuUjKnp2sMkrDCjzxaY5mZH87CaZuLHS6pf2/q+Yx5SfjLN 85zaCta+kL4FWl4gnO2qGhuvxLEiyjX0hfOGi4rEUXw07/sNTOEQdJqDZ4fghMCZtRvVVNDjFcLUQ /dOaIiZQ==;
Received: from [213.61.118.178] (helo=[192.168.188.94]) by mail.a4a.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <peter@desec.io>) id 1mdxva-00038o-LM for dnssec-bootstrapping@ietf.org; Fri, 22 Oct 2021 19:01:58 +0200
To: dnssec-bootstrapping@ietf.org
References: <59003805-21ea-bae9-61be-a4884baf828e@desec.io> <CAH1iCiq1vOcpAdyFnMcMoG2V+_fH0LDBqUy2+yHrJD1QDt=86Q@mail.gmail.com> <e4ce3780-f0c6-8168-4fea-3e9eb16043f8@desec.io> <46ec10edfafb3a110a9ac5cfaa63a0aa2d17cf83.camel@desec.io>
From: Peter Thomassen <peter@desec.io>
Message-ID: <f6d2021b-b4c2-482c-5013-36e952f74424@desec.io>
Date: Fri, 22 Oct 2021 19:01:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <46ec10edfafb3a110a9ac5cfaa63a0aa2d17cf83.camel@desec.io>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssec-bootstrapping/jIoJYvB6l_cGVLlhAvWFO6fLEWA>
Subject: Re: [DNSSEC-Bootstrapping] Sharding?
X-BeenThere: dnssec-bootstrapping@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Authenticated Bootstrapping of DNSSEC Delegations <dnssec-bootstrapping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssec-bootstrapping>, <mailto:dnssec-bootstrapping-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssec-bootstrapping/>
List-Post: <mailto:dnssec-bootstrapping@ietf.org>
List-Help: <mailto:dnssec-bootstrapping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssec-bootstrapping>, <mailto:dnssec-bootstrapping-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2021 17:02:12 -0000

On 10/21/21 10:26 AM, Nils Wisiol wrote:
> On Wed, 2021-10-20 at 18:21 +0200, Peter Thomassen wrote:
>> However, if the parental agent (registry/registrar) does not support
>> the mechanism, bootstrapping records may remain in place more or less
>> indefinitely, until the parent changes their mind (or DS records are
>> provisioned manually). In that case, a large number of records could
>> accumulate under certain hash(ancestor) labels.
>>
>>
>>
>> Do DNS operators think this is a problem that needs to be addressed?
> 
> In this light, I believe it could make sense to support a potentially
> large number of bootstrapping records. Otherwise, DNS operators are
> forced to keep track which zone is located at supporting parental
> agents and what the security status of each zone is.

DNS operators should still clean up bootstrapping records for zones that have been secured, to keep bulk processing via NSEC walks or XFRs of the bootstrap zone efficient.

Given that no operator voiced concerns over the bootstrapping zone size, while it was argued that the protocol scales well even without sharding, I observe that there is currently no support/demand for a sharding mechanism.

I am going to rework some of the draft until Monday (IETF 112 draft submission deadline), mainly to make it relate better to RFC 8078. I am not currently planning to consider sharding in this iteration; if someone feels that is a mistake, please let me know.

Thanks,
Peter

PS: In case demand for sharding should come up later within the WG, we can revisit this (and then also discuss questions like how to do it, whether it should be configurable etc.).


-- 
Like our community service? 💛
Please consider donating at

https://desec.io/

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525

v2.23.0 | Report a Bug | By Email