Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?

Tony Finch <dot@dotat.at> Tue, 08 May 2018 11:36 UTC

Return-Path: <dot@dotat.at>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C0E912DA21 for <doh@ietfa.amsl.com>; Tue, 8 May 2018 04:36:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iAPkL8mw5TrN for <doh@ietfa.amsl.com>; Tue, 8 May 2018 04:36:02 -0700 (PDT)
Received: from ppsw-40.csi.cam.ac.uk (ppsw-40.csi.cam.ac.uk [131.111.8.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CB0612D94F for <doh@ietf.org>; Tue, 8 May 2018 04:36:02 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:36294) by ppsw-40.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1fG0uT-000Cug-kf (Exim 4.89_2) (return-path <dot@dotat.at>); Tue, 08 May 2018 12:35:57 +0100
Date: Tue, 8 May 2018 12:35:57 +0100
From: Tony Finch <dot@dotat.at>
To: Mark Nottingham <mnot@mnot.net>, Miek Gieben <miek@miek.nl>
cc: Paul Hoffman <paul.hoffman@icann.org>, DoH WG <doh@ietf.org>
In-Reply-To: <20180508094545.itl6cvpsekzrpxs4@miek.nl>
Message-ID: <alpine.DEB.2.11.1805081229550.1809@grey.csi.cam.ac.uk>
References: <15A1809C-2CA3-4A3B-A5B1-279227C30223@icann.org> <3E34581E-E2DC-48B7-A4AD-6B9FDA418179@icann.org> <31900328-8813-47D3-9F89-0B863CE673B3@mnot.net> <20180508094545.itl6cvpsekzrpxs4@miek.nl>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/tCDnaYbzEiS8w69zSruqzScr9ME>
Subject: Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 May 2018 11:36:04 -0000

Miek Gieben <miek@miek.nl> wrote:
> [ Quoting <mnot@mnot.net> in "Re: [Doh] [Ext] Does the HTTP fresh..." ]
> >
> > Cache Interaction {#caching}
>
> I like this text, but is the working-group OK with *not* mentioning DNSSEC?
>
> If you only look a the TTL and not the inception and expiry dates of RRSIGs
> you can easily serve BAD data.

Mark's suggestion is pretty comprehensive in other areas, so I think it
ought to mention RRSIG expiry dates. (The upstream DNS server should have
fixed up the TTLs, but if you're going through the DNS packet to work out
an expiry time you might as well do it properly.)

The other possible addition is a reference to draft-ietf-dnsop-serve-stale
alongside the HTTP staleness considerations. But serve-stale is still a
draft and you probably don't want to make DoH wait for it.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Biscay: Northwesterly 4 or 5, occasionally 6 at first in northeast, becoming
variable 4 later. Moderate, becoming rough in west. Occasional drizzle.
Moderate or good, occasionally poor.