Re: [hrpc] Applying RFC8280 to draft-ietf-dnsop-serve-stale
Joseph Lorenzo Hall <hall@isoc.org> Tue, 29 October 2019 15:53 UTC
Return-Path: <hall@isoc.org>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DC8F120956 for <hrpc@ietfa.amsl.com>; Tue, 29 Oct 2019 08:53:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qDJNv9BCoZ4O for <hrpc@ietfa.amsl.com>; Tue, 29 Oct 2019 08:53:02 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-eopbgr740057.outbound.protection.outlook.com [40.107.74.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2467D120962 for <hrpc@irtf.org>; Tue, 29 Oct 2019 08:53:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lIEx1vN3nueWuqwind7Y9xASUNCpQPD5ySoRn+2jsdMozg9qjiaW6A3xbz3wZbP960c9vh0aUKyTNdqabDPEm0NoLLRHl8wRNbq3fa28tKSC1hYba4qC7CJfxqxoLHsdPJxUKFzQnNlVT6g0U4NZ/dTv9jdUGHSG0plOlnWcTnbZUTTCIQJ3KLmICebhFtselVyT9c0Uu25LZeuYUGJuoMDq3DUtSIbN+2EqMWo12XGI7MtDzyhB9U1zqBrUDF6sp69VgfSSxO3QwCMRYo4FHAgheuEpjRCArGqtvu1u23e9VqAFDLXoVH+AmhFJMRyD7CqFpSC0fe1r5Uw1x8IsEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C6hFpKVcKiBjA5ZmHFrN7kpMnZEbel/8aNDsWTVkFW8=; b=WJpl1uCOe+zRjb2aJQmTElXC8onoohaE6LQ6hixdAX5KlSMHrxl8oVqOWDq0oV66uIPgdJxKQ2E+fv933fm4u2O8AVRG3suEBR+fMInTXvIUkDrfP6k1UkLi3pNI0rJgF6ClStHPwQnOT9poeAqsoTilHVellD+Ue0aRmIshkkKD8SJuZFtX/54ivwjDUp8sxWu7HJxClLgHPCstEDRxZQgOO5pyxu/1vj2jAN3x00D1beNPbjoh88ayKrC8T94G2M16kBwjugC2QMMvTeghNL+umbq+SMjA9yQ5aQh/qa9ni/R5XfmOjPK0ll3b7Uv9v5pSJ1GPdF5Zrxor7XQR3A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=isoc.org; dmarc=pass action=none header.from=isoc.org; dkim=pass header.d=isoc.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C6hFpKVcKiBjA5ZmHFrN7kpMnZEbel/8aNDsWTVkFW8=; b=ZgexNXn9zXgBIvn4F+3m52TjSRzkRYiTwoKVmwn73eV3gzIr4q43cjDjqzSmDqNtvhX3MYyEWIMOw7ARtK4B6lLOhOcjBiZs/G1FDcJTp44gBhxRn+Iu8u0g1xTcpOLMUbNfDCZw7UpIpJkITRc8qc62ZT56Cw04Mpi8M/UGsYE=
Received: from CH2PR06MB6743.namprd06.prod.outlook.com (20.180.9.24) by CH2PR06MB6598.namprd06.prod.outlook.com (20.180.8.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.23; Tue, 29 Oct 2019 15:53:00 +0000
Received: from CH2PR06MB6743.namprd06.prod.outlook.com ([fe80::85f7:f1b1:5ad7:3e6d]) by CH2PR06MB6743.namprd06.prod.outlook.com ([fe80::85f7:f1b1:5ad7:3e6d%5]) with mapi id 15.20.2387.027; Tue, 29 Oct 2019 15:53:00 +0000
From: Joseph Lorenzo Hall <hall@isoc.org>
To: Karan Saini <karan@cis-india.org>, "hrpc@irtf.org" <hrpc@irtf.org>
Thread-Topic: [hrpc] Applying RFC8280 to draft-ietf-dnsop-serve-stale
Thread-Index: AQHVjlm3UkIKzzyqQ0uVs1hNj8j+FqdxxPeP
Date: Tue, 29 Oct 2019 15:52:59 +0000
Message-ID: <CH2PR06MB67438B7624A961F728D57C04B1610@CH2PR06MB6743.namprd06.prod.outlook.com>
References: <df503160-d805-93fc-030d-75f690ed8279@cis-india.org>
In-Reply-To: <df503160-d805-93fc-030d-75f690ed8279@cis-india.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=hall@isoc.org;
x-originating-ip: [173.226.66.172]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a7474ffb-3563-4fcd-db8e-08d75c88130a
x-ms-traffictypediagnostic: CH2PR06MB6598:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <CH2PR06MB65985F64288C8233CD3152B0B1610@CH2PR06MB6598.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0205EDCD76
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(136003)(346002)(376002)(39850400004)(396003)(53754006)(189003)(199004)(11346002)(476003)(52536014)(486006)(71190400001)(71200400001)(966005)(14444005)(5660300002)(229853002)(446003)(3846002)(256004)(2906002)(66066001)(33656002)(6116002)(2501003)(76116006)(66946007)(66476007)(66556008)(64756008)(91956017)(66446008)(66574012)(316002)(8676002)(305945005)(74316002)(14454004)(6436002)(8936002)(81156014)(7736002)(86362001)(81166006)(99286004)(6246003)(102836004)(26005)(478600001)(25786009)(110136005)(55016002)(6306002)(76176011)(186003)(53546011)(6506007)(7696005)(9686003); DIR:OUT; SFP:1101; SCL:1; SRVR:CH2PR06MB6598; H:CH2PR06MB6743.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: R1ejXRmBGaSmcFVA9Tb4+QlgfueR4uV3VKPpIlrgjckt1YRyMzR9a+92Tp16O42tHJw4VrAq8343+I4vZ4xoStFi5HVRrzOwasGb0T3n19MTxK9NAwVq7aA89J1+IIZI+Sqb/bpBAxzL0t9nyq50wKr5r3mQn8OM1p+hX/IcgwKuL+o+nFBp+EU9mOqm2SixC1Z+QanfeIb/FCaoSgLEIklI9N4XfW78Y6dV/6O8gbFRS6zbwoqE+68qRdVhV4MtjcqYrODR/086/I+SBrhKOADY9POffvHqmuDhL0jwoPMUvbE2IHQ+4MHxYW5vTFRU0/aQHo6VMoMx4gUqlzHkwoKkjL334Tfex3iarFlcU9SB4k93R0+Zcj0IDTdGXDFxMNwg+vp0SVciXeRa6L2BNcKYWH8DD8jREX8RqgJEcrqq6RSuxe0znQkKSUuGQ+PsHQX5DaUGQXKhnd68hGY80SzQOrWMfvHSs9ZFLcvJyK8=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-Network-Message-Id: a7474ffb-3563-4fcd-db8e-08d75c88130a
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Oct 2019 15:52:59.8949 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Vt7igxjRWiyIf+mfw972pKCTv5q7mUxnfF/enkK/leHB2D2OHdp8P7qLwfp4A/ts
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR06MB6598
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/2OFmRx4rE2vctKOej1PRAwCw9H8>
Subject: Re: [hrpc] Applying RFC8280 to draft-ietf-dnsop-serve-stale
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "mail@nielstenoever.net" <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 15:53:11 -0000
I definitely think some considerations in the guidelines document about intended status sounds good... it's something that I trip up on and would be good to write down for this audience. best, joe ________________________________________ From: hrpc <hrpc-bounces@irtf.org> on behalf of Karan Saini <karan@cis-india.org> Sent: Tuesday, October 29, 2019 9:05 AM To: hrpc@irtf.org Subject: [hrpc] Applying RFC8280 to draft-ietf-dnsop-serve-stale Hi all, This email documents some of the learnings from the application of the questions in RFC8280 and draft-irtf-hrpc-guidelines to draft-ietf-dnsop-serve-stale. “Serving Stale Data to Improve DNS Resiliency” (draft-ietf-dnsop-serve-stale) [0] discusses recursive DNS resolvers serving “stale” data, along with use cases and considerations, and an example implementation for the same. In the context of this draft, “stale data” is used to refer to DNS records for which the specified TTL have elapsed, and where no authoritative server can be reached immediately for retrieving a fresh answer. A stated motivation behind implementing serve-stale is that of making the DNS “more resilient to DoS attacks.” Connectivity ------------ Serving DNS records past their TTL can have positive implications when recursive resolvers cannot immediately reach an authoritative server for refreshing cached data. The rationale behind serving stale relies on the presumption that the underlying information will be identical to that which is stored in the recursive resolver’s cache. Thus, serving stale data can act as a failover mechanism for failures or downtime on part of authoritative servers. If implemented properly, serve-stale should not have a detrimental effect on DNS resolution times for clients. Security -------- Stale records can allow malicious actors to keep “keep their [command and control] systems artificially alive even if the parent has removed the C&C domain name,” as pointed out by Ray Bellis. [1] In the same email, Bellis also stated that serving stale records “must be predicated on the presence of a valid delegation from the parent zone.” [1] The presence of this delegation would provide a layer of agency to the operators of a given parent zone. Another concern raised by some [2] was that DNS attacks, such as traffic hijacking, tampering or spoofing could potentially be prolonged if serve-stale is used, and that such attacks may potentially be encouraged by the publication of the document. These concerns are broadly acknowledged in the “Security Considerations” section of the draft. Conclusion ---------- This document presents a practice of some major DNS operators, who have had operational benefits from serving stale DNS data. The intended status for this document is that of a “Proposed Standard.” (See [RFC7127] for a definition) Davey Song had previously raised the concern that serve-stale may be better suited for publication as an informational or experimental document, rather than it being a part of the standards track [2]. I initially agreed with this point [3], however, considering that the intended status for serve-stale is that of a Proposed Standard, which [RFC7127] defines as a specification that is “stable, has resolved known design choices,” which “has received significant community review, and appears to enjoy enough community interest to be considered valuable,” I believe that the current intended status of the RFC is suitable and appropriate. This, however, has led to an interesting learning that can potentially be adapted to draft-irtf-hrpc-guidelines. The guidelines may benefit from a section exploring the different impacts a specification may have with consideration the intended status of publication. Publication of a particular RFC under a certain status has certain consequences. For instance, publication as an Internet Standard as part of the Standards Track may signal to implementers that the specification has a certain level of maturity, operational experience, and consensus. Similarly, publication of a specification an experimental document as part of the non-standards track would signal to the community that the document “may be intended for eventual standardization but [may] not yet [be] ready,” [BCP9]. [BCP9] further defines when a document should be considered for publication as “experimental” (section 4.2.1) or “informational” (section 4.2.2). I believe the guidelines draft may benefit from the inclusion of text exploring considerations for the intended status of a specification. [0] https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/ [1] https://mailarchive.ietf.org/arch/msg/dnsop/7lvN6sLwNzkxWh48wPelAFqWTAg [2] https://mailarchive.ietf.org/arch/msg/dnsop/MENMA0etqVTIcBBnpc7RiWhJVqk [3] https://mailarchive.ietf.org/arch/msg/dnsop/Zxa8EcjlaQtz4z-h7b3bgfyTux0 [RFC7127] https://tools.ietf.org/html/rfc7127 [BCP9] https://tools.ietf.org/html/bcp9 Regards, Karan Saini
- [hrpc] Applying RFC8280 to draft-ietf-dnsop-serve… Karan Saini
- Re: [hrpc] Applying RFC8280 to draft-ietf-dnsop-s… Joseph Lorenzo Hall