[hrpc] Applying RFC8280 to draft-ietf-dnsop-serve-stale
Karan Saini <karan@cis-india.org> Tue, 29 October 2019 13:06 UTC
Return-Path: <karan@cis-india.org>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3000A120805 for <hrpc@ietfa.amsl.com>; Tue, 29 Oct 2019 06:06:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cis-india.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LL-VE4xkAh7V for <hrpc@ietfa.amsl.com>; Tue, 29 Oct 2019 06:06:35 -0700 (PDT)
Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl [195.190.28.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6121120801 for <hrpc@irtf.org>; Tue, 29 Oct 2019 06:06:35 -0700 (PDT)
Received: from smtp.greenhost.nl ([213.108.110.112]) by smarthost1.greenhost.nl with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <karan@cis-india.org>) id 1iPRCA-0007rb-FM for hrpc@irtf.org; Tue, 29 Oct 2019 14:06:34 +0100
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.cis-india.org 593B458131623
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cis-india.org; s=6F901CFA-19A8-11E9-98F1-CB07954443DB; t=1572354353; bh=kBAl8780jzZPDGZHswgWRkz1jmL8B5wbrTFI12dQGLs=; h=To:From:Message-ID:Date:MIME-Version; b=JpoVRjbAX04K4mdFBdw3YcC4QU3llv00AnxKyoRicJBKn9EK9Xfin+1ykc15mOSmw uv4sxW44UljqHWitcGUqse/8Pn9vvE0CyFojdZv7BleoxlN4OjfvOAN3oii5dClYka wD0dPfSB2i8JetJ17vTIzVL29u8+Tr8s1IAdxrCHw+gT6/iicu1n/0J1nK/+D86QVX ok9zhYXdbHQYgwOiJ8m7upjQ86ket8xQexGqNsJSVQe1Oj1hJsYA2AbWMnDwhEVumm Dz0Lf4BqOH1mIatwJRSANUEvpA9gal7qJbOnSwQ9kb4DtqVcKjhR3nqsVmbx7zAu/g yCmXqWo1j4fPA==
To: hrpc@irtf.org
From: Karan Saini <karan@cis-india.org>
Message-ID: <df503160-d805-93fc-030d-75f690ed8279@cis-india.org>
Date: Tue, 29 Oct 2019 18:35:52 +0530
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------B65A6658CD2C69270160C10C"
Content-Language: en-US
X-Virus-Scanned: by clamav at smarthost1.samage.net
X-Scan-Signature: 5da6e32037d0514ee08d4e707879a9ed
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/mYV3SyIQDwd7aZZZh1xvapQw6XQ>
Subject: [hrpc] Applying RFC8280 to draft-ietf-dnsop-serve-stale
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "mail@nielstenoever.net" <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 13:06:38 -0000
Hi all, This email documents some of the learnings from the application of the questions in RFC8280 and draft-irtf-hrpc-guidelines to draft-ietf-dnsop-serve-stale. “Serving Stale Data to Improve DNS Resiliency” (draft-ietf-dnsop-serve-stale) [0] discusses recursive DNS resolvers serving “stale” data, along with use cases and considerations, and an example implementation for the same. In the context of this draft, “stale data” is used to refer to DNS records for which the specified TTL have elapsed, and where no authoritative server can be reached immediately for retrieving a fresh answer. A stated motivation behind implementing serve-stale is that of making the DNS “more resilient to DoS attacks.” Connectivity ------------ Serving DNS records past their TTL can have positive implications when recursive resolvers cannot immediately reach an authoritative server for refreshing cached data. The rationale behind serving stale relies on the presumption that the underlying information will be identical to that which is stored in the recursive resolver’s cache. Thus, serving stale data can act as a failover mechanism for failures or downtime on part of authoritative servers. If implemented properly, serve-stale should not have a detrimental effect on DNS resolution times for clients. Security -------- Stale records can allow malicious actors to keep “keep their [command and control] systems artificially alive even if the parent has removed the C&C domain name,” as pointed out by Ray Bellis. [1] In the same email, Bellis also stated that serving stale records “must be predicated on the presence of a valid delegation from the parent zone.” [1] The presence of this delegation would provide a layer of agency to the operators of a given parent zone. Another concern raised by some [2] was that DNS attacks, such as traffic hijacking, tampering or spoofing could potentially be prolonged if serve-stale is used, and that such attacks may potentially be encouraged by the publication of the document. These concerns are broadly acknowledged in the “Security Considerations” section of the draft. Conclusion ---------- This document presents a practice of some major DNS operators, who have had operational benefits from serving stale DNS data. The intended status for this document is that of a “Proposed Standard.” (See [RFC7127] for a definition) Davey Song had previously raised the concern that serve-stale may be better suited for publication as an informational or experimental document, rather than it being a part of the standards track [2]. I initially agreed with this point [3], however, considering that the intended status for serve-stale is that of a Proposed Standard, which [RFC7127] defines as a specification that is “stable, has resolved known design choices,” which “has received significant community review, and appears to enjoy enough community interest to be considered valuable,” I believe that the current intended status of the RFC is suitable and appropriate. This, however, has led to an interesting learning that can potentially be adapted to draft-irtf-hrpc-guidelines. The guidelines may benefit from a section exploring the different impacts a specification may have with consideration the intended status of publication. Publication of a particular RFC under a certain status has certain consequences. For instance, publication as an Internet Standard as part of the Standards Track may signal to implementers that the specification has a certain level of maturity, operational experience, and consensus. Similarly, publication of a specification an experimental document as part of the non-standards track would signal to the community that the document “may be intended for eventual standardization but [may] not yet [be] ready,” [BCP9]. [BCP9] further defines when a document should be considered for publication as “experimental” (section 4.2.1) or “informational” (section 4.2.2). I believe the guidelines draft may benefit from the inclusion of text exploring considerations for the intended status of a specification. [0] https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/ [1] https://mailarchive.ietf.org/arch/msg/dnsop/7lvN6sLwNzkxWh48wPelAFqWTAg [2] https://mailarchive.ietf.org/arch/msg/dnsop/MENMA0etqVTIcBBnpc7RiWhJVqk [3] https://mailarchive.ietf.org/arch/msg/dnsop/Zxa8EcjlaQtz4z-h7b3bgfyTux0 [RFC7127] https://tools.ietf.org/html/rfc7127 [BCP9] https://tools.ietf.org/html/bcp9 Regards, Karan Saini
- [hrpc] Applying RFC8280 to draft-ietf-dnsop-serve… Karan Saini
- Re: [hrpc] Applying RFC8280 to draft-ietf-dnsop-s… Joseph Lorenzo Hall