Re: [DNSOP] Last Call: <draft-ietf-dnsop-serve-stale-07.txt> (Serving Stale Data to Improve DNS Resiliency) to Proposed Standard
Puneet Sood <puneets@google.com> Wed, 18 September 2019 16:07 UTC
Return-Path: <puneets@google.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C4CB120881 for <ietf@ietfa.amsl.com>; Wed, 18 Sep 2019 09:07:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0g3EVryIcHao for <ietf@ietfa.amsl.com>; Wed, 18 Sep 2019 09:06:59 -0700 (PDT)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0779C120890 for <ietf@ietf.org>; Wed, 18 Sep 2019 09:06:58 -0700 (PDT)
Received: by mail-vs1-xe36.google.com with SMTP id l2so168099vsr.8 for <ietf@ietf.org>; Wed, 18 Sep 2019 09:06:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wixKdzSiCBXw2m1TyS4XZ4oMMQ6C7ow0ONxcuD9a5Kw=; b=KOU2WWx/jqJukzW3zaRuBtRhZ5E4OsWCjJ4cfdUwt4uaOiAta6juwxOTjY4uuLGopM WlF/N4nKsiazPv6uHm3p1s/zKnpbqv5rrTWHNQV/fNt71/p0A6NCszWl/6iu0EK0zTzZ Vlvyp00jfsnvRkeVwgc8UlQj+VkeZdGIZshLAddTSk5LZlv7SGZku72uMbIjavJtNMxI E/FxUbrTA2pIUTJd/PPCttcQc+Mwnt6xMLPkZWhtowAsAymFe/+YGwnrEe42wAapdf0a hYZtKRPDcfUYlNr+m092SW2v80EBYuaTleSt7z0/Pr5C08bh6/m4FKEroteSEosAGAEP KqoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wixKdzSiCBXw2m1TyS4XZ4oMMQ6C7ow0ONxcuD9a5Kw=; b=K83IIiN1AUVQYUpWBtObzxjYA7+oIFhxVqrRUSodeLQrEIC1dr8lmyBl0RdnXB9NQw /tTMvSqhGxFJQwY3bn3WB1maqRrFGaI0ZtvYAwWUMXPZSC4UT8HYweu664PJk7QXr0ui +tyrm9DOs97flKDdkDHLDjgXdegUoNlfB5wo3NawpTiMb8XERRrja3E7O08DRpdRVyWP xDVWXQmE1sXyqH9QKoLgtwGd0U6nPxpi8hd5XBX7zmtTfGmd3xFJjK2LzndKWkM0oinl cc/gFCdujsBGU9YKQEYmEeOcQtY5hiVQ6Di55qaBOUsj4wGJw1YJnxSFTliHgip4Ne39 Ke8w==
X-Gm-Message-State: APjAAAUPWzvoUq9iXQA3bOap6t+nxRHgZXwRoBlf3vg0WORoyT8gJWUF BiET3aJO07vmTa0f7WeAwJSpWYDac7rDswqqVkTY0A==
X-Google-Smtp-Source: APXvYqwC0HC/7OUxNMOi/pCHB/ndDFcmEv3j+w+ty3GyN2IGI5EuqsKXeegOD0MNwAgbBDRKOAueuVC2UPAZGci25og=
X-Received: by 2002:a67:1a41:: with SMTP id a62mr2809684vsa.54.1568822817408; Wed, 18 Sep 2019 09:06:57 -0700 (PDT)
MIME-Version: 1.0
References: <156821841762.13409.15153693738152466982.idtracker@ietfa.amsl.com> <91411A04-4DD6-47D6-A4CC-AD8747B21361@dukhovni.org>
In-Reply-To: <91411A04-4DD6-47D6-A4CC-AD8747B21361@dukhovni.org>
From: Puneet Sood <puneets@google.com>
Date: Wed, 18 Sep 2019 12:06:45 -0400
Message-ID: <CA+9_gVsiegDYNaxgipqqfACd394=C7Tf6htj8FfNbzAtw411LA@mail.gmail.com>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-serve-stale-07.txt> (Serving Stale Data to Improve DNS Resiliency) to Proposed Standard
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: ietf@ietf.org, draft-ietf-dnsop-serve-stale@ietf.org, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/wY8RS9OaUz4IK4cDVXvrqIQlgdw>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 16:07:01 -0000
On Wed, Sep 11, 2019 at 2:32 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > > On Sep 11, 2019, at 12:13 PM, The IESG <iesg-secretary@ietf.org> wrote: > > > > 'Serving Stale Data to Improve DNS Resiliency' <draft-ietf-dnsop-serve-stale-07.txt> > > It looks to me like the list of resolvers that implement "Serve Stale" > in Section 3 contains a typo. Should "Know" be "Knot"? Done > > A number of recursive > resolver packages (including BIND, Know, OpenDNS, Unbound) provide > options to use stale data. > > I am a bit puzzled by the lack of text that motivates treating TTLs > with the high bit set as positive? Why is this desirable, and why > in this draft? What is the connection between TTLs with the high > bit set and Serve Stale? If some resolver inadvertently returns > stale data whose TTL has expired, it might return a negative TTL, > and treating that as "0" seems safer than as 137 years (likely > then capped to 7 days). Discussed separately. > > Finally, in security considerations, there's no mention of > the potential security impact of stale negative responses. > Specifically, stale denial of existence of newly published > TLSA records can delay their visibility to clients, and > degrade transport security until the fresh records are > finally available. With RFC7672 MTA-to-MTA SMTP, a ServFail > answer would avoid the downgrade and either use a different > MX host or defer the delivery until such time as fresh records > become available. That said, this exposure exists only in a > limited time window when TLSA records are initially published. Added wording for negative caching to the first paragraph of "Security Considerations". -Puneet > > -- > Viktor. >
- Re: [DNSOP] Last Call: <draft-ietf-dnsop-serve-st… Viktor Dukhovni
- Re: Last Call: <draft-ietf-dnsop-serve-stale-07.t… S Moonesamy
- Re: [DNSOP] Last Call: <draft-ietf-dnsop-serve-st… Tony Finch
- Re: [DNSOP] Last Call: <draft-ietf-dnsop-serve-st… Viktor Dukhovni
- Re: Last Call: <draft-ietf-dnsop-serve-stale-07.t… Stephane Bortzmeyer
- Re: Last Call: <draft-ietf-dnsop-serve-stale-07.t… Stephane Bortzmeyer
- Re: Last Call: <draft-ietf-dnsop-serve-stale-07.t… Viktor Dukhovni
- Re: Last Call: <draft-ietf-dnsop-serve-stale-07.t… Puneet Sood
- Re: [DNSOP] Last Call: <draft-ietf-dnsop-serve-st… Puneet Sood