Re: [Iotops] Status update on MUD-IoT-DNS-Considerations
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 16 July 2021 16:16 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear@lear.ch>, Robert Kisteleki <robert@ripe.net>,
opsawg@ietf.org, iotops@ietf.org
In-Reply-To: <afca8d4d-eed7-d39c-3fe2-47e43b2b5a17@lear.ch>
References: <25526.1626054262@localhost>
<a3bb99b1-b575-244c-f434-9696aa5b771d@lear.ch>
<f3f619a0-b8ef-882c-691f-96c70f8b04ee@ripe.net>
<b02e993b-3823-b01c-8c9f-08a65eab4bfe@lear.ch> <20862.1626382966@localhost>
<afca8d4d-eed7-d39c-3fe2-47e43b2b5a17@lear.ch>
Date: Fri, 16 Jul 2021 12:16:25 -0400
Message-ID: <31992.1626452185@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/ZbqZfgHTv7DeGGUMC5s-8vpntRI>
Subject: Re: [Iotops] Status update on MUD-IoT-DNS-Considerations
Eliot Lear <lear@lear.ch> wrote:
    > I think the deployments also have to be somewhat forgiving in terms of
    > maintaining an ACL some period beyond TTL. It would make a good paper to
    > understand just how much.

Yes, I agree.

When one does a DNS lookup, the TTL one gets back is the amount of time that
it's valid in that cache. At the point where it expires, one should do another
lookup of that QNAME. If an A or AAAA is now gone, I think that maintaining a
positive ACL for another TTL's worth makes sense. If it was a negative ACL
(traffic forbidden), then I'd remove it immediately. (MUD doesn't really do
negative ACLs)

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
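The refresh policy described in the message above, as an added example that is not part of the original post, the draft, or any MUD controller implementation. It models a controller-side ACL cache: each DNS-derived entry is re-queried when its TTL expires; an address that has dropped out of a positive (permit) answer is kept for one more TTL's worth of the expired answer, while an address dropping out of a negative (deny) entry is removed at once. The `scripted_resolver`, the QNAMEs and the addresses are constructed so the example runs offline; a deny entry is included only to show the asymmetry, since MUD itself does not express negative ACLs.

```python
"""Toy TTL-driven refresh of DNS-derived ACL entries (added example, not draft code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A resolver maps a QNAME to (set of addresses, TTL in seconds). Injected so the
# example can run against constructed answers instead of live DNS.
Resolver = Callable[[str], Tuple[Set[str], int]]


@dataclass
class AclEntry:
    qname: str
    action: str                 # "permit" (positive ACL) or "deny" (negative ACL)
    addrs: Set[str]             # addresses in the most recent answer
    ttl: int                    # TTL of the most recent answer
    expires_at: float           # absolute time at which to re-query the QNAME
    # address -> time until which it is still honoured although it left the answer
    grace: Dict[str, float] = field(default_factory=dict)


class AclCache:
    def __init__(self, resolver: Resolver) -> None:
        self.resolver = resolver
        self.entries: Dict[Tuple[str, str], AclEntry] = {}

    def install(self, qname: str, action: str, now: float) -> AclEntry:
        addrs, ttl = self.resolver(qname)
        entry = AclEntry(qname, action, set(addrs), ttl, now + ttl)
        self.entries[(qname, action)] = entry
        return entry

    def refresh(self, now: float) -> None:
        """Re-query every expired entry and apply the permit/deny asymmetry."""
        for entry in self.entries.values():
            # Grace periods run out on their own clock, independent of re-queries.
            for addr, until in list(entry.grace.items()):
                if now >= until:
                    del entry.grace[addr]
            if now < entry.expires_at:
                continue
            new_addrs, new_ttl = self.resolver(entry.qname)
            for addr in entry.addrs - new_addrs:
                if entry.action == "permit":
                    # Positive ACL: keep the vanished address for one more TTL's
                    # worth of the answer that just expired.
                    entry.grace[addr] = now + entry.ttl
                # Negative ACL: nothing to do, the address is simply not carried over.
            entry.addrs = set(new_addrs)
            entry.ttl = new_ttl
            entry.expires_at = now + new_ttl

    def active_addrs(self, qname: str, action: str, now: float) -> Set[str]:
        """Addresses the ACL currently matches: current answer plus unexpired grace."""
        entry = self.entries[(qname, action)]
        return entry.addrs | {a for a, until in entry.grace.items() if now < until}


def scripted_resolver(script: Dict[str, List[Tuple[Set[str], int]]]) -> Resolver:
    """Constructed resolver: returns successive answers per QNAME, last one repeats."""
    calls: Dict[str, int] = {}

    def resolve(qname: str) -> Tuple[Set[str], int]:
        answers = script[qname]
        i = calls.get(qname, 0)
        calls[qname] = i + 1
        return answers[min(i, len(answers) - 1)]

    return resolve


def demo() -> Dict[int, Tuple[List[str], List[str]]]:
    """Run the cache over a constructed timeline; returns active addrs per instant."""
    resolver = scripted_resolver({
        # Second answer drops 192.0.2.10 from the permit QNAME (constructed).
        "update.example.com": [({"192.0.2.10", "192.0.2.11"}, 300), ({"192.0.2.11"}, 300)],
        # Second answer is empty for the deny QNAME (constructed).
        "bad.example.net": [({"198.51.100.5"}, 60), (set(), 60)],
    })
    cache = AclCache(resolver)
    cache.install("update.example.com", "permit", now=0)
    cache.install("bad.example.net", "deny", now=0)
    timeline: Dict[int, Tuple[List[str], List[str]]] = {}
    for t in (0, 60, 300, 599, 600):
        cache.refresh(t)
        timeline[t] = (sorted(cache.active_addrs("update.example.com", "permit", t)),
                       sorted(cache.active_addrs("bad.example.net", "deny", t)))
    return timeline


if __name__ == "__main__":
    for t, (permit, deny) in demo().items():
        print(f"t={t:>3}s permit={permit} deny={deny}")
```

In the demo the deny address disappears the moment its 60 s TTL expires, while 192.0.2.10 stays matchable from t=300 s until t=600 s, one old TTL after it left the answer, and only then drops. The grace period here is tied to the TTL of the expired answer, so a zone with a very long TTL buys itself a correspondingly long tail; a deployment would want an upper bound on that, which is the "how much" question the thread leaves open.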