[dnsext] Ghost domain names
Edward Lewis <Ed.Lewis@neustar.biz> Mon, 13 February 2012 18:58 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9C5221F866A; Mon, 13 Feb 2012 10:58:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1329159536; bh=MnOfxFKAM8Oca4CSTDP1YzY7XDWh6Vx9ltmfKYMYvQA=; h=Mime-Version:Message-Id:In-Reply-To:References:Date:To:From:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=gnTv/ZheVg9nyY/HH55nLdksuacDCfm/nbyzLAU4ivUL+mk9Kk3Am7d7mfKZB3E8T K71hxxpzvSuNb7AjJqz+RkXloCRMMtSyELAbQZdQnH8huXY0HXCqdxya0IoAaRrk5O DIXYU/KtybCvbwTeta5HveKSiAG40LZ5Ok0GvkkE=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CF6121F850D for <dnsext@ietfa.amsl.com>; Mon, 13 Feb 2012 10:58:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.214
X-Spam-Level:
X-Spam-Status: No, score=-106.214 tagged_above=-999 required=5 tests=[AWL=0.385, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oDCGqP9eQJh3 for <dnsext@ietfa.amsl.com>; Mon, 13 Feb 2012 10:58:54 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 4993021F849C for <dnsext@ietf.org>; Mon, 13 Feb 2012 10:58:54 -0800 (PST)
Received: from Work-Laptop-2.local (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q1DIwqCT011952; Mon, 13 Feb 2012 13:58:52 -0500 (EST) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.203.246] by Work-Laptop-2.local (PGP Universal service); Mon, 13 Feb 2012 13:58:53 -0500
X-PGP-Universal: processed; by Work-Laptop-2.local on Mon, 13 Feb 2012 13:58:53 -0500
Mime-Version: 1.0
Message-Id: <a06240804cb5f0772c009@[192.168.128.21]>
In-Reply-To: <4F3945EE.6070008@ogud.com>
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl> <4F353676.6090702@ogud.com> <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu> <4F357920.2000008@ogud.com> <6EEB712F-42B8-4318-ABAD-C11A94F61CC6@verisign.com> <4F3945EE.6070008@ogud.com>
Date: Mon, 13 Feb 2012 13:58:50 -0500
To: dnsext@ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Cc: ed.lewis@neustar.biz
Subject: [dnsext] Ghost domain names
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
I looked briefly at the paper (http://www.isc.org/files/imce/ghostdomain_camera.pdf) and don't see this as a "vulnerability" but rather a result of a lack of revocation in the protocol. (The paper says as much.) Adding revocation isn't going to be easy. The IETF has never published a detailed document on how a cache should be managed. It's never been an "interoperability issue." (This came up at NANOG 54 again, as a result of http://www.nanog.org/meetings/nanog54/abstracts.php?pt=MTkwOCZuYW5vZzU0&nm=nanog54.) My assumption, and perhaps this is just an assumption, is that caches clip the TTL to be 1 week. At least that is what BIND was measured as doing at some time in the past. With this, anyone can then assume about a 1 week "fuzz" in the deletion of a domain name. Beyond that, it's going to get complicated. When this issue has come up in the path, it eventually goes into - what do you do about applications that persist in use of the data that has expired. Like an open SSH connection that lasts days and days when the AAAA record used to start it had a TTL of an hour? Or an open web page from which links are clicked. DNS-based data will get stale, the one control element we have is the TTL. I'd just write this: A general purpose DNS cache SHOULD limit the TTL of any record set it accepts to 1 week. An application using DNS data is RECOMMENDED to refresh the DNS data at least once per week. Why a week? It's convenient to write. A better time span would be to ask the TLD's what they are willing to accept as a "fuzz" factor when deactivating a domain name - and how long are they willing to retain historical registration records. But a week, otherwise, just seems good. I don't think this is a DNSEXT issue, I don't think a protocol change looms. Oh, and as far as TTL "stretching" aka, refreshing the set in the cache, this is a toss up. If a recursor is reacting to a referral, it won't have to look at any NS set unless it does not find the set in the cache. Maybe here the TTL of what's in the cache matters - I'd only consider fetching the NS set again if I think I'll need it before the currently held set TTLs out. With DNSSEC, I'd want to pre-fetch long enough I that I have a newly validated set in time to plop on top of the old set. I guess I'd never "stretch" a TTL, I'd get ready to bring on a new copy before losing the previous one. (Analogous to the process of re-freshing signatures in DNSSEC.) The issue seems to be - traceability and replaceability. Once a delegation is removed we need to continue to tie the delegation to the source until no cache has it around anymore. And we need to see all of the old delegation for a name to "go away" before reviving the name. I think that's the ultimately the goal. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 2012...time to reuse those 1984 calendars! _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] perhaps we should reintroduce "resimprov… paul vixie
- Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
- Re: [dnsext] perhaps we should reintroduce "resim… Frederico A C Neves
- Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
- Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
- Re: [dnsext] perhaps we should reintroduce "resim… Warren Kumari
- Re: [dnsext] perhaps we should reintroduce "resim… Stephane Bortzmeyer
- Re: [dnsext] perhaps we should reintroduce "resim… paul vixie
- Re: [dnsext] perhaps we should reintroduce "resim… W.C.A. Wijngaards
- Re: [dnsext] perhaps we should reintroduce "resim… Florian Weimer
- Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
- Re: [dnsext] perhaps we should reintroduce "resim… Nicholas Weaver
- Re: [dnsext] perhaps we should reintroduce "resim… Paul Hoffman
- Re: [dnsext] perhaps we should reintroduce "resim… Evan Hunt
- Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
- Re: [dnsext] perhaps we should reintroduce "resim… Blacka, David
- Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
- [dnsext] Ghost domain names Edward Lewis
- Re: [dnsext] perhaps we should reintroduce "resim… Blacka, David
- Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
- Re: [dnsext] Ghost domain names Florian Weimer
- Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy
- Re: [dnsext] perhaps we should reintroduce "resim… Edward Lewis
- Re: [dnsext] perhaps we should reintroduce "resim… Paul Vixie
- Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy
- Re: [dnsext] perhaps we should reintroduce "resim… Mark Andrews
- Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy