Re: [dnsext] perhaps we should reintroduce "resimprove"

Nicholas Weaver <nweaver@icsi.berkeley.edu> Fri, 10 February 2012 15:58 UTC

From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <4F353676.6090702@ogud.com>
Date: Fri, 10 Feb 2012 07:58:11 -0800
Message-Id: <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu>
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl> <4F353676.6090702@ogud.com>
To: Olafur Gudmundsson <ogud@ogud.com>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"

On Feb 10, 2012, at 7:23 AM, Olafur Gudmundsson wrote:
> For Credibility Greater ">"  the following options make sense
> 	Store, Replace
> 
> For Credibility Equal "="   the following options make sense
> 	Ignore, Delete
> 
> For Credibility Less "<"
> 	Ignore
> 
> If you do Replace on NS on "=" you get ghost domains, because
> NS set and Glue are the only data that resolver will see in an answer that it potentially has in cache.
> If you insist on allowing "Replace" on equal then you MUST implement "Fetch NS from child" and "Fetch all glue" to combat the ghost domains and still have Kaminsky defense.

One other option:
replace-with-min-TTL:  A replacement cache entry's new TTL is min(current TTL on the entry, new TTL).


The problem with ghosted domains is not changing the NS RRSET, it's that changing the NS RRSET is also resetting the TTL. Yet given "Newer vs older data of the same credibility", isn't newer more meaningful (apart from the stickiness problem)?

But changing "replace" with "replace-with-min-ttl" means you're conservative on timeout in the case of disagreement between old and new.


And overall, I think replace-with-min-TTL should be standardized. Because even "Credibility > replace" can have a problem: The parent wants a deliberate shorter TTL for the NS set, but the child can override it.

For example, .com wants a 2 day TTL, but the child overrides it with a 7 day TTL, which still gives a 7-day 'no-revocation' window for any preseeded domains.  This could be even worse for various dynamic DNS services which allow delegation.

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
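An added illustration, not code from this thread: a toy resolver-cache update function implementing the Store/Replace/Ignore credibility rules quoted above plus the replace-with-min-TTL variant, used to compare how long a stale NS set survives under each policy (the ghost-domain case) and whether a child can stretch the parent's shorter NS TTL. The entry layout, the credibility numbers, the daily re-assertion cadence and the example names are constructed assumptions.

```python
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass
class CacheEntry:
    rrset: tuple        # constructed NS owner names
    expires_at: int     # absolute time in seconds
    credibility: int    # higher = more trusted (e.g. child auth answer > parent referral)


def update_cache(entry, new_rrset, new_ttl, new_cred, now, policy):
    """Apply one cache-update policy to an incoming RRset.
    policy is 'ignore', 'replace' or 'replace-with-min-ttl' (assumed names)."""
    if entry is None or entry.expires_at <= now:
        return CacheEntry(new_rrset, now + new_ttl, new_cred)   # nothing live: Store
    if new_cred < entry.credibility:
        return entry                                            # Credibility "<": Ignore
    if new_cred == entry.credibility and policy == "ignore":
        return entry                                            # Credibility "=": Ignore
    ttl = new_ttl
    if policy == "replace-with-min-ttl":
        ttl = min(entry.expires_at - now, new_ttl)              # never push the old expiry out
    return CacheEntry(new_rrset, now + ttl, new_cred)           # Replace


def ghost_lifetime(policy, child_ttl=7 * DAY, horizon=30 * DAY):
    """Delegation removed at the parent at t=0, but the cached NS set is re-asserted
    once a day by answers of the same credibility. Returns the time at which the
    stale NS set finally expires, or None if it is still cached at the horizon."""
    entry = CacheEntry(("ns1.ghost.example.",), expires_at=child_ttl, credibility=1)
    for now in range(0, horizon, DAY):
        if entry.expires_at <= now:
            return now                                          # removal finally took effect
        entry = update_cache(entry, entry.rrset, child_ttl, 1, now, policy)
    return None


def child_override(policy, parent_ttl=2 * DAY, child_ttl=7 * DAY):
    """Parent referral (credibility 1) is cached first; the child's more credible
    NS answer (credibility 2) arrives right after with a longer TTL.
    Returns the resulting expiry, i.e. the effective TTL from t=0."""
    entry = CacheEntry(("ns1.child.example.",), expires_at=parent_ttl, credibility=1)
    return update_cache(entry, entry.rrset, child_ttl, 2, 0, policy).expires_at


if __name__ == "__main__":
    for p in ("replace", "replace-with-min-ttl", "ignore"):
        print(p, "ghost expires at:", ghost_lifetime(p), "child override TTL:", child_override(p))
```

With plain "replace" the daily re-assertion keeps sliding the expiry forward, so the stale NS set never leaves the cache within the horizon; with replace-with-min-TTL it expires exactly when the originally cached TTL would have, and the child's 7-day answer is clamped to the parent's remaining 2 days.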