IETF Logo Mail Archive

Re: [dnsext] perhaps we should reintroduce "resimprove"

Olafur Gudmundsson <ogud@ogud.com> Mon, 13 February 2012 17:18 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 736A221F854F; Mon, 13 Feb 2012 09:18:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1329153522; bh=SgWNKmxP6Rgn8Bxq+BToMhuHJgX1++UiwGpSm1i9g6k=; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=CaQizL6sZbpr6Dpdtg5TAt28dkhy56OOsB12dLFo27xY+MdGVa29t02OHQQmTg4gd i6VvNpHvDWZbZnye4TiB5esjw7tMbjvBoYUt8Tq31DBLzAJagIQrZwIJ8Ot8UbBaCD 9PorlXutlFJOX++FA4qUGl7vqV3L6EfGZpUGsyzE=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3F2A21F854F for <dnsext@ietfa.amsl.com>; Mon, 13 Feb 2012 09:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.481
X-Spam-Level:
X-Spam-Status: No, score=-106.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKVEb-tN10lU for <dnsext@ietfa.amsl.com>; Mon, 13 Feb 2012 09:18:41 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id D914E21F8523 for <dnsext@ietf.org>; Mon, 13 Feb 2012 09:18:40 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q1DHIcNU011148 for <dnsext@ietf.org>; Mon, 13 Feb 2012 12:18:38 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4F3945EE.6070008@ogud.com>
Date: Mon, 13 Feb 2012 12:18:38 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: dnsext@ietf.org
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl> <4F353676.6090702@ogud.com> <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu> <4F357920.2000008@ogud.com> <6EEB712F-42B8-4318-ABAD-C11A94F61CC6@verisign.com>
In-Reply-To: <6EEB712F-42B8-4318-ABAD-C11A94F61CC6@verisign.com>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

<still no-hat>

On 10/02/2012 17:58, Blacka, David wrote:
>
> On Feb 10, 2012, at 3:08 PM, Olafur Gudmundsson wrote:
>>>
>>>
>>> The problem with ghosted domains is not changing the NS RRSET, its that changing the NS RRSET is also resetting the TTL.  Yet given "Newer vs older data of the same credibility", isn't newer more meaningful (apart from the stickyness problem)?
>>>
>> TTL stretching was a REAL BAD idea, and must be stamped out.
>
> What do you mean by "TTL stretching"?  Are you inventing new DNS terms?
>
Well I have been using this for a while, and I do recall where the 
definition originated. The issue this term is describing:

When a resolver sees an RRset in an response, that it has in its cache,
it compares the RRset's and if identical it updates the TTL to reflect 
the RRset in the response.


>>
>>> But changing "replace" with "replace-with-min-ttl" means you're conservative on timeout in the case of disagreement between old and new.
>>
>> I prefer that resolver perform Delete rather than this, that forces the resolver to reevaluate the delegation.
>
> So, every time a zone operator modifies the apex NS RRset, resolvers around the world instantly (as they query the zone for positive answers) invalidate the cached NSs and go back to the parent.  That seems like suboptimal behavior to me.

I wish you would not use the word: optimal
as that is setting a value judgment without explicitly saying what you 
are optimizing.
In the past trying to do the optimal (packet count) thing vs the safest 
thing has got us in problems and I do not want to see that again.

What happens depends both on the behavior of the resolver and the 
authoritative server that is asked.
For example if the authoritative server is using Minimal-answer (i.e. no 
authority section on positive answers).
Then the resolver does not see a new version of the NS set and is denied 
the opportunity to following ``optimizations''
	- discover that the NS set has changed
	- Stretch the TTL on the NS set

>
>> In the case of resolver that does "Fetch NS" upon seeing the referral and adheres to RFC2181 credibility rules, it will always ignore NS set in authority section.
>
> Fair enough, but why do I have to do that extra query in order to solve this problem?

Again here you are using value judgment as what is better:
	fewer queries vs safety
If all resolvers in 2007 had implemented "Fetch NS" and applied 
credibility rules Kaminsky attack would never have become an issue.

Similarly when authoritative severs use minimal answers the resolver 
only has the parent side NS set, what should the resolver do?
keep the parent side NS or lookup the Childs NS set.

>
>> If a zone wants changes to propagate quickly it should use a smaller TTL. Resolvers should implement a MAX TTL both to purge old data faster, and to adopt faster to changes.
>
> Agreed.  However, I don't think there is any advice what a good max TTL value should be.  2 days? 7 days?
>

Personally I think 1 day if a fine upper bound.

>>> And overall, I think replace-with-min-TTL should be standardized. Because even "Credibility>   replace" can have a problem:  The parent wants a deliberate shorter TTL for the NS set, but the child can override it.
>>>
>>> For example, .com wants a 2 day TTL, but the child overrides it with a 7 day TTL, which still gives a 7-day 'no-revocation' window for any preseeded domains.  This could be even worse for various dynamic DNS services which allow delegation.
>>>
>>>
>> well in the case of TLD's the TTL on referrals ranges from 600 (10min) to 345600 (4 days)  with 1 day as the median value and most common one.
>> Based on a sample of 180 google.<TLD>  domains out of 310 TLD's.
>>
>> Do you want everyone that has a parent with 600-3600 TTL on parent side NS records to force that policy on all their children?
>
> I don't, at least.  I'd like to preserve as much of the current DNS behavior here as we can (thus, I really don't like the bailiwick rule that the paper authors recommend, since it will force all zones to be parent-centric, which is a major change to current behavior.)
>
> I would think that if the rule was:
>
> Credibility>
>     Replace, update TTL
> Credibility ==
>     Replace, keeping existing TTL
>
> then you would get the desired behavior.  That is, the first NS RRset from the child would update the RRset as normal, allowing the child to have a different NS RRset and whatever TTL they choose.  And when the child changes their NS RRset, it propagates at the same speed it does today (faster than the TTL expiration).  But the resolver will always revaluate the parent delegation after at most 2 TTL intervals.
>

Of the two alternatives, I like "Fetch NS" much better than the logic above.
Having said that I also like "Minimal answers" for authoritative servers 
as that forces resolvers to act more predictably :-)

	Olafur
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email