Re: [dnsext] perhaps we should reintroduce "resimprove"
Olafur Gudmundsson <ogud@ogud.com> Mon, 13 February 2012 17:18 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 736A221F854F; Mon, 13 Feb 2012 09:18:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1329153522; bh=SgWNKmxP6Rgn8Bxq+BToMhuHJgX1++UiwGpSm1i9g6k=; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=CaQizL6sZbpr6Dpdtg5TAt28dkhy56OOsB12dLFo27xY+MdGVa29t02OHQQmTg4gd i6VvNpHvDWZbZnye4TiB5esjw7tMbjvBoYUt8Tq31DBLzAJagIQrZwIJ8Ot8UbBaCD 9PorlXutlFJOX++FA4qUGl7vqV3L6EfGZpUGsyzE=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3F2A21F854F for <dnsext@ietfa.amsl.com>; Mon, 13 Feb 2012 09:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.481
X-Spam-Level:
X-Spam-Status: No, score=-106.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKVEb-tN10lU for <dnsext@ietfa.amsl.com>; Mon, 13 Feb 2012 09:18:41 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id D914E21F8523 for <dnsext@ietf.org>; Mon, 13 Feb 2012 09:18:40 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q1DHIcNU011148 for <dnsext@ietf.org>; Mon, 13 Feb 2012 12:18:38 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4F3945EE.6070008@ogud.com>
Date: Mon, 13 Feb 2012 12:18:38 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: dnsext@ietf.org
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl> <4F353676.6090702@ogud.com> <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu> <4F357920.2000008@ogud.com> <6EEB712F-42B8-4318-ABAD-C11A94F61CC6@verisign.com>
In-Reply-To: <6EEB712F-42B8-4318-ABAD-C11A94F61CC6@verisign.com>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
<still no-hat> On 10/02/2012 17:58, Blacka, David wrote: > > On Feb 10, 2012, at 3:08 PM, Olafur Gudmundsson wrote: >>> >>> >>> The problem with ghosted domains is not changing the NS RRSET, its that changing the NS RRSET is also resetting the TTL. Yet given "Newer vs older data of the same credibility", isn't newer more meaningful (apart from the stickyness problem)? >>> >> TTL stretching was a REAL BAD idea, and must be stamped out. > > What do you mean by "TTL stretching"? Are you inventing new DNS terms? > Well I have been using this for a while, and I do recall where the definition originated. The issue this term is describing: When a resolver sees an RRset in an response, that it has in its cache, it compares the RRset's and if identical it updates the TTL to reflect the RRset in the response. >> >>> But changing "replace" with "replace-with-min-ttl" means you're conservative on timeout in the case of disagreement between old and new. >> >> I prefer that resolver perform Delete rather than this, that forces the resolver to reevaluate the delegation. > > So, every time a zone operator modifies the apex NS RRset, resolvers around the world instantly (as they query the zone for positive answers) invalidate the cached NSs and go back to the parent. That seems like suboptimal behavior to me. I wish you would not use the word: optimal as that is setting a value judgment without explicitly saying what you are optimizing. In the past trying to do the optimal (packet count) thing vs the safest thing has got us in problems and I do not want to see that again. What happens depends both on the behavior of the resolver and the authoritative server that is asked. For example if the authoritative server is using Minimal-answer (i.e. no authority section on positive answers). Then the resolver does not see a new version of the NS set and is denied the opportunity to following ``optimizations'' - discover that the NS set has changed - Stretch the TTL on the NS set > >> In the case of resolver that does "Fetch NS" upon seeing the referral and adheres to RFC2181 credibility rules, it will always ignore NS set in authority section. > > Fair enough, but why do I have to do that extra query in order to solve this problem? Again here you are using value judgment as what is better: fewer queries vs safety If all resolvers in 2007 had implemented "Fetch NS" and applied credibility rules Kaminsky attack would never have become an issue. Similarly when authoritative severs use minimal answers the resolver only has the parent side NS set, what should the resolver do? keep the parent side NS or lookup the Childs NS set. > >> If a zone wants changes to propagate quickly it should use a smaller TTL. Resolvers should implement a MAX TTL both to purge old data faster, and to adopt faster to changes. > > Agreed. However, I don't think there is any advice what a good max TTL value should be. 2 days? 7 days? > Personally I think 1 day if a fine upper bound. >>> And overall, I think replace-with-min-TTL should be standardized. Because even "Credibility> replace" can have a problem: The parent wants a deliberate shorter TTL for the NS set, but the child can override it. >>> >>> For example, .com wants a 2 day TTL, but the child overrides it with a 7 day TTL, which still gives a 7-day 'no-revocation' window for any preseeded domains. This could be even worse for various dynamic DNS services which allow delegation. >>> >>> >> well in the case of TLD's the TTL on referrals ranges from 600 (10min) to 345600 (4 days) with 1 day as the median value and most common one. >> Based on a sample of 180 google.<TLD> domains out of 310 TLD's. >> >> Do you want everyone that has a parent with 600-3600 TTL on parent side NS records to force that policy on all their children? > > I don't, at least. I'd like to preserve as much of the current DNS behavior here as we can (thus, I really don't like the bailiwick rule that the paper authors recommend, since it will force all zones to be parent-centric, which is a major change to current behavior.) > > I would think that if the rule was: > > Credibility> > Replace, update TTL > Credibility == > Replace, keeping existing TTL > > then you would get the desired behavior. That is, the first NS RRset from the child would update the RRset as normal, allowing the child to have a different NS RRset and whatever TTL they choose. And when the child changes their NS RRset, it propagates at the same speed it does today (faster than the TTL expiration). But the resolver will always revaluate the parent delegation after at most 2 TTL intervals. > Of the two alternatives, I like "Fetch NS" much better than the logic above. Having said that I also like "Minimal answers" for authoritative servers as that forces resolvers to act more predictably :-) Olafur _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] perhaps we should reintroduce "resimprov… paul vixie
- Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
- Re: [dnsext] perhaps we should reintroduce "resim… Frederico A C Neves
- Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
- Re: [dnsext] perhaps we should reintroduce "resim… Andrew Sullivan
- Re: [dnsext] perhaps we should reintroduce "resim… Warren Kumari
- Re: [dnsext] perhaps we should reintroduce "resim… Stephane Bortzmeyer
- Re: [dnsext] perhaps we should reintroduce "resim… paul vixie
- Re: [dnsext] perhaps we should reintroduce "resim… W.C.A. Wijngaards
- Re: [dnsext] perhaps we should reintroduce "resim… Florian Weimer
- Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
- Re: [dnsext] perhaps we should reintroduce "resim… Nicholas Weaver
- Re: [dnsext] perhaps we should reintroduce "resim… Paul Hoffman
- Re: [dnsext] perhaps we should reintroduce "resim… Evan Hunt
- Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
- Re: [dnsext] perhaps we should reintroduce "resim… Blacka, David
- Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
- [dnsext] Ghost domain names Edward Lewis
- Re: [dnsext] perhaps we should reintroduce "resim… Blacka, David
- Re: [dnsext] perhaps we should reintroduce "resim… Olafur Gudmundsson
- Re: [dnsext] Ghost domain names Florian Weimer
- Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy
- Re: [dnsext] perhaps we should reintroduce "resim… Edward Lewis
- Re: [dnsext] perhaps we should reintroduce "resim… Paul Vixie
- Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy
- Re: [dnsext] perhaps we should reintroduce "resim… Mark Andrews
- Re: [dnsext] perhaps we should reintroduce "resim… Mohan Parthasarathy