Re: [dnsext] perhaps we should reintroduce "resimprove"
Olafur Gudmundsson <ogud@ogud.com> Fri, 10 February 2012 15:23 UTC
Message-ID: <4F353676.6090702@ogud.com>
Date: Fri, 10 Feb 2012 10:23:34 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
To: dnsext@ietf.org
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl>
In-Reply-To: <4F34E0BF.9060305@nlnetlabs.nl>
On 10/02/2012 04:17, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Stephane,
>
> On 02/10/2012 09:44 AM, Stephane Bortzmeyer wrote:
>> It seems to me that this draft does not currently address the ghost
>> domain problem. It mandates revalidation at the parent when the
>> records expire, but it does not say anything about the rules that
>> allow an authoritative server to overwrite the old TTL with a new
>> value, thus preventing expiration.
>>
>> Would it be a better idea to use this draft as a starting point to
>> work on the issues proposed by the ghost domains paper? (Replacing >=
>> by > in the credibility rules and other measures.)
>
> This replacement is wrong. We must have '=' in >= to pick up zone
> changes from the same server. We must have revalidation at the parent
> for the ghost-domain problem, it is simply a case of having the NS TTL
> expire (i.e. meaning, the NS RRset can be replaced with a newer one but
> the NS TTL does not increase).
>
> Best regards,
> Wouter
>

<no-hat>

Strictly speaking, when a resolver gets an RRset there are 4 different
actions it can take:

  Store:   applicable when the RRset does not exist
  Replace: applicable when there is a prior set
  Ignore:  always an option
  Delete:  this says that the resolver has lost confidence in the cached RRset

For credibility Greater ">" the following options make sense: Store, Replace
For credibility Equal "=" the following options make sense: Ignore, Delete
For credibility Less "<": Ignore

If you do Replace on NS on "=" you get ghost domains, because the NS set
and glue are the only data that a resolver will see in an answer that it
potentially has in cache.

If you insist on allowing "Replace" on equal then you MUST implement
"Fetch NS from child" and "Fetch all glue" to combat the ghost domains
and still have Kaminsky defense.

  Olafur

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
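The following is an added example, not code from Olafur's message, from Unbound, or from any other resolver. It models the Store/Replace/Ignore/Delete decision above as a small cache-update policy and replays the ghost-domain scenario from the thread: a parent drops a delegation, but the former child server keeps returning its NS set with a fresh TTL in the authority section of every answer. The credibility ranks, the zone name `example.test.`, the two-day NS TTL, the once-a-day query pattern and the `simulate()` helper are all constructed for illustration; the ranking only loosely follows the ordering in RFC 2181 section 5.4.1 and is not the full table. Toggling `replace_on_equal` switches between the ">=" rule (equal credibility refreshes the cached TTL) and the ">" rule (equal credibility is ignored, so the NS TTL runs down and the resolver revalidates at the parent).

```python
"""Added example: Store/Replace/Ignore applied to a cached NS set (constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Assumed credibility ranks, higher = more credible (not the full RFC 2181 table).
CRED_REFERRAL_AUTHORITY = 1  # NS set in the authority section of a parent referral
CRED_AUTH_AUTHORITY = 2      # NS set in the authority section of the child's own answer


class Action(Enum):
    STORE = "store"
    REPLACE = "replace"
    IGNORE = "ignore"
    DELETE = "delete"


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    ttl: int
    credibility: int


@dataclass
class CacheEntry:
    rrset: RRset
    expires_at: int


class Cache:
    """Minimal resolver cache keyed by (owner name, RR type)."""

    def __init__(self, replace_on_equal: bool) -> None:
        self.replace_on_equal = replace_on_equal  # True models the ">=" rule
        self._entries: Dict[Tuple[str, str], CacheEntry] = {}

    def lookup(self, name: str, rtype: str, now: int) -> Optional[CacheEntry]:
        entry = self._entries.get((name, rtype))
        if entry is None or entry.expires_at <= now:
            self._entries.pop((name, rtype), None)  # expired: purge and report a miss
            return None
        return entry

    def offer(self, rrset: RRset, now: int) -> Action:
        """Store/Replace/Ignore an RRset seen in a response, decided by credibility."""
        key = (rrset.name, rrset.rtype)
        cached = self.lookup(rrset.name, rrset.rtype, now)
        if cached is None:
            self._entries[key] = CacheEntry(rrset, now + rrset.ttl)
            return Action.STORE
        if rrset.credibility > cached.rrset.credibility:
            self._entries[key] = CacheEntry(rrset, now + rrset.ttl)
            return Action.REPLACE
        if rrset.credibility == cached.rrset.credibility and self.replace_on_equal:
            # Equal credibility refreshes the TTL: this is what keeps a revoked
            # delegation alive as a ghost domain.
            self._entries[key] = CacheEntry(rrset, now + rrset.ttl)
            return Action.REPLACE
        return Action.IGNORE

    def delete(self, name: str, rtype: str) -> Action:
        """Drop an RRset the resolver no longer trusts."""
        self._entries.pop((name, rtype), None)
        return Action.DELETE


# Constructed scenario: one delegation, NS TTL of two days, one query per day.
ZONE = "example.test."
NS_TTL, DAY = 172_800, 86_400
PARENT_REFERRAL = RRset(ZONE, "NS", ("ns1.example.test.",), NS_TTL, CRED_REFERRAL_AUTHORITY)
CHILD_NS = RRset(ZONE, "NS", ("ns1.example.test.",), NS_TTL, CRED_AUTH_AUTHORITY)


def simulate(replace_on_equal: bool, delegation_removed_at: int = 3_600,
             horizon_days: int = 10) -> Dict[str, object]:
    """Return when the resolver first goes back to the parent and finds the
    delegation gone (None if the ghost is still cached at the horizon)."""
    cache = Cache(replace_on_equal)
    cache.offer(PARENT_REFERRAL, now=0)   # referral from the parent
    cache.offer(CHILD_NS, now=1)          # child's NS set is more credible: Replace
    served_by_child: List[int] = []
    for day in range(1, horizon_days + 1):
        now = day * DAY
        if cache.lookup(ZONE, "NS", now) is not None:
            # Cached NS still valid: the resolver asks the child, which re-offers its NS set.
            cache.offer(CHILD_NS, now)
            served_by_child.append(now)
        elif now < delegation_removed_at:
            cache.offer(PARENT_REFERRAL, now)  # delegation still exists: normal refresh
        else:
            return {"ghost_detected_at": now, "served_by_child": served_by_child}
    return {"ghost_detected_at": None, "served_by_child": served_by_child}
```

With `replace_on_equal=True` the cached NS set is refreshed on every daily answer and the delegation is still being served from the former child ten days after the parent removed it; with `replace_on_equal=False` the child's NS set replaces the referral exactly once (greater credibility), later equal-credibility copies are ignored, the entry expires after two days, and the next query walks back to the parent and sees the delegation is gone. Note that the Delete action is only exposed as a method here; deciding when to lose confidence in a cached set is out of scope for this example.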