Re: [dnsext] perhaps we should reintroduce "resimprove"

Olafur Gudmundsson <ogud@ogud.com> Fri, 10 February 2012 15:23 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAD5A21F855B; Fri, 10 Feb 2012 07:23:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328887434; bh=HM7CvQW/u7Vc26hXyd0BWZrAB3Mt4S3O0Bqba4ne+4E=; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=MJ4uCOXzkft6lXw/x9RXBIO/m6LoH/KjOdlnVciW3xwDEb4t8tBmQjxfMDKbLi+3e O7Lj/DnvXpk9UTL8cNZRdrKwDSI+r1+Z3lfpLnIQIQm/sFJSKAKLsLZEEog661BlXz hBxOARGtrU9lKHIVB0VPTv9IQRoPzxp5qfhkm+rE=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E96121F86A8 for <dnsext@ietfa.amsl.com>; Fri, 10 Feb 2012 07:23:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.469
X-Spam-Level:
X-Spam-Status: No, score=-106.469 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLoFfny3TzY9 for <dnsext@ietfa.amsl.com>; Fri, 10 Feb 2012 07:23:38 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 2153A21F8554 for <dnsext@ietf.org>; Fri, 10 Feb 2012 07:23:37 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q1AFNYrT084428 for <dnsext@ietf.org>; Fri, 10 Feb 2012 10:23:34 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4F353676.6090702@ogud.com>
Date: Fri, 10 Feb 2012 10:23:34 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: dnsext@ietf.org
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl>
In-Reply-To: <4F34E0BF.9060305@nlnetlabs.nl>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On 10/02/2012 04:17, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Stephane,
>
> On 02/10/2012 09:44 AM, Stephane Bortzmeyer wrote:
>> It seems to me that this draft does not currently address the ghost
>> domain problem. It mandates revalidation at the parent when the
>> records expire, but it does not say anything about the rules that
>> allow an authoritative server to overwrite the old TTL with a new
>> value, thus preventing expiration.
>>
>> Would it be a better idea to use this draft as a starting point to
>> work on the issues proposed by the ghost domains paper? (Replacing >=
>> by > in the credibility rules and other measures.)
>
> This replacement is wrong.  We must have '=' in >= to pick up zone
> changes from the same server.  We must have revalidation at the parent
> for the ghost-domain problem, it is simply a case of having the NS TTL
> expire (i.e. meaning, the NS RRset can be replaced with a newer one but
> the NS TTL does not increase).
>
> Best regards,
>     Wouter
>

<no-hat>

Strictly speaking, when a resolver gets an RRset there are 4 different 
actions it can take:

Store: Applicable when the RRset does not exist
Replace: Applicable when there is a prior set
Ignore: always an option
Delete: This says that the resolver has lost confidence in the cached data.

For Credibility Greater ">" the following options make sense
	Store, Replace

For Credibility Equal "=" the following options make sense
	Ignore, Delete

For Credibility Less "<"
	Ignore

If you do Replace on NS on "=" you get ghost domains, because the
NS set and glue are the only data that a resolver will see in an answer 
that it potentially has in cache.
If you insist on allowing "Replace" on equal then you MUST implement 
"Fetch NS from child" and "Fetch all glue" to combat the ghost domains 
and still have Kaminsky defense.

	Olafur

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
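The store/replace/ignore table above, and the ghost-domain consequence of choosing Replace on equal credibility, can be made concrete with a small cache simulation. The following is an added example written for this archive page; it is not code from the thread, from Unbound or from any resolver. The credibility ranking, the zone name `ghost.example.test.` and the hour-by-hour timeline are constructed for illustration; the two cache policies differ only in how an RRset of equal credibility is handled.

```python
"""Simulate resolver cache credibility handling (added example, not from the thread).

Two policies are compared for an incoming RRset whose credibility EQUALS the
cached one: the strict rule from the mail (greater -> store/replace, equal or
less -> ignore) and the permissive rule (equal -> replace, refreshing the TTL).
Credibility levels and the zone 'ghost.example.test.' are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Cred(IntEnum):
    """Constructed credibility ranking; only the relative order matters."""
    ADDITIONAL = 1    # data from an additional section
    REFERRAL_NS = 2   # NS set learned from a parent's referral
    AUTH_ANSWER = 3   # answer section of an authoritative response


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: tuple
    ttl: int
    cred: Cred


@dataclass
class CacheEntry:
    rrset: RRset
    expires_at: int


class Cache:
    """Minimal cache keyed by (owner name, type) with a credibility rule."""

    def __init__(self, replace_on_equal: bool):
        self.replace_on_equal = replace_on_equal
        self.entries = {}

    def lookup(self, name: str, rtype: str, now: int) -> Optional[RRset]:
        entry = self.entries.get((name, rtype))
        if entry is None:
            return None
        if entry.expires_at <= now:
            del self.entries[(name, rtype)]   # TTL expired: must re-resolve
            return None
        return entry.rrset

    def learn(self, rrset: RRset, now: int) -> str:
        """Apply the credibility rule; returns the action taken."""
        key = (rrset.name, rrset.rtype)
        current = self.lookup(rrset.name, rrset.rtype, now)
        if current is None:
            self.entries[key] = CacheEntry(rrset, now + rrset.ttl)
            return "store"
        if rrset.cred > current.cred:
            self.entries[key] = CacheEntry(rrset, now + rrset.ttl)
            return "replace"
        if rrset.cred == current.cred and self.replace_on_equal:
            # Permissive policy: same credibility refreshes the TTL.
            self.entries[key] = CacheEntry(rrset, now + rrset.ttl)
            return "replace"
        return "ignore"   # equal (strict policy) or lower credibility


def ghost_domain_scenario(replace_on_equal: bool, horizon: int = 10 * 86400,
                          step: int = 3600) -> Optional[int]:
    """Return the time (seconds) at which the delegation leaves the cache.

    The NS set is learned from a parent referral at t=0 with a one-day TTL.
    From t=1h the parent has removed the delegation, but the child's server
    stays up and keeps returning the same NS set, at the same credibility,
    every hour. None means the cached delegation never expired within the
    horizon, i.e. a ghost domain.
    """
    cache = Cache(replace_on_equal)
    ns = RRset("ghost.example.test.", "NS", ("ns1.ghost.example.test.",),
               86400, Cred.REFERRAL_NS)
    cache.learn(ns, 0)
    removed_at = 3600
    t = 0
    while t <= horizon:
        t += step
        if cache.lookup(ns.name, "NS", t) is None:
            return t   # resolver goes back to the parent, which has no delegation
        if t >= removed_at:
            refreshed = RRset(ns.name, "NS", ns.rdata, 86400, Cred.REFERRAL_NS)
            cache.learn(refreshed, t)
    return None


if __name__ == "__main__":
    print("strict (ignore on =):   gone at", ghost_domain_scenario(False))
    print("permissive (replace on =): gone at", ghost_domain_scenario(True))
```

With the strict rule the delegation disappears when the original TTL runs out, which is the "revalidation at the parent" behaviour the thread relies on; with Replace on equal credibility the child keeps extending its own NS TTL indefinitely, which is the ghost-domain condition.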