Re: [dnsext] perhaps we should reintroduce "resimprove"

Olafur Gudmundsson <ogud@ogud.com> Fri, 10 February 2012 20:08 UTC

Message-ID: <4F357920.2000008@ogud.com>
Date: Fri, 10 Feb 2012 15:08:00 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
To: dnsext@ietf.org
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl> <4F353676.6090702@ogud.com> <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu>
In-Reply-To: <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu>
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"

<still no-hat>
On 10/02/2012 10:58, Nicholas Weaver wrote:
>
> On Feb 10, 2012, at 7:23 AM, Olafur Gudmundsson wrote:
>> For Credibility Greater ">"  the following options make sense
>> 	Store, Replace
>>
>> For Credibility Equal "="   the following options make sense
>> 	Ignore, Delete
>>
>> For Credibility Less "<"
>> 	Ignore
>>
>> If you do Replace on NS on "=" you get ghost domains, because the
>> NS set and Glue are the only data that a resolver will see in an answer that it potentially already has in cache.
>> If you insist on allowing "Replace" on equal then you MUST implement "Fetch NS from child" and "Fetch all glue" to combat the ghost domains and still have the Kaminsky defense.
>
> One other option:
> replace-with-min-TTL:  A replacement cache entry's new TTL is min(current TTL on the entry, new TTL).
>
>
> The problem with ghosted domains is not changing the NS RRSET, it's that changing the NS RRSET is also resetting the TTL.  Yet given "Newer vs older data of the same credibility", isn't newer more meaningful (apart from the stickiness problem)?
>
TTL stretching was a REAL BAD idea, and must be stamped out.

> But changing "replace" with "replace-with-min-ttl" means you're conservative on timeout in the case of disagreement between old and new.

I prefer that the resolver perform Delete rather than this; that forces the 
resolver to re-evaluate the delegation.
In the case of a resolver that does "Fetch NS" upon seeing the referral 
and adheres to RFC 2181 credibility rules, it will always ignore the NS set 
in the authority section.

If a zone wants changes to propagate quickly it should use a smaller 
TTL. Resolvers should implement a MAX TTL both to purge old data faster 
and to adapt faster to changes.

>
>
> And overall, I think replace-with-min-TTL should be standardized. Because even "Credibility > replace" can have a problem:  The parent wants a deliberately shorter TTL for the NS set, but the child can override it.
>
> For example, .com wants a 2 day TTL, but the child overrides it with a 7 day TTL, which still gives a 7-day 'no-revocation' window for any preseeded domains.  This could be even worse for various dynamic DNS services which allow delegation.
>
>
Well, in the case of TLDs the TTL on referrals ranges from 600 (10 min) 
to 345600 (4 days), with 1 day as the median and most common value. 
This is based on a sample of 180 google.<TLD> domains out of 310 TLDs.

Do you want everyone that has a parent with a 600-3600 TTL on the parent-side 
NS records to force that policy on all their children?

	Olafur
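An added example, written for this archive page and not taken from the thread or from any resolver implementation: a toy Python model of the NS-cache update options discussed above (Store/Replace on greater credibility, Ignore/Delete or Weaver's replace-with-min-TTL on equal credibility, and a resolver-wide MAX TTL). It assumes a simplified numeric credibility rank, a constructed delegation name, and an assumed MAX TTL of one day; it shows why Replace on equal credibility keeps a revoked delegation alive for as long as someone keeps re-sending it, while the other options bound its lifetime.

```python
from dataclasses import dataclass

MAX_TTL = 86400   # resolver-wide TTL cap (assumed value; the thread only says "a MAX TTL")
NAME, NS = "example.test", frozenset({"ns1.example.test"})   # constructed sample delegation

@dataclass
class NSEntry:
    nameservers: frozenset
    credibility: int   # simplified RFC 2181 rank: higher wins (assumed numeric scale)
    expires_at: int    # absolute time in seconds

def update_ns(cache, name, new_ns, new_cred, ttl, now, equal_policy):
    """Apply an incoming NS RRset to the cache under the thread's options.

    equal_policy decides the credibility-equal case: 'replace' (resets TTL),
    'min_ttl' (replace-with-min-TTL), 'ignore' or 'delete'.
    """
    ttl = min(ttl, MAX_TTL)                    # MAX TTL clamp applies to every store
    old = cache.get(name)
    if old is None or new_cred > old.credibility:      # credibility ">": Store / Replace
        cache[name] = NSEntry(frozenset(new_ns), new_cred, now + ttl)
    elif new_cred == old.credibility:                   # credibility "="
        if equal_policy == "replace":
            cache[name] = NSEntry(frozenset(new_ns), new_cred, now + ttl)
        elif equal_policy == "min_ttl":
            remaining = max(0, old.expires_at - now)
            cache[name] = NSEntry(frozenset(new_ns), new_cred, now + min(remaining, ttl))
        elif equal_policy == "delete":
            del cache[name]
        # "ignore": keep the cached entry untouched
    # credibility "<": always Ignore
    return cache

def survival_time(equal_policy, ttl=86400, refresh_every=3600, horizon=7 * 86400):
    """Parent drops the delegation at t=0, but the same NS set keeps being re-seen
    at equal credibility every refresh_every seconds. Return the time at which the
    resolver stops using it; a result equal to horizon means it never dies."""
    cache = update_ns({}, NAME, NS, 1, ttl, 0, equal_policy)   # last referral before revocation
    t = 0
    while t < horizon:
        t += refresh_every
        if NAME not in cache or cache[NAME].expires_at <= t:
            return t
        update_ns(cache, NAME, NS, 1, ttl, t, equal_policy)
    return horizon

if __name__ == "__main__":
    for policy in ("replace", "min_ttl", "ignore", "delete"):
        print(f"{policy:8s} delegation usable for {survival_time(policy)} s")
```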