Re: [dnsext] perhaps we should reintroduce "resimprove"

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Fri, 10 February 2012 09:17 UTC

Message-ID: <4F34E0BF.9060305@nlnetlabs.nl>
Date: Fri, 10 Feb 2012 10:17:51 +0100
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
To: dnsext@ietf.org
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org>
In-Reply-To: <20120210084439.GB7284@laperouse.bortzmeyer.org>
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"


Hi Stephane,

On 02/10/2012 09:44 AM, Stephane Bortzmeyer wrote:
> It seems to me that this draft does not currently address the ghost
> domain problem. It mandates revalidation at the parent when the
> records expire, but it does not say anything about the rules that
> allow an authoritative server to overwrite the old TTL with a new
> value, thus preventing expiration.
> 
> Would it be a better idea to use this draft as a starting point to
> work on the issues proposed by the ghost domains paper? (Replacing >=
> by > in the credibility rules and other measures.)

This replacement is wrong.  We must have '=' in >= to pick up zone
changes from the same server.  We must have revalidation at the parent
for the ghost-domain problem, it is simply a case of having the NS TTL
expire (i.e. meaning, the NS RRset can be replaced with a newer one but
the NS TTL does not increase).

Best regards,
   Wouter
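Added illustration of the rule Wouter describes (this is example code written for this page, not code from the thread or from any resolver): a small cache model that keeps the '=' in the >= credibility rule so a changed NS RRset from the same server is accepted, but caps the NS TTL at the parent delegation's expiry so revalidation at the parent is forced. Credibility ranks follow the RFC 2181 ordering; the numeric values, class names and the `example.test.` zone are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Credibility ranks, least credible first (numbers are this example's convention).
CRED_GLUE = 1         # NS learned from glue/additional data
CRED_PARENT_AUTH = 2  # NS from the parent's referral (authority section)
CRED_CHILD_AUTH = 3   # NS from the child zone's own authoritative answer


@dataclass
class NSEntry:
    names: FrozenSet[str]
    credibility: int
    expires: int             # when this RRset's own TTL runs out
    delegation_expires: int  # when the parent's delegation must be rechecked


class NSCache:
    def __init__(self) -> None:
        self.entries: dict = {}

    def store(self, zone: str, names: Iterable[str], credibility: int,
              ttl: int, now: int, from_parent: bool) -> bool:
        """Store an NS RRset; return True when it was accepted.

        '>=' lets equal credibility replace the RRset, so zone changes on the
        same server are picked up. The TTL is capped at the delegation expiry,
        so re-announcing the NS set with a long TTL cannot keep the delegation
        alive once the parent's TTL has run out (the ghost-domain case).
        """
        old = self.entries.get(zone)
        if old is not None and now >= old.delegation_expires:
            old = None  # delegation expired: the parent's referral is needed again
        if old is not None and credibility < old.credibility:
            return False  # less credible data never overwrites the cache
        if from_parent:
            delegation_expires = now + ttl  # (re)validated at the parent
        elif old is not None:
            delegation_expires = old.delegation_expires  # keep the parent's clock
        else:
            return False  # a delegation is only learned from the parent
        expires = min(now + ttl, delegation_expires)  # NS TTL never increases
        self.entries[zone] = NSEntry(frozenset(names), credibility, expires,
                                     delegation_expires)
        return True

    def lookup(self, zone: str, now: int) -> Optional[FrozenSet[str]]:
        """Cached NS names, or None when a fresh query (or parent revalidation) is due."""
        e = self.entries.get(zone)
        if e is None or now >= e.expires or now >= e.delegation_expires:
            return None
        return e.names
```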