Re: [dnsext] perhaps we should reintroduce "resimprove"

paul vixie <vixie@isc.org> Fri, 10 February 2012 09:01 UTC

Message-ID: <4F34DCD0.2000500@isc.org>
Date: Fri, 10 Feb 2012 09:01:04 +0000
From: paul vixie <vixie@isc.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org>
In-Reply-To: <20120210084439.GB7284@laperouse.bortzmeyer.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"

On 2/10/2012 8:44 AM, Stephane Bortzmeyer wrote:
> On Thu, Feb 09, 2012 at 03:09:26PM +0000,
>  paul vixie <vixie@isc.org> wrote 
>  a message of 34 lines which said:
>
>> remove (B) and section 3, 
> Why? It seems fine to me (even if He-Who-Must-Not-Be-Named disagrees).

because arguing those merits will take time, and the other parts of the
proposal which are less controversial should not have to wait while
those arguments complete.

>> progress it not as an improvement but as a security and resiliency
>> requirement (so, a proposed standard) in the face of the "ghost domain"
>> problem.
> It seems to me that this draft does not currently address the ghost
> domain problem. It mandates revalidation at the parent when the
> records expire, but it does not say anything about the rules that
> allow an authoritative server to overwrite the old TTL with a new
> value, thus preventing expiration.
>
> Would it be a better idea to use this draft as a starting point to
> work on the issues proposed by the ghost domains paper? (Replacing >=
> by > in the credibility rules and other measures.)

i think there's some editorial flaw that leads to the above observation.
perhaps an explicit reference to RFC 2181 and some examples about how NS
replacement will work in light of credibility rules, would help explain
why this draft obviates the ghost domain problem.

for example the ghost problem appears to be about glue names (A/AAAA
RRsets referred to by NS RRs) whereas the resimprove solution set seems
to be only about the NS RRsets. but the effect of removing the NS RRsets
due to revalidation will be to purge the cache of any glue names which
were subdomains of those zone apexes.

paul
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
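The exchange above turns on two separate cache behaviours: the credibility rule that lets a child server's authority-section NS RRset refresh the TTL of an already-cached NS RRset (Stephane's ">=" versus ">"), and what happens to the rest of the subtree (glue A/AAAA and other names under the apex) when the delegation is revalidated at the parent and found to be gone (Paul's last paragraph). The following is an added toy simulation, not code from any resolver and not from the resimprove draft; the zone names, addresses and timings are constructed, and the credibility ranks are an assumed simplification loosely following RFC 2181 section 5.4.1, not the RFC's full ordering.

```python
"""Toy resolver cache for the ghost-domain discussion.  Constructed simulation with
made-up zone data; not code from any resolver or from the resimprove draft.  The
credibility ranks are an assumed, simplified model loosely following RFC 2181 5.4.1."""
from dataclasses import dataclass

# Assumed ranks, higher is more credible: authoritative answer data, the authority
# section of an authoritative reply, glue/additional data, the authority section
# of a referral from the parent.
ANSWER_AUTH, AUTHORITY_AUTH, GLUE, AUTHORITY_REFERRAL = 4, 3, 2, 1

ZONE = "victim.example"                 # made-up delegated zone
NS_NAME = "ns1." + ZONE                 # in-bailiwick name server, so it needs glue
GLUE_ADDR, CHILD_ADDR = "192.0.2.1", "198.51.100.1"


@dataclass
class RRset:
    rdata: tuple
    trust: int
    expires: int                        # absolute time on a simulated clock (seconds)


class Cache:
    def __init__(self, strict_credibility):
        # strict: only strictly more credible data may replace cached data (">").
        # lax: equally credible data may replace it too (">="), refreshing its TTL.
        self.strict = strict_credibility
        self.rr = {}

    def store(self, name, rtype, rdata, trust, ttl, now):
        key = (name.lower(), rtype)
        cur = self.rr.get(key)
        if cur is not None and cur.expires > now:
            blocked = trust <= cur.trust if self.strict else trust < cur.trust
            if blocked:
                return False            # cached data wins and keeps its old expiry
        self.rr[key] = RRset(tuple(rdata), trust, now + ttl)
        return True

    def get(self, name, rtype, now):
        key = (name.lower(), rtype)
        cur = self.rr.get(key)
        if cur is None or cur.expires <= now:
            self.rr.pop(key, None)
            return None
        return cur

    def purge_subtree(self, apex):
        """Drop the apex and every cached name below it (NS, glue A/AAAA, anything else)."""
        apex = apex.lower()
        for key in [k for k in self.rr if k[0] == apex or k[0].endswith("." + apex)]:
            del self.rr[key]

    def live_names_under(self, apex, now):
        apex = apex.lower()
        keys = [k for k in list(self.rr) if k[0] == apex or k[0].endswith("." + apex)]
        return sorted({k[0] for k in keys if self.get(k[0], k[1], now) is not None})


class Resolver:
    def __init__(self, strict_credibility, purge_on_revalidation):
        self.cache = Cache(strict_credibility)
        self.purge = purge_on_revalidation
        self.parent_delegates = True    # flips to False when the parent removes the NS

    def ask_child(self, qname, now, ns_ttl):
        """Attacker-run authoritative server: answers any name, and its authority and
        additional sections always carry the apex NS RRset and glue with a fresh TTL."""
        self.cache.store(qname, "A", (CHILD_ADDR,), ANSWER_AUTH, 3600, now)
        self.cache.store(ZONE, "NS", (NS_NAME,), AUTHORITY_AUTH, ns_ttl, now)
        self.cache.store(NS_NAME, "A", (GLUE_ADDR,), GLUE, ns_ttl, now)
        return CHILD_ADDR

    def resolve(self, qname, now, ns_ttl=100):
        if self.cache.get(ZONE, "NS", now) is None:
            # No usable delegation cached: (re)validate it at the parent.
            if not self.parent_delegates:
                if self.purge:
                    self.cache.purge_subtree(ZONE)
                return "NXDOMAIN"
            self.cache.store(ZONE, "NS", (NS_NAME,), AUTHORITY_REFERRAL, ns_ttl, now)
            self.cache.store(NS_NAME, "A", (GLUE_ADDR,), GLUE, ns_ttl, now)
        return self.ask_child(qname, now, ns_ttl)


def run_scenario(strict_credibility, purge_on_revalidation, ns_ttl=100):
    """Parent deletes the delegation right after a normal lookup; the attacker then
    queries a fresh name every 90 s, inside the 100 s NS TTL.  Returns what the
    cache still believes about the zone at t=300."""
    r = Resolver(strict_credibility, purge_on_revalidation)
    r.resolve("www." + ZONE, 0, ns_ttl)
    r.parent_delegates = False
    for t in (90, 180, 270):
        r.resolve(f"a{t}." + ZONE, t, ns_ttl)
    return {"ghost_alive": r.cache.get(ZONE, "NS", 300) is not None,
            "names_left": r.cache.live_names_under(ZONE, 300)}


if __name__ == "__main__":
    for strict in (False, True):
        for purge in (False, True):
            print(f"credibility {'>' if strict else '>='}, purge={purge}:",
                  run_scenario(strict, purge))
```

Running it shows the two effects separately: with the lax ">=" rule the child's refreshes keep the NS RRset (and glue) alive indefinitely, so parent-side revalidation never has a chance to run, with or without the purge; with the strict ">" rule the NS RRset expires on schedule and the next lookup goes to the parent, and only the purge on that revalidation also removes the glue and other names that were cached under the apex.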