IETF Logo Mail Archive

Re: [dnsext] Review of draft-ietf-dnsext-rfc1995bis-ixfr-00.txt (from Knot DNS team)

Matthijs Mekking <matthijs@nlnetlabs.nl> Thu, 19 April 2012 07:54 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3603321F84EC; Thu, 19 Apr 2012 00:54:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1334822052; bh=uMRwF3Qf3Xyj0kaM8OC+6rGaMi1OgEkz8AEymDqepC8=; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=JoTfbpHN751S3eMZc+MWr0L9OzSQy/08y5Z0EGWp8UeiUv3+VGAMUdUJ1rLQoreLw g8uO8j0zkCoh7+aHfQ0VAlNvvy7d7WkESnpTpfLr0By2AJrxKPw+ozCRo/5D/N9de7 Mk9RKqwjJ3OZPjQuqj8JWrSfeTNA1qEeazYXxpDk=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBB0321F84EC for <dnsext@ietfa.amsl.com>; Thu, 19 Apr 2012 00:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.413
X-Spam-Level:
X-Spam-Status: No, score=-102.413 tagged_above=-999 required=5 tests=[AWL=-0.113, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oq4ywrvNj6-D for <dnsext@ietfa.amsl.com>; Thu, 19 Apr 2012 00:54:05 -0700 (PDT)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 273A121F8498 for <dnsext@ietf.org>; Thu, 19 Apr 2012 00:54:04 -0700 (PDT)
Received: from [IPv6:2001:7b8:206:1:219:d1ff:feb1:85e8] (zoidberg.nlnetlabs.nl [IPv6:2001:7b8:206:1:219:d1ff:feb1:85e8]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.4/8.14.4) with ESMTP id q3J7rxZk075421; Thu, 19 Apr 2012 09:54:00 +0200 (CEST) (envelope-from matthijs@nlnetlabs.nl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1334822043; bh=VNzdMX69/YykXeW43LKcJzBi/akShcA5u7hXIs73024=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=BLVBENRt2kwTQOcBrL0KxtT7Q8w8K5T0mDZjqkdFD/HLq53Gc0vvSb8DQqvwDMUD3 nHBxONu71MRP/cod5R66XgTV2nevDVaj11648GxY8h/6jbDPpGcNfYJlnKNlhKYxBE yEPNnwM19OcL9p2wz4fywZ66WM7hPLh1CxZdbEVU=
Message-ID: <4F8FC497.3030106@nlnetlabs.nl>
Date: Thu, 19 Apr 2012 09:53:59 +0200
From: Matthijs Mekking <matthijs@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: Alfred � <ah@TR-Sys.de>
References: <201204181900.VAA29701@TR-Sys.de>
In-Reply-To: <201204181900.VAA29701@TR-Sys.de>
X-Enigmail-Version: 1.4a1pre
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Thu, 19 Apr 2012 09:54:00 +0200 (CEST)
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Review of draft-ietf-dnsext-rfc1995bis-ixfr-00.txt (from Knot DNS team)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/18/2012 09:00 PM, Alfred � wrote:
...
>> 3) Section 2, last paragraph - why has to RRSIG(SOA) [to] follow 
>> the SOA in the AXFR-fallback example?
> 
> Actually, there's no "MUST" requirement, but it is good practice in
> AXFR implementations to group RRsets together in AXFR responses, 
> and, according to the base DNSSEC specs, the RRSIG(SOA)
> conceptionally is part of the SOA RRset (except in the context of a
> query for RRSIG, which does not apply here).  However, server
> implementations have found it convenient to send RRsets as
> contiguous groups within AXFR responses (because of the manner they
> are stored, for grouped inclusion in ordinary DNS responses);
> similarly, for clients that choose to perform detailed plausibility
> checks of received zone content before serving a new version of the
> zone data, checking of consistency likely will comprise a check for
> equality of TTL values within RRsets (Section 5.2 of RFC 2181), and
> maybe even RRSIG verification, it is beneficial to receive the RRs
> of RRsets grouped together (so that common DRAM cache replacement
> algorithms make it much more likely to find the related RRs in the
> most high-speed memeory comonents present in the system, and hence
> processing will be much faster).  Since IXFR is all about speed and
> optimization of the zone synchronization process, such server
> behavior is very desirable in IXFR implementations as well.
> 
> Taking this into account, I have tentatively modified the draft 
> text to now say:
> 
> "In contrast, in the case of fallback to AXFR, the IXFR response 
> would typically convey, in order:" ^^^^^^^^^^^
> 
> But if implementers do strongly prefer to have IXFR clients find 
> RRsets grouped together, or at leaest to have the RRSIG(SOA) RRs 
> always be placed at the beginning (in the case of IXFR fallback to
> AXFR), we could make the RR order shown in the draft mandatory 
> (SHOULD or MUST) for IXFR servers.
> 
> Opinions from other implementers?

OpenDNSSEC 1.4.0a1 does indeed now transfer the zone in the order such
that signatures follow the corresponding RRsets immediately. However,
due to a change in the way we store the data in the backup files, that
might change into first send all the RRsets, followed by all NSEC(3)s
and finally all RRSIGs, because that's the order they are stored.

You argue that this is disadvantageous for the IXFR client, but that
is depending on the implementation I guess. In our case, it would be
beneficial for the IXFR server to do otherwise. So at least, I would
disagree with making the RR order more mandatory.

Best regards,
  Matthijs

>> 4) Section 6.2 - missing RFC2119 language; shoulds and mays are
>> small caps, is that intentional?
> 
> The server's purging behavior is difficult to test externally. It
> is strongly recommended to use RFC 2119 terms sparingly and only in
> cases where the behavior is needed for interoperability and can be
> tested by observing externally visible behavior.
> 
> The mandatory rules on "fallback to AXFR" IMO are sufficient to 
> ensure interoperability, and IXFR-ONLY is dedicated to address 
> efficiency issues that plague deployments in specific
> circumstances, so the details of IXFR server purging behavior seem
> to be local to implementations, subject to implementation-specific
> resource management strategies and resource restrictions, and hence
> out of the bailiwick of RFC 2119.  ( :-) )
> 
> However, if the WG feels strong about having more detailed, yet 
> testable, requirements regarding the purging and condensation 
> strategy of IXFR servers (Sections 6.2 and 6.3 of the I-D), the
> draft of course can be modified accordingly.
> 
> 
>> 
>> 5) And today new question have arrised: "What should IXFR client
>> do if it receives incomplete multichunked IXFR response?" A)
>> discard whole transfer and start over; B) save usable chunks
>> (e.g. use data to update zone from sn_o to sn_o+x, where sn_o+x <
>> sn_n)
> 
> Section 7.1 already is explicit in saying that an IXFR client
> "MAY" follow strategy B).  In particular, the draft says:
> 
> |7.  Client Behavior | |  [...] | |7.1.  Zone Integrity | |  The
> elaborations on Zone Integrity for AXFR in Section 6 of RFC 5936 |
> [RFC5936] apply in a similar fashion for IXFR. | |  However, during
> the receipt of an incremental IXFR response, and upon |  successful
> processing of an SOA RR that serves as a sentinel for the |  end of
> any change information chunk, an IXFR client MAY immediately |
> apply and commit to stable storage the SOA serial number change |
> described by that chunk (and previous chunks, if not already
> done). |  This operation MUST externally appear as an atomar
> operation. | |  [...]
> 
> Please revisit the full text in Section 7.1 for the detailed 
> considerations and tell us whether that is sufficient.
> 
>> 
>> Ondrej on behalf of Lubos
>> 
>> P.S.: Our Knot DNS team (different people than one of the authors
>> of this document) will do a full review in WGLC.
> 
> Thanks in advance!
> 
> I hope that the chairs will proceed to issue WGLC on the upcoming 
> next draft version; experience has show that this is a strong 
> incentive for the WG to take a closer look at the document and 
> commenting on it.
> 
>> ... <snip>  {original draft announcement}  </snip>
> 
> 
> Kind regards, Alfred.
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPj8SWAAoJEA8yVCPsQCW5LYoIAK4OhT010si9+fBGzn8Rh4kd
GYg5JRb+m2jswA/XfpktRrhWDWjea9xCXdh6QvZRQeHn/cPRQ0xw2XLHdFXKU5GT
zHjXboYWNZTRnh1mDJdkGwLD5oYv0aOSAVMEeTnasDlmgR6St3IqIIQSlKZoeCS2
zThrdERTprzDjmjlcmZJZMc8h6pM2vQ7cpa5f98wATabBkwFIcu/9KZjbAfpUVbF
4RZu3HW4Wv75QjipXrMhtQVyaU2iNWznAvfXs4OOoIZwss7tcyoBz+cCMUXYxLKR
JZLc2/l0+o3Cw/XBHXivF7XwrUtEsELYmW8SkLk+pLQRDBv2nUo0jsAVWC8dCTE=
=b94B
-----END PGP SIGNATURE-----
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email