IETF Logo Mail Archive

Re: [dnsext] perhaps we should reintroduce "resimprove"

"Blacka, David" <davidb@verisign.com> Mon, 13 February 2012 18:59 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7E0621F8671; Mon, 13 Feb 2012 10:59:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1329159577; bh=QRS47QFhi20e9xNTNiPaYkor7OZXpiWZRSc7lopT9Lo=; h=From:To:Date:Message-ID:References:In-Reply-To:Content-ID: MIME-Version:Cc:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:Content-Type: Content-Transfer-Encoding:Sender; b=x87KFuKO45gCkSOd+LYA26ZWCk26ul6qLPaAlDt1/LxFn/bbvKFf+Dx8/ZsZ6ji3K 4uCxCi3FDgGcHKPXeJ5NYlppwmFlGIkZQ2bIdgo9orBCYyxG5omvKOIDStEDdj9/hz PLr80aXKHn1xw05z4kcS/isnPCv0SvCS44V7RCTw=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1AF521F850D for <dnsext@ietfa.amsl.com>; Mon, 13 Feb 2012 10:59:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.442
X-Spam-Level:
X-Spam-Status: No, score=-6.442 tagged_above=-999 required=5 tests=[AWL=-0.158, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jr1KtgIMDtxD for <dnsext@ietfa.amsl.com>; Mon, 13 Feb 2012 10:59:35 -0800 (PST)
Received: from exprod6og110.obsmtp.com (exprod6og110.obsmtp.com [64.18.1.25]) by ietfa.amsl.com (Postfix) with ESMTP id 61C8721F86B9 for <dnsext@ietf.org>; Mon, 13 Feb 2012 10:59:34 -0800 (PST)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob110.postini.com ([64.18.5.12]) with SMTP ID DSNKTzldleFj05VPDev4sEKcXoZFf1wEfgNg@postini.com; Mon, 13 Feb 2012 10:59:35 PST
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id q1DIxTG7029531; Mon, 13 Feb 2012 13:59:29 -0500
Received: from dul1wnexcn04.vcorp.ad.vrsn.com ([10.170.12.139]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 13 Feb 2012 13:59:29 -0500
Received: from BRN1WNEXCAS01.vcorp.ad.vrsn.com ([10.173.152.205]) by dul1wnexcn04.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 13 Feb 2012 13:59:28 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0247.003; Mon, 13 Feb 2012 13:59:27 -0500
From: "Blacka, David" <davidb@verisign.com>
To: Olafur Gudmundsson <ogud@ogud.com>
Thread-Topic: [dnsext] perhaps we should reintroduce "resimprove"
Thread-Index: AQHM59A5eDlRDuocp0+Gh3hClcI8pJY2LeqAgABmLgCAAAmsgIAARc0AgAAvrwCABFf9AIAAHCuA
Date: Mon, 13 Feb 2012 18:59:27 +0000
Message-ID: <09D5B1C3-8A61-438B-94F1-B948D2A83706@verisign.com>
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl> <4F353676.6090702@ogud.com> <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu> <4F357920.2000008@ogud.com> <6EEB712F-42B8-4318-ABAD-C11A94F61CC6@verisign.com> <4F3945EE.6070008@ogud.com>
In-Reply-To: <4F3945EE.6070008@ogud.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-ID: <0CF9BDD90524C446BAE0B8062D4F85C5@verisign.com>
MIME-Version: 1.0
X-OriginalArrivalTime: 13 Feb 2012 18:59:28.0433 (UTC) FILETIME=[9C81BA10:01CCEA81]
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Feb 13, 2012, at 12:18 PM, Olafur Gudmundsson wrote:

> <still no-hat>
>> 
>>> TTL stretching was a REAL BAD idea, and must be stamped out.
>> 
>> What do you mean by "TTL stretching"?  Are you inventing new DNS terms?
>> 
> Well I have been using this for a while, and I do recall where the definition originated. The issue this term is describing:

Did you mean "I don't recall"?

> When a resolver sees an RRset in an response, that it has in its cache,
> it compares the RRset's and if identical it updates the TTL to reflect the RRset in the response.

OK.  I agree this is a bad idea.  Although, in various implementation's defense, *why* it is a bad idea isn't necessarily obvious.  If you are thinking about improving the cache efficiency of your implementation, and not thinking about "cache pinning" problems, TTL stretching seems like a good idea.

>>>> But changing "replace" with "replace-with-min-ttl" means you're conservative on timeout in the case of disagreement between old and new.
>>> 
>>> I prefer that resolver perform Delete rather than this, that forces the resolver to reevaluate the delegation.
>> 
>> So, every time a zone operator modifies the apex NS RRset, resolvers around the world instantly (as they query the zone for positive answers) invalidate the cached NSs and go back to the parent.  That seems like suboptimal behavior to me.
> 
> I wish you would not use the word: optimal
> as that is setting a value judgment without explicitly saying what you are optimizing.
> In the past trying to do the optimal (packet count) thing vs the safest thing has got us in problems and I do not want to see that again.

In the past, doing overly aggressive things have caused serious problem, too.  My concern with the use of "Delete" it that is has the potential for creating packet storms when a busy zone changes its apex NS RRset.

> What happens depends both on the behavior of the resolver and the authoritative server that is asked.
> For example if the authoritative server is using Minimal-answer (i.e. no authority section on positive answers).
> Then the resolver does not see a new version of the NS set and is denied the opportunity to following ``optimizations''
> 	- discover that the NS set has changed
> 	- Stretch the TTL on the NS set

Sure, minimal-answer does solve a set of problems, but I don't understand the consequences of widespread use of that feature.

>>> In the case of resolver that does "Fetch NS" upon seeing the referral and adheres to RFC2181 credibility rules, it will always ignore NS set in authority section.
>> 
>> Fair enough, but why do I have to do that extra query in order to solve this problem?
> 
> Again here you are using value judgment as what is better:
> 	fewer queries vs safety

No, I'm suggesting that both are important.

> If all resolvers in 2007 had implemented "Fetch NS" and applied credibility rules Kaminsky attack would never have become an issue.
> 
> Similarly when authoritative severs use minimal answers the resolver only has the parent side NS set, what should the resolver do?
> keep the parent side NS or lookup the Childs NS set.

I don't know what they "should" do.  I suspect they keep the parent side NS, as that it what the resolution algorithm will naturally lead.

>>> If a zone wants changes to propagate quickly it should use a smaller TTL. Resolvers should implement a MAX TTL both to purge old data faster, and to adopt faster to changes.
>> 
>> Agreed.  However, I don't think there is any advice what a good max TTL value should be.  2 days? 7 days?
>> 
> 
> Personally I think 1 day if a fine upper bound.

What??? And disenfranchise the millions of 2 day TTLs??

>>> Do you want everyone that has a parent with 600-3600 TTL on parent side NS records to force that policy on all their children?
>> 
>> I don't, at least.  I'd like to preserve as much of the current DNS behavior here as we can (thus, I really don't like the bailiwick rule that the paper authors recommend, since it will force all zones to be parent-centric, which is a major change to current behavior.)
>> 
>> I would think that if the rule was:
>> 
>> Credibility>
>>    Replace, update TTL
>> Credibility ==
>>    Replace, keeping existing TTL
>> 
>> then you would get the desired behavior.  That is, the first NS RRset from the child would update the RRset as normal, allowing the child to have a different NS RRset and whatever TTL they choose.  And when the child changes their NS RRset, it propagates at the same speed it does today (faster than the TTL expiration).  But the resolver will always revaluate the parent delegation after at most 2 TTL intervals.
>> 
> 
> Of the two alternatives, I like "Fetch NS" much better than the logic above.

Why?  I'll admit to not really understanding exactly what "Fetch NS" entails.  When does the resolver decide to issue the NS queries?

> Having said that I also like "Minimal answers" for authoritative servers as that forces resolvers to act more predictably :-)

Clearly, you think that the current DNS behavior of returning the apex NS RRset in the authority section provides no value.  My position is that I don't know that it doesn't, and thus would not like to throw that protocol feature away unnecessarily.

--
David Blacka                          <davidb@verisign.com> 
Principal               Verisign Infrastructure Engineering




_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email