IETF Logo Mail Archive

Re: [dnsext] perhaps we should reintroduce "resimprove"

"Blacka, David" <davidb@verisign.com> Fri, 10 February 2012 22:58 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C11521F8527; Fri, 10 Feb 2012 14:58:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328914731; bh=lWImp2FJ4+Tbo1reemf37usA+uJLG79zWI8WsttmhF8=; h=From:To:Date:Message-ID:References:In-Reply-To:MIME-Version:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Sender; b=B+Amo+ATg9rRKg/ujEuFAofl+gLZtKYP3+7qQ9LrJ8jN47K+apEbU69O+0djdTsdV irI4THkYlZSq0iOlYOk5InrNh7Payz1gnBM0htHoSKUpOLOHw9mD69Ce5UIuCnWJh9 Ql7eqbs1FktwkWztLxMtzNzNArMuI9YzRdaUwoTY=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A38121F8522 for <dnsext@ietfa.amsl.com>; Fri, 10 Feb 2012 14:58:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ksrmxEpZIxWP for <dnsext@ietfa.amsl.com>; Fri, 10 Feb 2012 14:58:48 -0800 (PST)
Received: from exprod6og106.obsmtp.com (exprod6og106.obsmtp.com [64.18.1.191]) by ietfa.amsl.com (Postfix) with ESMTP id A6DF921F8527 for <dnsext@ietf.org>; Fri, 10 Feb 2012 14:58:45 -0800 (PST)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob106.postini.com ([64.18.5.12]) with SMTP ID DSNKTzWhJGScdOD4MyxkYyjhW8kvHplLUUG9@postini.com; Fri, 10 Feb 2012 14:58:47 PST
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id q1AMwfuG022569; Fri, 10 Feb 2012 17:58:41 -0500
Received: from dul1wnexcn04.vcorp.ad.vrsn.com ([10.170.12.139]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 10 Feb 2012 17:58:42 -0500
Received: from BRN1WNEXCAS02.vcorp.ad.vrsn.com ([10.173.152.206]) by dul1wnexcn04.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 10 Feb 2012 17:58:41 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0247.003; Fri, 10 Feb 2012 17:58:40 -0500
From: "Blacka, David" <davidb@verisign.com>
To: Olafur Gudmundsson <ogud@ogud.com>
Thread-Topic: [dnsext] perhaps we should reintroduce "resimprove"
Thread-Index: AQHM59A5eDlRDuocp0+Gh3hClcI8pJY2LeqAgABmLgCAAAmsgIAARc0AgAAvrwA=
Date: Fri, 10 Feb 2012 22:58:40 +0000
Message-ID: <6EEB712F-42B8-4318-ABAD-C11A94F61CC6@verisign.com>
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl> <4F353676.6090702@ogud.com> <161E2DAB-4355-4ED8-826A-6C5A0F74CE52@icsi.berkeley.edu> <4F357920.2000008@ogud.com>
In-Reply-To: <4F357920.2000008@ogud.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
MIME-Version: 1.0
X-OriginalArrivalTime: 10 Feb 2012 22:58:41.0249 (UTC) FILETIME=[88366510:01CCE847]
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============4176301783086953973=="
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Feb 10, 2012, at 3:08 PM, Olafur Gudmundsson wrote:
>> 
>> 
>> The problem with ghosted domains is not changing the NS RRSET, its that changing the NS RRSET is also resetting the TTL.  Yet given "Newer vs older data of the same credibility", isn't newer more meaningful (apart from the stickyness problem)?
>> 
> TTL stretching was a REAL BAD idea, and must be stamped out.

What do you mean by "TTL stretching"?  Are you inventing new DNS terms?

> 
>> But changing "replace" with "replace-with-min-ttl" means you're conservative on timeout in the case of disagreement between old and new.
> 
> I prefer that resolver perform Delete rather than this, that forces the resolver to reevaluate the delegation.

So, every time a zone operator modifies the apex NS RRset, resolvers around the world instantly (as they query the zone for positive answers) invalidate the cached NSs and go back to the parent.  That seems like suboptimal behavior to me.

> In the case of resolver that does "Fetch NS" upon seeing the referral and adheres to RFC2181 credibility rules, it will always ignore NS set in authority section.

Fair enough, but why do I have to do that extra query in order to solve this problem?

> If a zone wants changes to propagate quickly it should use a smaller TTL. Resolvers should implement a MAX TTL both to purge old data faster, and to adopt faster to changes.

Agreed.  However, I don't think there is any advice what a good max TTL value should be.  2 days? 7 days?

>> And overall, I think replace-with-min-TTL should be standardized. Because even "Credibility>  replace" can have a problem:  The parent wants a deliberate shorter TTL for the NS set, but the child can override it.
>> 
>> For example, .com wants a 2 day TTL, but the child overrides it with a 7 day TTL, which still gives a 7-day 'no-revocation' window for any preseeded domains.  This could be even worse for various dynamic DNS services which allow delegation.
>> 
>> 
> well in the case of TLD's the TTL on referrals ranges from 600 (10min) to 345600 (4 days)  with 1 day as the median value and most common one.
> Based on a sample of 180 google.<TLD> domains out of 310 TLD's.
> 
> Do you want everyone that has a parent with 600-3600 TTL on parent side NS records to force that policy on all their children?

I don't, at least.  I'd like to preserve as much of the current DNS behavior here as we can (thus, I really don't like the bailiwick rule that the paper authors recommend, since it will force all zones to be parent-centric, which is a major change to current behavior.)

I would think that if the rule was:

Credibility >
   Replace, update TTL
Credibility ==
   Replace, keeping existing TTL

then you would get the desired behavior.  That is, the first NS RRset from the child would update the RRset as normal, allowing the child to have a different NS RRset and whatever TTL they choose.  And when the child changes their NS RRset, it propagates at the same speed it does today (faster than the TTL expiration).  But the resolver will always revaluate the parent delegation after at most 2 TTL intervals.

--
David Blacka                          <davidb@verisign.com> 
Principal               Verisign Infrastructure Engineering





_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email