[dns-operations] resimprove and Re: DNS Flush Protocol

Edward Lewis edward.lewis at icann.org
Thu Apr 2 14:38:13 UTC 2015

On 3/31/15, 13:49, "Paul Vixie" <paul at redbarn.org> wrote:

> the descendant's apex NS TTL has a higher credibility.

A nit - RFC 2181 uses trustworthiness, not credibility.  I had to "fix"
that in my discussions on the topic.  (Trying to stem terminology creep.)

>if you have an alternative in mind that uses some other existing
>transaction (like the delegation's TTL) then it could scale to the size
>of the current and future internet, and in that case i'd like to hear
>your thoughts.

I wouldn't propose such an alternative.  I don't think building on an
'existing transaction' will stand the test of time.

In brief, twisting a unused element of the protocol is something I'd be
cautious about.  (Such approaches have been tried before.)  Examples of
this have been round-robin ordering of records in a response, the 0x20
approach to reduce forgery of messages.  Sometimes this gets burned into
implementation and bites us later (round robin) and sometimes it doesn't
prove powerful enough (0x20).  I've not done comprehensive work on this
point, so, this is more feeling than proof.  The TTL of a record set is
meant to be an expectation of how long until it might change.  Using it
for other purposes triggers my ulcers.

The request to purge caches is not a function of the DNS protocol, it's a
function of the environment we operate in.  I don't see it needed in
private DNS set ups, and in other inter-networks there are controls to
reduce the need.  From this observation, I really wouldn't burn this into
the core protocol.  I prefer an external solution based on the
observations of how the Internet is put together(work /constantly/ in
progress) and on the observation that there's an apparent demand for a
control layer over the DNS.  (DNS 2.0 is Quixote's windmills, yes, there's
a more realistic chance of fixing the Internet's DNS environment.)

I don't think burning assumptions into the protocol about today's
situation and problems will benefit future situations.  That has backfired
before, it has made extending the protocol difficult.  (We seem to
increasingly assume that the global public Internet is the only use case
for DNS, which bothers me too.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4604 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150402/e220c8a3/attachment.bin>

More information about the dns-operations mailing list