<div dir="ltr"><div>Even if we get faster updates to the resolvers, I see two other issues:</div><div>- the clients will still hold DNS entries in their cache.</div><div>- registrars set a ttl of 1 or 2 days on the delegation NS and glue records, and don't give users any way to change that.</div><div><br></div>I have to wonder if the simplest and most effective solution is to recommend that the resolvers set:<div><br></div><div><div>max-ncache-ttl number;</div><div>max-cache-ttl number;</div></div><div>(for some number like say an hour or less?)</div><div><br></div><div>With all the pre-fetching and bogus queries, I wonder if the increase in traffic would really be significant or not. Is it possible to estimate or test?<br></div><div><br></div><div>This can be done today on resolvers, with no requirements for anything new, and no change to auth servers or clients (at least clients that respect the ttl, others cannot be helped no matter what we do on the DNS servers).</div><div><br></div><div class="gmail_extra"><div><div class="gmail_signature">-- <br>Bob Harold<br><br></div></div>
<br><div class="gmail_quote">On Fri, Mar 27, 2015 at 4:32 PM, Paul Vixie <span dir="ltr"><<a href="mailto:paul@redbarn.org" target="_blank">paul@redbarn.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
George Michaelson wrote:<br>
> OK. that's a good motivation. Nicely stated.<br>
><br>
> Models based on in-band proof(s) of possession might then in some<br>
> sense, be better. While I hate meta-protocol usage, since we don't<br>
> have a c&c channel that zone owners share with resolver owners, it<br>
> might be a tool in the locker.<br>
><br>
> How do you feel about state in the resolver to rendezvous on? Because<br>
> if we can do DNS 'query knocking' with held state, we can signal both<br>
> intentionality, and proof of possession. Obvious DoS risk of making a<br>
> resolver hold state but its probably no worse than the Amp Attack<br>
> risks.<br>
><br>
> Or if we have held-open session, then sequences of queries can be more<br>
> meaningful. I connect, I prove something doesn't exist with zero TTL,<br>
> I perform state change in the zone and re-query which shows you I<br>
> effected change for a prior query..<br>
<br>
</span>i put a fair amount of thought into this in 2002, and i could not come<br>
up with a scalable secure protocol, with either push or pull, with<br>
either subscriptions or registrations. therefore i decided that the only<br>
thing we could do is "hold up".<br>
<br>
in the "hold up" model, the TTLs of the above-the-zone-cut NS RRset<br>
(so, the delegation from the ancestor zone) would control a redelegation<br>
check in the caching resolver. essentially this NS RRset would be<br>
cached, and when it expires, then a subsequent iterative lookup (even if<br>
it was for an in-cache RRset) would cause the caching resolver to use<br>
the zone's closest unexpired ancestor as the "closest enclosing NS<br>
RRset", and to forward the query to that set of name servers. if those<br>
name servers answer with a delegation as they must previously have done,<br>
then the iterative lookup would be answered from cache, and the<br>
above-the-zone-cut NS RRset would be replaced in cache with the new one<br>
just refreshed. if on the other hand the NS RRset has changed (or is no<br>
longer present), then all cached data at or below that name would be<br>
purged, and the iterative lookup would be restarted without that cached<br>
data present.<br>
<br>
the idea here is that a 1-day TTL on all in-zone data would cause it to<br>
be retained for 1-day just as now, but, if there was a 1-hour (or<br>
10-minute) TTL on the ancestor's delegation NS RRset to this zone, then<br>
there would be a delegation refresh every hour (or every ten minutes, or<br>
whatever the TTL was set to) such that if the delegation was altered or<br>
removed, then all cached data received from the prior set of delegated<br>
servers, would be dropped.<br>
<br>
if combined with a registry TTL setting of ten minutes or 30 minutes or<br>
similar, this would allow for:<br>
<br>
1. rapid removal of criminal DNS content from all cooperating caches,<br>
upon DNS "takedown";<br>
2. rapid removal of incorrect DNS content from all cooperating caches,<br>
upon DNS "oops".<br>
<br>
the cost of these delegation refresh checks would be minimal compared to<br>
the incredible flood of garbage queries we see at all registry-level<br>
authority servers today. even if we doubled the number of valid queries,<br>
which is unlikely, it would still be noise compared to the invalid,<br>
endlessly-repeating queries.<br>
<br>
so, low pain, great gain, no security concerns other than predictable<br>
timeouts (which could be randomized, if kaminsky-style attacks are a<br>
concern), no privacy concerns, no loss of performance for cache "hot<br>
spots", no central registration or subscription or clearinghouse.<br>
<br>
years later (so, in 2010), i wrote this up as one of three similar<br>
improvements, here:<br>
<br>
<a href="http://datatracker.ietf.org/doc/draft-vixie-dnsext-resimprove/" target="_blank">http://datatracker.ietf.org/doc/draft-vixie-dnsext-resimprove/</a><br>
<br>
but, i think no one understood it, so it languished. (note, it's only 4<br>
pages long, so, an easy read.)<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Paul Vixie<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-jobs mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br>
</div></div></blockquote></div><br></div></div>
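<div>The two proposals in this exchange, Paul Vixie's "hold up" delegation refresh and Bob Harold's <code>max-cache-ttl</code> clamp, as a toy resolver simulation. This is an added example written for this page; it is not code from either poster, from BIND, or from draft-vixie-dnsext-resimprove. The zone names, TTLs, addresses, the single zone cut, and the <code>Auth</code>/<code>Resolver</code> classes are all constructed assumptions; time is a plain counter of seconds and the parent's servers are assumed always reachable.</div>

```python
"""Toy model of the "hold up" delegation refresh, with a max-cache-ttl clamp
as a second knob.  Added example for this thread; not code from BIND or from
either poster.  Zone names, TTLs, IPs and the Auth/Resolver classes are
constructed for illustration; time is a plain counter of seconds."""
from dataclasses import dataclass, field
from typing import Optional

CHILD = "bad.example."          # zone later taken down or re-delegated by the registry

@dataclass
class Auth:
    """Authoritative data the resolver can query (constructed).
    delegation: zone -> (NS RRset, TTL) as published by the parent zone
    zone_data:  owner -> (rdata, TTL) as served by the child's name servers
    Registry "takedown" and "oops" events are simulated by editing these."""
    delegation: dict
    zone_data: dict

@dataclass
class Entry:
    rdata: object
    expires: float

@dataclass
class Resolver:
    auth: Auth
    hold_up: bool = True                  # Vixie's model; False = classic caching
    max_cache_ttl: Optional[int] = None   # Bob's knob: cap every cached TTL
    now: float = 0.0
    ns_cache: dict = field(default_factory=dict)
    data_cache: dict = field(default_factory=dict)
    parent_queries: int = 0
    purges: int = 0

    def _ttl(self, ttl: int) -> int:
        return ttl if self.max_cache_ttl is None else min(ttl, self.max_cache_ttl)

    def _refresh_delegation(self, zone: str) -> Optional[frozenset]:
        """Re-ask the parent for the delegation NS RRset.  In hold-up mode a changed
        or missing RRset purges every cached RRset at or below the zone cut."""
        self.parent_queries += 1
        rec = self.auth.delegation.get(zone)
        new_ns = frozenset(rec[0]) if rec else None
        old = self.ns_cache.get(zone)
        if self.hold_up and old is not None and old.rdata != new_ns:
            self.purges += 1
            for name in [n for n in self.data_cache if n == zone or n.endswith("." + zone)]:
                del self.data_cache[name]
        if new_ns is None:
            self.ns_cache.pop(zone, None)
            return None
        self.ns_cache[zone] = Entry(new_ns, self.now + self._ttl(rec[1]))
        return new_ns

    def lookup(self, qname: str) -> Optional[str]:
        zone = CHILD                      # single zone cut in this toy model
        ns = self.ns_cache.get(zone)
        ns_valid = ns is not None and ns.expires > self.now
        cached = self.data_cache.get(qname)
        if cached is not None and cached.expires > self.now and (ns_valid or not self.hold_up):
            return cached.rdata           # classic resolvers never look at the delegation here
        if not ns_valid:
            if self._refresh_delegation(zone) is None:
                return None               # delegation gone: nothing below it is answerable
            cached = self.data_cache.get(qname)   # survives only if the delegation was unchanged
            if cached is not None and cached.expires > self.now:
                return cached.rdata
        rec = self.auth.zone_data.get(qname)      # iterate to the (current) child servers
        if rec is None:
            return None
        self.data_cache[qname] = Entry(rec[0], self.now + self._ttl(rec[1]))
        return rec[0]

def run_scenario(hold_up: bool, max_cache_ttl: Optional[int] = None,
                 redelegate: bool = False):
    """Five lookups of www.bad.example. around a registry event at t=300s.
    Returns (answers, resolver) so the query/purge counters can be inspected."""
    www = "www." + CHILD
    auth = Auth(
        delegation={CHILD: ({"ns1." + CHILD, "ns2." + CHILD}, 600)},  # 10-minute registry TTL
        zone_data={www: ("192.0.2.10", 86400)},                       # 1-day in-zone TTL
    )
    r = Resolver(auth, hold_up=hold_up, max_cache_ttl=max_cache_ttl)
    answers = []
    for t in (0, 300, 500, 700, 7200):
        r.now = t
        answers.append(r.lookup(www))
        if t == 300:                      # the event happens right after this lookup
            if redelegate:                # "oops": zone moved to other servers, new data
                auth.delegation[CHILD] = ({"ns9.other.example."}, 600)
                auth.zone_data[www] = ("198.51.100.7", 86400)
            else:                         # "takedown": delegation removed at the registry
                del auth.delegation[CHILD]
    return answers, r

if __name__ == "__main__":
    for args in ({"hold_up": True}, {"hold_up": False},
                 {"hold_up": False, "max_cache_ttl": 3600},
                 {"hold_up": True, "redelegate": True}):
        answers, r = run_scenario(**args)
        print(args, answers, "parent queries:", r.parent_queries, "purges:", r.purges)
```

<div>Running the scenarios side by side shows the trade-off the thread is about: the classic resolver keeps answering for the full one-day in-zone TTL after the delegation is removed or moved, the <code>max-cache-ttl</code> clamp bounds that to an hour at the price of refetching every RRset hourly, and the hold-up resolver drops (or replaces) the cached data at the first lookup after the ten-minute delegation TTL lapses, at the cost of one extra query to the parent per delegation TTL.</div>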