headers
George Barwood | 2 Jul 2009 17:49
Picon
Favicon

[dnsext] Clarification on RFC 2181

RFC 2181, section 5.4.1 makes it clear that the NS from a child is 
"more trustworthy" than a NS from the parent. I have some issues with this 
notion of "trust", since both parent and child must be trusted regardless. 
But leaving that aside, it seems that problems can arise if glue A records
expire before NS records.

Example:

example.com 432000 NS ns.example.com
ns.example.com 1000 A 1.2.3.4

Suppose a resolver has fetched these records from the child zone.
Now suppose that administrator changes the zone to

example.com 432000 NS ns1.example.com
ns1.example.com 1000 A 1.2.3.4

and updates the parent and child zone files.

When the original A record expires from the resolver cache, the original NS 
record will remain for some time, but there is no hope of resolving it. 
The resolver will go to the parent, and receive the new NS and A record, 
but since the child NS has priority by RFC 2181, the NS will not be replaced, 
and there will be a blackout until the original NS record expires.

Section 5.4 does state 
"The challenge for the server is to determine which of the data sets is
 correct, if one is, and retain that, while ignoring the other."

It seems to me that to avoid problems newly fetched data from the Parent
(Continue reading)

Permalink | Reply | 23 comments |
headers
Edward Lewis | 2 Jul 2009 18:20
Favicon

Re: [dnsext] Clarification on RFC 2181

At 16:49 +0100 7/2/09, George Barwood wrote:

>and updates the parent and child zone files.
You are confusing authoritative zones and the cache.

In RFC 1034, 4.3.2, take a note of step 2:

   2. Search the available zones for the zone which is the nearest
      ancestor to QNAME.  If such a zone is found, go to step 3,
      otherwise step 4.
And step 4:

   4. Start matching down in the cache.  If QNAME is found in the
      cache, copy all RRs attached to it that match QTYPE into the
      answer section.  If there was no delegation from
      authoritative data, look for the best one from the cache, and
      put it in the authority section.  Go to step 6.
The cache is not divided into zones, like the authoritative data is.  The significance is that the authoritative data is first divided by zone, then by "location" in the zone.  The cache is just a tree representing all else it has.  (The name with the NS set is not linked to the name in the NS set, owning the A record.)  And then there's the negative cache.  (This is why cache servers can't act like authorities.)

>When the original A record expires from the resolver cache, the original NS
>record will remain for some time, but there is no hope of resolving it.
There is hope.  There is always hope.  The server in question simply asks for the needed A (/address) record.

>The resolver will go to the parent, and receive the new NS and A record,
>but since the child NS has priority by RFC 2181, the NS will not be replaced,
>and there will be a blackout until the original NS record expires.
The NS is not replaced because you aren't asking for that.  You do use the A record to ask the query again.

>Section 5.4 does state
>"The challenge for the server is to determine which of the data sets is
> correct, if one is, and retain that, while ignoring the other."
>
>It seems to me that to avoid problems newly fetched data from the Parent
>should replace old child data, but this seems contrary to 5.4.1.
>
>So I'm feeling somewhat conflicted/confused - help!
>¶‹§²æìr¸›zǧu©ž²Æ zÚ'jg®Šiz»+z«ž²Ú)²'­~ŠàÂ+a¶
Permalink | Reply | 18 comments |
headers
Paul Vixie | 2 Jul 2009 18:18

Re: [dnsext] Clarification on RFC 2181

> From: "George Barwood" <george.barwood <at> blueyonder.co.uk>
> Date: Thu, 2 Jul 2009 16:49:03 +0100

> ..., it seems that problems can arise if glue A records expire before NS
> records.
> 
> Example:
> 
> example.com 432000 NS ns.example.com
> ns.example.com 1000 A 1.2.3.4
> 
> Suppose a resolver has fetched these records from the child zone.
> Now suppose that administrator changes the zone to
> 
> example.com 432000 NS ns1.example.com
> ns1.example.com 1000 A 1.2.3.4
> 
> and updates the parent and child zone files.
> 
> When the original A record expires from the resolver cache, the original
> NS record will remain for some time, but there is no hope of resolving
> it.  The resolver will go to the parent,

why?  the resolver already has a zone cut, it has no reason to iterate
through the parent until the zone cut (NS+A) in its cache expires.

>                                           and receive the new NS and A
> record, 

as above, it won't be receiving any such new NS+A until it has a reason
to iterate through the parent again, which means, until after the current
in-cache NS+A expires.

> but since the child NS has priority by RFC 2181, the NS will not
> be replaced, and there will be a blackout until the original NS record
> expires.
> 
> Section 5.4 does state 
> "The challenge for the server is to determine which of the data sets is
>  correct, if one is, and retain that, while ignoring the other."
> 
> It seems to me that to avoid problems newly fetched data from the Parent 
> should replace old child data, but this seems contrary to 5.4.1.
> 
> So I'm feeling somewhat conflicted/confused - help!

for this question to be sequitur, you'd have to assume that the recursive
server was going to periodically revalidate its cached delegation points.

--
to unsubscribe send a message to namedroppers-request <at> ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
Permalink | Reply | 1 comment |
headers
George Barwood | 2 Jul 2009 18:41
Picon
Favicon

Re: [dnsext] Clarification on RFC 2181

 
----- Original Message -----
Sent: Thursday, July 02, 2009 5:20 PM
Subject: Re: [dnsext] Clarification on RFC 2181

 
>>When the original A record expires from the resolver cache, the original NS
>>record will remain for some time, but there is no hope of resolving it.
 
> There is hope.  There is always hope.  The server in question simply asks for the needed A (/address) record.
 
I think you missed the point of the example:
 
ns.example.com 1000 A 1.2.3.4
 
no longer exists in any zone file. The new record is
 
ns1.example.com 1000 A 1.2.3.4
 
So asking for the old record will never succeed.
The old NS RRset is useless, no good, unstuck, hopeless, dead and buried.
 
Permalink | Reply | 16 comments |
headers
Edward Lewis | 2 Jul 2009 19:00
Favicon

Re: [dnsext] Clarification on RFC 2181

At 17:41 +0100 7/2/09, George Barwood wrote:

So asking for the old record will never succeed.
The old NS RRset is useless, no good, unstuck, hopeless, dead and buried.
 
The failure there is in the operations, not the protocol, for removing the old A record before caches have time to learn a new (NS) set.

Kind of like "Your car will allow you to steer into that tree.  Just don't do it."
-- --
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
Permalink | Reply | 1 comment |
headers
George Barwood | 2 Jul 2009 19:10
Picon
Favicon

Re: [dnsext] Clarification on RFC 2181


----- Original Message ----- 
From: "Paul Vixie" <vixie <at> isc.org>
To: <namedroppers <at> ops.ietf.org>
Sent: Thursday, July 02, 2009 5:18 PM
Subject: Re: [dnsext] Clarification on RFC 2181 


>> From: "George Barwood" <george.barwood <at> blueyonder.co.uk>
>> Date: Thu, 2 Jul 2009 16:49:03 +0100
> 
>> ..., it seems that problems can arise if glue A records expire before NS
>> records.
>> 
>> Example:
>> 
>> example.com 432000 NS ns.example.com
>> ns.example.com 1000 A 1.2.3.4
>> 
>> Suppose a resolver has fetched these records from the child zone.
>> Now suppose that administrator changes the zone to
>> 
>> example.com 432000 NS ns1.example.com
>> ns1.example.com 1000 A 1.2.3.4
>> 
>> and updates the parent and child zone files.
>> 
>> When the original A record expires from the resolver cache, the original
>> NS record will remain for some time, but there is no hope of resolving
>> it.  The resolver will go to the parent,
> 
> why?  the resolver already has a zone cut, it has no reason to iterate
> through the parent until the zone cut (NS+A) in its cache expires.

Because the A record has expired. The NS record ( TTL 432000 )
will expire later than the A record (TTL 1000 ), and that is a potential problem.

>>                                           and receive the new NS and A
>> record, 
> 
> as above, it won't be receiving any such new NS+A until it has a reason
> to iterate through the parent again, which means, until after the current
> in-cache NS+A expires.
> 
>> but since the child NS has priority by RFC 2181, the NS will not
>> be replaced, and there will be a blackout until the original NS record
>> expires.
>> 
>> Section 5.4 does state 
>> "The challenge for the server is to determine which of the data sets is
>>  correct, if one is, and retain that, while ignoring the other."
>> 
>> It seems to me that to avoid problems newly fetched data from the Parent 
>> should replace old child data, but this seems contrary to 5.4.1.
>> 
>> So I'm feeling somewhat conflicted/confused - help!
> 
> for this question to be sequitur, you'd have to assume that the recursive
> server was going to periodically revalidate its cached delegation points.
> 
> --
> to unsubscribe send a message to namedroppers-request <at> ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
>¶‹§²æìr¸›zǧu©ž²Æ zÚ'jg®Šiz»+z«ž²Ú)²'­~ŠàÂ+a¶°¢·nžË›±Êâmè§jȧ‚W¥Šwš²Ø^™ë,j­{[¡Üš­Èb½èm¶Ÿÿ¢›"z×è®åŠËlþv¦yÚ覗«
Permalink | Reply | 0 comments |
headers
Olafur Gudmundsson | 2 Jul 2009 20:08

Re: [dnsext] Clarification on RFC 2181


On Thu, 2 Jul 2009, George Barwood wrote:

> RFC 2181, section 5.4.1 makes it clear that the NS from a child is
> "more trustworthy" than a NS from the parent. I have some issues with this
> notion of "trust", since both parent and child must be trusted regardless.
> But leaving that aside, it seems that problems can arise if glue A records
> expire before NS records.
>
> Example:
>
> example.com 432000 NS ns.example.com
> ns.example.com 1000 A 1.2.3.4
>
> Suppose a resolver has fetched these records from the child zone.
> Now suppose that administrator changes the zone to
>
> example.com 432000 NS ns1.example.com
> ns1.example.com 1000 A 1.2.3.4
>
> and updates the parent and child zone files.

Operator error, there is nothing that the protocol can do to prevent
mistakes like this cause problems.

DNS has number of timing windows that have to be respected or
things cani/will go wrong, in this case:
ns.example.com should not have been removed until after all instances
of the prior NS set had expired from caches.

 	Olafur

--
to unsubscribe send a message to namedroppers-request <at> ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
Permalink | Reply | 1 comment |
headers
bert hubert | 2 Jul 2009 20:34
Picon

Re: [dnsext] Clarification on RFC 2181

On Thu, Jul 2, 2009 at 6:41 PM, George
Barwood<george.barwood <at> blueyonder.co.uk> wrote:
> So asking for the old record will never succeed.
> The old NS RRset is useless, no good, unstuck, hopeless, dead and buried.

You'll find that all 'heavy duty' resolvers have code to deal with
'useless rrsets' to make sure parents are (re-)consulted, but not too
often.

    Bert

--
to unsubscribe send a message to namedroppers-request <at> ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
Permalink | Reply | 13 comments |
headers
George Barwood | 2 Jul 2009 21:10
Picon
Favicon

Re: [dnsext] Clarification on RFC 2181

----- Original Message -----
 
> The failure there is in the operations, not the protocol, for removing the old A record before caches have time to learn a new (NS) set.
 
Well it's true that administrators can avoid the problem by being more careful.
But it's quite a subtle problem, so I think it's good ( more robust ) if caches
can continue to work in this situation. There may well be administrators
who are not sufficiently well informed to avoid the problem.
 
I agree with Section 5.4

"The challenge for the server is to determine which of the data sets is
 correct, if one is, and retain that, while ignoring the other."
 
I'm just not convinced the prescription given in 5.4.1 is the right way to achieve this.
 
It may very well be that my suggestion ( allowing newly fetched parent data to 
replace old child data ) has problems as well, but I haven't spotted any yet.
Please do say if you can see why this is a bad idea.
 


 
Permalink | Reply | 0 comments |
headers
Internet-Drafts | 2 Jul 2009 22:00
Picon
Favicon

I-D Action:draft-ietf-dnsext-dnsproxy-06.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS Extensions Working Group of the IETF.

	Title           : DNS Proxy Implementation Guidelines
	Author(s)       : R. Bellis
	Filename        : draft-ietf-dnsext-dnsproxy-06.txt
	Pages           : 14
	Date            : 2009-07-02

This document provides guidelines for the implementation of DNS
proxies, as found in broadband gateways and other similar network
devices.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnsproxy-06.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Attachment (draft-ietf-dnsext-dnsproxy-06.txt): message/external-body, 70 bytes
_______________________________________________
I-D-Announce mailing list
I-D-Announce <at> ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Permalink | Reply | 0 comments |

Gmane