Forwarded because it talks about
draft-bortzmeyer-dns-qname-minimisation
--- Begin Message ---
i'm not a member of the dns-privacy working group, so i'll say this
here, and i'll hope that stephane bortzmeyer will share it with the
dns-privacy working group and/or incorporate any ideas he finds useful
into his query minimization draft. i am speaking here in support of
query minimization.
---
Introduction
Quite aside from the privacy implications of using the full original
QNAME when iterating downward in the DNS graph toward an authoritative
node, there is at least one performance and at least one security
consideration. These other considerations are sufficient unto themselves
to motivate a change in iteration logic to a query minimization approach.
Performance
Because the NXDOMAIN signal refers to the QNAME, it is not possible in
optimistic iteration (as described by the DNS standard) wherein the full
QNAME is sent to successively closer enclosers of that QNAME, for any
higher order server to indicate that the NXDOMAIN indication occurred
within a specific bailiwick. Therefore if a root name server receives a
query stream from some full resolver for A.CORP followed by B.CORP
followed by C.CORP, the result will be three NXDOMAINs, since .CORP does
not exist in the root zone.
Under query minimization, the root name servers would hear only one
question (for .CORP itself) to which it could answer NXDOMAIN, thus
opening up a negative caching opportunity in which the full resolver
could know a priori that neither B.CORP nor C.CORP could exist. Thus in
this common case the total number of upstream queries under query
minimization would be counter-intuitively less than the number of
queries under optimistic iteration (as described in the DNS standard).
Security
Online criminals and infrastructure abusers sometimes create long-lived
records (e.g., WWW.BADGUY.COM, having a DNS TTL of 30 days) with the
intent that these records remain widely cached even after their
delegation (BADGUY.COM) suffers inevitable and irreversible take-down
outage. This is because under optimistic iteration (as specified by the
DNS standard), the only DNS TTL which controls the caching and reuse of
a record is that record's own DNS TTL.
Under query minimization, the DNS TTL of each delegation (NS RRset) from
the root zone to the QNAME's authority zone will be discovered and can
be used as an upper bound for the DNS TTL of that NS RRset, even if that
NS RRset is later replaced by the child's apex NS RRset (per cache data
ranking as described in RFC 2181 5.4.1). Query minimization would
require that any delegation NS RRset which expires from cache be
reacquired during a full resolver's query processing, even if the DNS
TTL of a matching in-cache record has not yet expired. Thus, if
BADGUY.COM suffers from a takedown outage, all descendants such as
WWW.BADGUY.COM will become non-reusable, no matter what the descendant
records' DNS TTLs were.
===
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
--- End Message ---
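The two effects described in the forwarded message, as an added example that is not part of the original post: a toy resolver run once with full-QNAME iteration and once with query minimisation over constructed zone data. The names, NS and record TTLs, the 3600-second negative-cache TTL and the 100000-second check time are assumptions chosen so that the BADGUY.COM delegation has expired from cache while the 30-day WWW.BADGUY.COM record has not.

```python
AUTH = {"": {"com": 172800}, "com": {"badguy.com": 86400}, "badguy.com": {}}  # zone -> {cut: NS TTL}
RRS = {"www.badguy.com": ("192.0.2.10", 30 * 86400)}  # constructed long-lived record, 30-day TTL

def ancestors(qname):  # zone cuts from the root down: '', 'com', 'badguy.com', ...
    labels = qname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels), -1, -1)]

def serve(zone, name):  # toy authoritative server for `zone`: referral, answer or NXDOMAIN
    rest = name[: -len(zone) - 1] if zone else name
    child = rest.split(".")[-1] + ("." + zone if zone else "")
    if child in AUTH[zone]:
        return ("REFERRAL", child, AUTH[zone][child])
    return ("ANSWER",) + RRS[name] if name in RRS else ("NXDOMAIN",)

class Resolver:
    def __init__(self, minimise):
        self.minimise, self.upstream = minimise, 0
        self.rr, self.neg, self.deleg = {}, {}, {}  # answers, NXDOMAINs, delegation NS RRsets
    def resolve(self, qname, now, neg_ttl=3600):
        if any(self.neg.get(n, 0) > now for n in ancestors(qname)):
            return "NXDOMAIN"                 # NXDOMAIN cached for the QNAME or an ancestor cut
        hit = self.rr.get(qname)
        if hit and hit[1] > now and not self.minimise:
            return hit[0]                     # full QNAME: only the record's own TTL governs reuse
        zone = ""
        for cut in ancestors(qname)[1:]:
            if self.deleg.get(cut, 0) > now:  # delegation NS RRset still in cache
                zone = cut
                continue
            if cut == qname and hit and hit[1] > now:
                return hit[0]                 # minimised: delegation chain re-validated, reuse record
            self.upstream += 1
            sent = cut if self.minimise else qname
            reply = serve(zone, sent)
            if reply[0] == "NXDOMAIN":
                self.neg[sent] = now + neg_ttl  # minimised: NXDOMAIN covers the whole cut (CORP)
                return "NXDOMAIN"
            if reply[0] == "ANSWER":
                self.rr[qname] = (reply[1], now + reply[2])
                return reply[1]
            self.deleg[reply[1]] = now + reply[2]
            zone = reply[1]

def scenario(minimise):  # returns (root queries for A/B/C.CORP, answer after the take-down)
    AUTH["com"]["badguy.com"] = 86400         # (re)install the BADGUY.COM delegation
    r = Resolver(minimise)
    for q in ("a.corp", "b.corp", "c.corp"): r.resolve(q, now=0)
    nx, _ = r.upstream, r.resolve("www.badguy.com", now=0)  # 30-day record enters the cache
    del AUTH["com"]["badguy.com"]             # BADGUY.COM delegation suffers take-down
    return nx, r.resolve("www.badguy.com", now=100_000)  # NS TTL expired, record TTL has not
```

`scenario(False)` spends three root queries and keeps serving the stale WWW.BADGUY.COM record; `scenario(True)` spends one and returns NXDOMAIN once the delegation can no longer be reacquired.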
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy