Hi Stéphane,

On 3/23/25 12:10, Stephane Bortzmeyer wrote:
> On Sun, Mar 23, 2025 at 04:05:29AM -0700, [email protected] <[email protected]> wrote a message of 36 lines which said:
>
> > Title: Synchronizing caches of DNS resolvers
> > Authors: Stéphane Bortzmeyer, Willem Toorop, Babak Farrokhi, Moin Rahman
> > Name: draft-bortzmeyer-dnsop-poisonlicious-00.txt
>
> This proposal, which comes from a project at the DNS hackathon last week-end, may be of interest for this group.

Indeed quite interesting. Some thoughts from a non-resolver person:

- I assume the transmission will contain the TTL as decremented in the sending peer's cache.

- A resolver might learn that a record is gone before the TTL expires, e.g., when it does prefetch and receives a negative response. For insecure zones, (how) do you imagine this to be shared? (Perhaps with TTL=0 and empty rdata?)

- Dynamic-DNS-style deletion could be imagined, too.

- Like Paul, I was also thinking of a long-lived IXFR-style stream. RRset deletions also need to be signaled, but SOA records used in IXFR are not available. (TTL=0 and empty rdata might work as well.) Perhaps finally a use for another CLASS!

- IXFR is relative to a zone. An optimized copy of it opens the possibility for (1) interested peers to subscribe for cache updates from another peer, (2) limited to certain parts of the tree, by sending a corresponding IXFR-style query. The query could also communicate other parameters (like min TTL of interest, or whether to include subzones). This allows the receiving peer to somewhat manage what's happening, depending on load and interest, rather than being indiscriminately flooded with everyone else's knowledge.

- As for Paul's suggestion of DNSSEC validation on the receiving side (outside a trusted set), I imagine that's somewhat expensive because records need to be collected before they can be sent. OTOH, maybe a push for RFC 7901 logic! ... but the issue seems explicitly out of scope of your draft.

- As for multicast over an encrypted channel, I'm not sure how that would work given that usually a Diffie-Hellman exchange or similar would be included (which is p2p-specific).

All to be taken as brainstorming, very bad ideas may be included.

Cheers,
Peter

--
https://desec.io/
