Linda, I think this idea has merit and is worth exploring (I had something like this in mind while brainstorming at the microphone at the recent DNS-OARC workshop).
I would suggest that it is not necessary to add a special message from the resolver to the authoritative server to indicate that it has cached information. We may be able to save a round trip by instead using an EDNS option in the question message, letting the authoritative server know that the resolver intends to cache the information and will be willing to clear the cache if the server asks it to. I don't think the authority server ever needs to actually send the new data, only to request that the resolvers remove entries from cache (including negative entries). The resolver can re-fetch records and cache them normally at that point. There are a lot of security considerations here. On the resolver side, there needs to be a way to insure that only the authoritative server can clear cache entries. I am not 100% sure, but I think that if a resolver saves the IP address that it got a given RR from, and requires either TCP or DNS cookies on the cache clearing message, that this will be prevented. On the authoritative side I think there are more concerns. First, there needs to be a way to prevent both reflection and amplification attacks. Again, I think TCP or DNS cookies is probably sufficient for this, and should be a requirement. Second, how can the authoritative server limit the amount of entries that it contains? For example, if an attacker has a /48 of IPv6 space, then how do we prevent that attacker from registering more and more synchronized resolvers, causing resource exhaustion on the authoritative server? A similar attack is possible for servers with lots of owner names (either by having large zones or lots of small zones). For example, an attacker who knows a lot of these names can request notification of each of those names, which will take a lot of state on the server, and also possibly create a huge number of outbound packets. This can possibly be avoided by either limiting the total number of notifies registered per resolver, or perhaps by making the notification per *server* rather than per RR (the second one will have a cost because it may mean removing a *lot* of records from a resolver cache). Finally, I think the guarantees need to be made explicit. We should not count on authoritative servers honoring the request for notification, either due to reboots or administrative preferences or other reasons. Interesting stuff! :) Cheers, -- Shane On Fri, 3 Jul 2015 10:14:50 +0800 wang.c...@zte.com.cn wrote: > Dear Suzanne & Tim, > > I have just submitted a new draft which tries to work out how to > synchronize the RRs information between resolvers and DNS servers. > The link is as follow and I would like to request a 5-min slot in > the upcoming f2f meeting. Would you please keep it in mind and try to > give me a chance to present it? > > ( > https://www.ietf.org/internet-drafts/draft-huang-dnsop-synchronization-resolver-server-00.txt > , 5 minutes, Linda Wang) > > Thanks very much:) > > Best Regards, > Linda Wang > > > internet-dra...@ietf.org 写于 2015-07-03 09:46:46: > > > internet-dra...@ietf.org > > 2015-07-03 09:46 > > > > 收件人 > > > > "Cui Wang" <wang.c...@zte.com.cn>, "Sunliang Huang" > > <huang.sunli...@zte.com.cn>, "Cui Wang" <wang.c...@zte.com.cn>, "Wei > > Meng" <meng.w...@zte.com.cn>, "Sunliang Huang" > > <huang.sunli...@zte.com.cn>, "Wei Meng" <meng.w...@zte.com.cn>, > > > > 抄送 > > > > 主题 > > > > New Version Notification for draft-huang-dnsop-synchronization- > > resolver-server-00.txt > > > > > > A new version of I-D, > draft-huang-dnsop-synchronization-resolver-server-00.txt > > has been successfully submitted by Cui Wang and posted to the > > IETF repository. > > > > Name: draft-huang-dnsop-synchronization-resolver-server > > Revision: 00 > > Title: Synchroniztion between resolvers and servers > > Document date: 2015-07-02 > > Group: Individual Submission > > Pages: 14 > > URL: https://www.ietf.org/internet-drafts/draft-huang- > > dnsop-synchronization-resolver-server-00.txt > > Status: https://datatracker.ietf.org/doc/draft-huang-dnsop- > > synchronization-resolver-server/ > > Htmlized: https://tools.ietf.org/html/draft-huang-dnsop- > > synchronization-resolver-server-00 > > > > > > Abstract: > > This document proposes how to synchronize the RRs in the resolvers > > along with the RRs in the authoritative servers when changes are > > occurred on the RRs in the authoritative servers. > > > > > > > > > > Please note that it may take a couple of minutes from the time of > submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > The IETF Secretariat > > > _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
