On 2/14/19 6:51 PM, Paul Vixie wrote:
i want the metadata i need to reach and trust assets on my side of any connectivity loss event, to be kept in warm storage, and made subject to trusted invalidation on an opportunistic basis, at the discretion of the authority operators who own the data i have warm copies of.
Please explain how "warm storage" relates to priming issues. Does warm mean that it's something you have queried? Or does it also include pertinent (meta)data for interesting things (but not everything) that you've not yet queried?
in practice this means DS/NS and DNSKEY/RRSIG and AAAA/A from my static trust anchor(s) down to any data i used recently or frequently (or by some other priority scheme), and i want it to look a bit like the single transaction mode of IXFR plus the single transaction mode of NOTIFY.no topology information as to actual connectivity will be modeled or estimated or needed. what matters is whether i can still reach all internet resources on my side of a break in connectivity (whether local or regional or distant), without needing any information that's otherwise only available on the far side of the connectivity break.
Does "still reach all internet resources on my side of the break" include things that you've not yet queried for?
I'm wondering if a fancier cache of some sort would suffice.Specifically I wonder if BIND (et al) can maintain a FIFO (like) list of QNAMEs, moving the current QNAME to the start of the list, and proactively refreshing the first 10 / 100 / 1000 / pick a number in such a way as to not alter the list position when refreshing.
This obviously has a priming problem as a QNAME won't be subject for refresh until /after/ it has been queried the first time. This is why I question your use of the word "warm".
Perhaps this can be implemented as part of the existing garbage collection process that remove expired cache entries. If the data to be purged is in the FIFO, then refresh it and cache the results without moving it to the head of the FIFO.
The other thing that I might add to this is something to artificially prime the cache by querying for specific names off of a user definable list.
How close would something like this be to what you're wanting to see?This would re-use existing mechanism and methodology. It wouldn't see changes in data until after cache expiration. But this is SoP for caches now.
thanks for asking; i am happy to clarify. DNS infrastructure should not be centralized, even if its content remains centrally coordinated by ICANN. (block chain people keep telling me that ICANN will be obsolete, but i'm not taking a position on that, only on data resiliency.)
-- Grant. . . . unix || die
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
