I reviewed draft-bortzmeyer-dnsop-poisonlicious-00 as I have an interest in being able to link DNS caches together.
The protocol is still a bit underspecified, and I have lots of concerns here.

For one, it talks about successful DNS resolution, where I think perhaps it should talk about "when it has data to place in its cache". In any case, this might be tricky in cases of very low TTL, e.g. TTL=0. I think it should perhaps only do this for TTL >= some value.

It talks about "data that it is sure of". I think it is important to consider two different use cases. One where the DNS caches are all under a single administrative domain. There you can perhaps trust each cache implicitly. But to me the more interesting case is where you link untrusted caches, e.g. in an "ntp pool" style agreement. There I think the "data that it is sure of" should really only be DNSSEC validated data (and glue) and not "AA data". And in that case the receiving DNS resolver should still validate the data given (and so perhaps the sender should send these with "chain data", e.g. all the data necessary to validate and resolve it from the root key). Note that TSIG/SIG0 would also not be very useful in the case of untrusted caches.

Nothing is said about using long lived TCP sessions, which it probably should do.

All in all, I am not yet sure if doing this via the DNS protocol is the right way, versus a database backend sync (e.g. redis/valkey). If it is, I wonder if we couldn't time this in batches and do a more IXFR style transfer, e.g. "all new cache data since XXXX".

Anyway, an interesting topic to explore. I hope we end up with something deployable :)

Paul
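The following is an added example, not code from the draft or from the poster, sketching the export policy the review above argues for: a sending resolver only pushes cache entries with a TTL above a minimum, pushes everything to a peer in the same administrative domain, but pushes only DNSSEC-validated data and glue (never AA-only data) to an untrusted peer, and does so in IXFR-style batches of "everything cached since the last watermark". The `CacheEntry` model, the `MIN_SHARE_TTL` value and the sample cache are assumptions constructed for the illustration; the receiving side's re-validation of what it is sent is not modelled here.

```python
"""Policy filter for sharing resolver cache entries with peer caches.

Assumed model (not from the draft): each cache entry records how it was
obtained, so the exporter can decide what a given peer may receive.
"""
from dataclasses import dataclass
from typing import List, Tuple

MIN_SHARE_TTL = 30  # assumed threshold; TTL=0 data is never worth pushing


@dataclass(frozen=True)
class CacheEntry:
    name: str
    rtype: str
    ttl: int                # remaining TTL in seconds
    rdata: Tuple[str, ...]
    validated: bool         # passed DNSSEC validation locally (AD)
    authoritative: bool     # learned from an AA answer, not validated
    is_glue: bool           # glue address learned from a referral
    inserted_at: float      # epoch seconds when the entry was cached


def shareable(entry: CacheEntry, peer_trusted: bool) -> bool:
    """Decide whether `entry` may be pushed to a peer cache.

    Trusted peer (same administrative domain): anything with a useful TTL.
    Untrusted peer (pool-style agreement): only DNSSEC-validated data or
    glue; AA-only data is withheld because the receiver cannot check it.
    """
    if entry.ttl < MIN_SHARE_TTL:
        return False
    if peer_trusted:
        return True
    return entry.validated or entry.is_glue


def export_batch(cache: List[CacheEntry], since: float,
                 peer_trusted: bool) -> Tuple[List[CacheEntry], float]:
    """IXFR-style export: return (entries cached after `since` that pass
    policy, sorted by insertion time) and the watermark for the next call."""
    batch = [e for e in cache
             if e.inserted_at > since and shareable(e, peer_trusted)]
    batch.sort(key=lambda e: e.inserted_at)
    watermark = max((e.inserted_at for e in cache), default=since)
    return batch, watermark


# Constructed sample cache for the illustration (not real data).
SAMPLE_CACHE = [
    CacheEntry("www.example.", "A", 3600, ("192.0.2.10",),
               validated=True, authoritative=False, is_glue=False,
               inserted_at=100.0),
    CacheEntry("ns1.example.", "A", 172800, ("192.0.2.1",),
               validated=False, authoritative=False, is_glue=True,
               inserted_at=101.0),
    CacheEntry("internal.corp.", "A", 300, ("10.0.0.5",),
               validated=False, authoritative=True, is_glue=False,
               inserted_at=102.0),
    CacheEntry("short.example.", "TXT", 0, ("v=spf1 -all",),
               validated=True, authoritative=False, is_glue=False,
               inserted_at=103.0),
]


if __name__ == "__main__":
    for trusted in (True, False):
        batch, mark = export_batch(SAMPLE_CACHE, since=0.0,
                                   peer_trusted=trusted)
        print("trusted" if trusted else "untrusted",
              [e.name for e in batch], "watermark", mark)
```

Running it shows the asymmetry the review describes: the trusted peer receives the validated, glue and AA-only entries, the untrusted peer receives only the validated answer and the glue, and the TTL=0 TXT record is pushed to nobody. A second call with `since` set to the returned watermark yields an empty batch until new data lands in the cache.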