Mark Andrews wrote on 2019-02-14 14:13:
...
the fact that i have to hotwire my RDNS cache with local zone glue in order to
reach my own servers when my comcast circuit is down or i can't currently reach
the .SU authorities to learn where VIX.SU is, should not only concern, but also
embarrass, all of us.
Having the local recursive server hold a copy of the local zones was
always part of DNS’s deployment model. Having authoritative servers not be
recursive servers is not the same as recursive servers not being
authoritative for some zones.
i didn't expect you to need the broader example. the narrow example
where i can't find my own zones is trivial. it's when i can't find other
services whose dns is authoritatively served within my isp or my region,
because even though i have connectivity within that isp or that region,
there is a political or physical connectivity break between that isp or
that region and the rest of the world, for example, the servers for
TLD's and 2LD's and 3LD's whose delegators are outside my connectivity.
One thing we missed when adding NOTIFY was adding a NOTIFY-ALSO RRset. In
named we work around this by having a also-notify clause in the zone’s
configuration clause.
that won't help. an authority server must have a protocol by which they
can, at their own discretion, opportunistically invalidate prior
answers, and which can be trusted by the RDNS servers hearing those
invalidation messages.
DNS RRsets need two TTLs. 1) refresh after, in case we need to update. 2) stop
believing this result after. With a little bit of EDNS negotiation both can be
transmitted in a response.
that won't help the case which is more common than connectivity splits,
which is where the old data has become harmful (key compromised, server
or network offline, emergency renumber or rehoming or rekeying required).
let's stop thinking of this as a root problem or a TLD problem. the
metadata an RDNS will need to reach and trust servers it can reach, may
be on the wrong side of a network partition. that includes the entire
NS/DS and DNSKEY/RRSIG chain, plus A/AAAA glue. we need partial zone
authority, like a mini-slave, where the RDNS has _subscribed_ to the
content it is keeping, and has a potential trust relationship with the
owner of that data. we can argue about whether it's like mini-IXFR in
which case it can answer authoritatively for the partial data it has
leased. but we should not be talking about second TTL's, or root-only
solutions like 7706.
vixie
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
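The exchange above argues about three mechanisms: a recursive server holding a full copy of local zones, a cache with two TTLs (refresh-after and stop-believing-after), and the lack of any authority-driven invalidation. The following toy resolver, added here as an illustration and not code from the thread or from any named implementation, models all three so the trade-offs can be stepped through. The names, addresses and the (rrset, refresh_ttl, expire_ttl) tuple returned by the fake authority are constructed assumptions; there is no such EDNS option in deployed DNS, and the addresses are RFC 5737 documentation space.

```python
"""Toy model of a recursive resolver with a locally held zone copy and a
two-TTL cache, walked through a rekey and a connectivity split.
Added example for the DNSOP thread above; not code from the thread."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

RRset = Tuple[str, ...]


@dataclass
class CacheEntry:
    rrset: RRset
    refresh_at: float  # TTL 1: try to re-fetch once this passes
    expire_at: float   # TTL 2: stop believing once this passes


class FakeClock:
    """Controllable clock so the scenario below is deterministic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class Upstream:
    """Stand-in for the authoritative side (constructed). Answers with
    (rrset, refresh_ttl, expire_ttl), the pair of TTLs the thread imagines
    being negotiated over EDNS; a real authority sends one TTL."""

    def __init__(self, records: Dict[str, Tuple[RRset, float, float]]) -> None:
        self.records = dict(records)
        self.reachable = True

    def query(self, name: str) -> Tuple[RRset, float, float]:
        if not self.reachable:
            raise TimeoutError(f"no route to authority for {name}")
        return self.records[name]


class Resolver:
    def __init__(self, upstream: Upstream, local_zones: Dict[str, RRset],
                 clock: Callable[[], float]) -> None:
        self.upstream = upstream
        self.local = dict(local_zones)  # zones this RDNS holds a full copy of
        self.cache: Dict[str, CacheEntry] = {}
        self.clock = clock

    def resolve(self, name: str) -> Tuple[RRset, str]:
        """Return (rrset, how), where `how` records which path answered."""
        now = self.clock()
        if name in self.local:
            return self.local[name], "local"  # no upstream needed at all
        entry = self.cache.get(name)
        if entry is not None and now < entry.refresh_at:
            return entry.rrset, "fresh"  # inside TTL 1: never re-asks, so no invalidation can reach us
        try:
            rrset, refresh_ttl, expire_ttl = self.upstream.query(name)
        except TimeoutError:
            if entry is not None and now < entry.expire_at:
                return entry.rrset, "stale"  # between TTL 1 and TTL 2 and authority unreachable
            raise  # past TTL 2: nothing trustworthy left to say
        self.cache[name] = CacheEntry(rrset, now + refresh_ttl, now + expire_ttl)
        return rrset, "refreshed"


def scenario() -> List[Tuple[float, str, str, RRset]]:
    """Walk the resolver through an emergency renumber, then a connectivity
    split. Names and addresses are constructed for the example."""
    clock = FakeClock()
    upstream = Upstream({"www.example.net.": (("A 192.0.2.10",), 60.0, 3600.0)})
    rdns = Resolver(upstream, {"ns.example.org.": ("A 192.0.2.53",)}, clock)
    log: List[Tuple[float, str, str, RRset]] = []

    def step(t: float, name: str) -> None:
        clock.now = t
        try:
            rrset, how = rdns.resolve(name)
        except TimeoutError:
            rrset, how = (), "servfail"
        log.append((t, name, how, rrset))

    step(0, "www.example.net.")  # cold cache: refreshed from the authority
    # emergency renumber at t=10: the authority changes the answer, but has no way to tell us
    upstream.records["www.example.net."] = (("A 192.0.2.20",), 60.0, 3600.0)
    step(30, "www.example.net.")  # still inside TTL 1: old address keeps being served
    step(90, "www.example.net.")  # past TTL 1: re-asks, picks up the new address
    upstream.reachable = False  # connectivity split at t=100
    step(200, "www.example.net.")  # past TTL 1, authority gone: stale answer served
    step(200, "ns.example.org.")  # locally held zone: answers regardless of the split
    step(200, "other.example.net.")  # never cached, authority gone: nothing to answer with
    step(4000, "www.example.net.")  # past TTL 2: stop believing, even though nothing replaced it
    return log
```

Reading the log from `scenario()` side by side with the thread: the "stale" row is the case the second TTL helps (authority unreachable, but the last-known data still served); the "fresh" row at t=30 is the case it does not help, since the compromised or renumbered answer stays in service until the refresh TTL runs out and no message from the authority can shorten that; and the "local" row is what a resolver that is also secondary for its own zones gets for free, which is the narrow case that opened the thread.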