Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

Running a Root Server Local to a Resolver
draft-ietf-dnsop-7706bis-12

Yes

Éric Vyncke

(Alexey Melnikov)

(Barry Leiba)

No Objection

Roman Danyliw

(Adam Roach)

(Alissa Cooper)

(Alvaro Retana)

(Benjamin Kaduk)

(Deborah Brungard)

(Mirja Kühlewind)

(Suresh Krishnan)

Recuse

Warren Kumari

Note: This ballot was opened for revision 07 and is now closed.

Éric Vyncke

Yes

Comment (2020-03-11 for -10) Sent

Thank you for the work put into this document. With the heavy load on this week telechat and the workload related to the cancellation of the IETF-107 in-person meeting, I must admit that this review was not as thorough as I had hope :-(

Please find below some non-blocking COMMENTs and NITs. An answer will be appreciated to my first comment (and possible the other ones).

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

Out of curiosity, was it considered to run the 'mirror root' on one global anycast address of the root server, e.g., 2001:7fd::1, and modify the root cache to only have this one? (I am sure that you know that Linux can have a 'local' route for any IPv4/IPv6 address to the loopback)

-- Section 1 --
Very minor, s/their customers,/their clients,/ as there is not always a contract

s/during network attacks/during network attacks against the root servers/ ?

The sentence in parenthesis "(Although the..." is important and deserves a paragraph on its own IMHO.

-- Appendix B --
"were checked recently" means little thing... can you replace with "March 2020" ?

-- Section B.1 --
I would have preferred the use of "::1" rather than "127.12.12.12;" in the example...

Roman Danyliw

No Objection

Warren Kumari

Recuse

Comment (2020-02-28 for -07) Not sent

Recuse -- 'm an author...

Alexey Melnikov Former IESG member

Yes

Yes (for -10) Not sent

Barry Leiba Former IESG member

Yes

Yes (for -07) Unknown

Adam Roach Former IESG member

No Objection

No Objection (for -10) Not sent

Alissa Cooper Former IESG member

No Objection

No Objection (for -10) Not sent

Alvaro Retana Former IESG member

No Objection

No Objection (for -10) Not sent

Benjamin Kaduk Former IESG member

No Objection

No Objection (2020-03-12 for -10) Sent

Abstract

   Some DNS recursive resolvers have longer-than-desired round-trip
   times to the closest DNS root server; those resolvers may have
   difficulty getting responses from the root servers, such as during a
   network attack.  Some DNS recursive resolver operators want to
   prevent snooping by third parties of requests sent to DNS root
   servers.  Such resolvers can greatly decrease the round-trip time and

Can I suggest to s/Such resolvers/In both cases, resolvers/?

Section 1

   The primary goals of this design are to provide more reliable answers
   for queries to the root zone during network attacks, and to prevent
   queries and responses from being visible on the network.  This design
   will probably have little effect on getting faster responses to stub
   resolver for good queries on TLDs, because the TTL for most TLDs is
   usually long-lived (on the order of a day or two) and is thus usually
   already in the cache of the recursive resolver; the same is true for
   the TTL for negative answers from the root servers.  (Although the
   primary goal of the design is for serving the root zone, the method
   can be used for any zone.)

Are there any considerations of note when using this method for a zone
other than the root zone?

Section 1.1

(I expect the RFC Editor will change things to use a consistent
construction for the last five paragraphs, regarding "this document <X>"
vs. just "<X>".)

Section 2

      only respond to queries from the same host.  One way to assure not
      responding to queries from other hosts is to run an authoritative
      server for the root that responds only on one of the loopback
      addresses (that is, an address in the range 127/8 for IPv4 or ::1

nit(?): in principle there's nothing to stop such a service from
responding on more than one loopback address ... not that I can think of
a reason why one would want to.

Section 3

   There is a risk that a system using a local authoritative server for
   the root zone cannot refresh the contents of the root zone before the
   expire time in the SOA.  A system using a local authoritative server
   for the root zone MUST NOT serve stale data for the root zone.  To
   mitigate the risk that stale data is served, the local root server
   MUST immediately switch to using non-local root servers.

Immediately ... upon what condition?

Section 4

We should probably discuss the consequences for when the SHOULD NOT is
ignored and the glue records in the root zone are changed.

   As stated in Section 1, this design explicitly allows the local copy
   of the root zone information to be available only from resolvers on
   that host.  This has the security property of limiting damage to

nit: "allows [...] to be available only from" or "requires [...] to be
available only from"?  (Or "only allows [...] to be available from", of
course.)

Deborah Brungard Former IESG member

No Objection

No Objection (for -10) Not sent

Mirja Kühlewind Former IESG member

No Objection

No Objection (2020-03-10 for -10) Sent

Small editorial comment:
As this document obsoletes RFC7706 (and does not update it), section 1.1 should probably be called "Changes from RFC7706" (and not " Updates from RFC 7706").

Suresh Krishnan Former IESG member

No Objection

No Objection (for -10) Not sent

Running a Root Server Local to a Resolver draft-ietf-dnsop-7706bis-12

Running a Root Server Local to a Resolver
draft-ietf-dnsop-7706bis-12