

To: Olafur Gudmundsson <ogud@ogud.com>
Cc: James Gould <jgould@verisign.com>, EPP Provreg <ietf-provreg@cafax.se>
From: Howard Eland <heland@afilias.info>
Date: Tue, 16 Feb 2010 15:33:42 -0600
In-Reply-To: <4B7AF7A9.3030602@ogud.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] Re: draft-gould-rfc4310bis-04.txt Submitted for Review


On Feb 16, 2010, at 1:53 PM, Olafur Gudmundsson wrote:

> On 16/02/2010 1:00 PM, Howard Eland wrote:
>> Hi James,
>> 
>> Thanks for the ping about this issue.
>> 
>> Transfers (specifically, those that involve changes to a DNS provider)
>> are a complex issue, and are of a much bigger scope than what we can
>> accomplish in 4310-bis. For a transfer involving glue (in which the IP
>> address of the glue record would change), there is the issue of TTL on
>> the glue record. Regardless of how well a registrant turns down the TTL
>> for the DS and RRSIG records, it will still be subject to glue TTL,
>> which, as I mentioned, is out of scope for us. Thus, the ability to set
>> the TTL on DS and RRSIGs is not sufficient to ensure a smooth transfer.
>> 
>> There is also the ability for registrars (or registrants, through their
>> registrar GUI) to misuse the TTL value. I would not want to see a TTL of
>> 0, nor would I want to see $HUGE_VAL. In fact, short DS and RRSIG TTLs
>> could cause an inordinate amount of queries to hit the parent name
>> server, resulting in amplification attacks. This could, of course, be
>> controlled by server policy, but that policy may hinder the ability of
>> the registrant to turn down the TTL, which defeats the purpose.
> 
> Howard,
> as you mention above this is big issue.
> While I'm sympathetic to your concerns on possible flood of DS questions, that would only take place if the DNSKEY in the child also
> had a small TTL and the child was a popular domain :-)

If they're in the middle of a transfer, and they are turning down the TTL of the DS record, I'm assuming they're also turning down the corresponding DNSKEYs, so I think that scenario is still very plausible.  Within the TLD namespace, there are many popular domains (I realize that this may not be the case for all implementors, though).

> 
> My suggestion is that each parent set a reasonable default and
> a floor on how low the TTL can be set; the child would be allowed to
> select a TTL between these two numbers.

Possibly, if a reasonable tradeoff can be made here.  Of course, if we have wording about server policy being able to define the floor and ceiling, then technically operators could force it to be a single value, if they so desired.

-Howard

> 	
> 	Olafur
> 



