Delegation Revalidation by DNS Resolvers

1 minute read

I’ve been working recently on a new IETF draft document on Delegation Revalidation by DNS Resolvers, with collaborators Paul Vixie, CEO of Farsight Security, and Ralph Dolmans, software engineer at NLnetLabs. The document can be found at: https://tools.ietf.org/html/draft-huque-dnsop-ns-revalidation-01

The central ideas in the draft are not new. Paul and others proposed much of this in the 2010, and Wouter Wijngaards proposed something similar in 2009 in his resolver mitigations draft. The ideas remain useful though, and we feel they should be standardized in the IETF. We are attempting to do that now, with some specific refinements having to do with addressing DNSSEC related details, and not imposing a speed bottleneck in resolver implementations.

There is a range of different behaviors in resolver implementations in how they process zone delegations today, and one of the goals of the draft is to see if we can agree on more commonality and predictability, in a way that conforms correctly to the DNS protocol.

The main recommendations in the draft are to: (1) deterministically prefer the authoritative child NS set over the non-authoritative, unsigned, delegating NS set in the parent, (2) revalidate the delegation at the expiration of the parent NS set TTL, to promptly detect when the parent has re-delegated the zone elsewhere (or removed the delegation).

We announced the work on the DNS-OARC operations mailing list, and subsequently on the IETF DNS Operations working group list. The resulting email threads on each are useful reading to gauge the reactions of DNS experts in the larger community. Most find the draft useful, so I think the prospects for working group adoption and moving it forward through the IETF consensus process are good.

We subsequently did a presentation on the proposal at the April 23rd IETF DNS Operations interim meeting. Slides and video/audio are available.