I've been working recently on a new IETF draft document on Delegation
Revalidation by DNS Resolvers, with collaborators Paul Vixie, CEO of
Farsight Security, and Ralph Dolmans, software engineer at NLnetLabs.
The document can be found at:
The central ideas in the draft are not new. Paul and others proposed
much of this in 2010, and Wouter Wijngaards proposed something
similar in 2009 in his resolver mitigations draft. The ideas remain
useful though, and we feel they should be standardized in the IETF.
We are attempting to do that now, with some specific refinements
having to do with addressing DNSSEC related details, and not imposing
a speed bottleneck in resolver implementations.
There is a range of different behaviors in resolver implementations
in how they process zone delegations today, and one of the goals of
the draft is to see if we can agree on more commonality and predictability,
in a way that conforms correctly to the DNS protocol.
The main recommendations in the draft are to: (1) deterministically
prefer the authoritative child NS set over the non-authoritative,
unsigned, delegating NS set in the parent, (2) revalidate the delegation
at the expiration of the parent NS set TTL, to promptly detect when the
parent has re-delegated the zone elsewhere (or removed the delegation).
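To make the two recommendations concrete, here is a small simulation of a resolver delegation cache that (1) answers from the child's authoritative NS set when it has one and (2) re-queries the parent as soon as the parent NS TTL runs out, discarding a child NS set cached from a previous delegatee even if that set's own (possibly much longer) TTL has not expired. This is an added example, not text or code from the draft or from any resolver implementation; the zone names, nameserver names, TTLs and the `parent_lookup`/`child_lookup` callbacks are constructed stand-ins for real queries.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NsSet:
    """An NS RRset as a resolver would cache it."""
    names: frozenset        # nameserver names
    ttl: int                # seconds
    authoritative: bool     # True: from the child apex; False: parent-side delegation


@dataclass
class Delegation:
    parent: NsSet           # delegating NS set from the parent (unsigned, non-authoritative)
    parent_expires: float   # absolute time at which the parent NS TTL runs out
    child: Optional[NsSet]  # authoritative NS set from the child apex, once fetched
    child_expires: float


class RevalidatingCache:
    """Delegation cache applying both recommendations: prefer the child's
    authoritative NS set, and revalidate against the parent when the parent
    NS TTL expires, however much TTL the child set has left."""

    def __init__(self, parent_lookup, child_lookup, now):
        self._parent_lookup = parent_lookup  # zone -> NsSet | None (simulated parent query)
        self._child_lookup = child_lookup    # (zone, ns names) -> NsSet | None (simulated child query)
        self._now = now                      # clock returning seconds
        self._entries = {}
        self.revalidations = 0

    def nameservers(self, zone):
        """Return the NS names the resolver should use for `zone` right now."""
        now = self._now()
        entry = self._entries.get(zone)
        if entry is None or now >= entry.parent_expires:
            entry = self._revalidate(zone, entry, now)
        if entry.child is None or now >= entry.child_expires:
            self._fetch_child(zone, entry, now)
        # Recommendation (1): the authoritative child set wins when available.
        return entry.child.names if entry.child is not None else entry.parent.names

    def _revalidate(self, zone, old, now):
        # Recommendation (2): re-query the parent at parent NS TTL expiry.
        self.revalidations += 1
        parent = self._parent_lookup(zone)
        if parent is None:
            # Delegation removed at the parent: nothing cached may survive.
            self._entries.pop(zone, None)
            raise LookupError(f"delegation for {zone} no longer exists at the parent")
        entry = Delegation(parent, now + parent.ttl, None, 0.0)
        if old is not None and old.child is not None and old.parent.names == parent.names:
            # Same delegation as before: the cached child set remains trustworthy.
            entry.child, entry.child_expires = old.child, old.child_expires
        # Otherwise the child set obtained from the previous delegatee is dropped,
        # even though its own TTL may not have expired.
        self._entries[zone] = entry
        return entry

    def _fetch_child(self, zone, entry, now):
        child = self._child_lookup(zone, entry.parent.names)
        entry.child = child
        if child is not None:
            entry.child_expires = now + child.ttl


# Constructed sample data (assumptions, not real zones).
OLD_PARENT_NS = frozenset({"ns1.old-host.example", "ns2.old-host.example"})
OLD_CHILD_NS = OLD_PARENT_NS | {"ns3.old-host.example"}   # child apex lists an extra server
NEW_PARENT_NS = frozenset({"ns1.new-host.example", "ns2.new-host.example"})
NEW_CHILD_NS = NEW_PARENT_NS | {"ns3.new-host.example"}


def run_scenario():
    """Re-delegate child.example at t=30 and remove it at t=100; the parent NS
    TTL is 60 s while the child apex publishes its NS set with a 3600 s TTL."""
    clock = {"t": 0.0}
    parent_zone = {"child.example": NsSet(OLD_PARENT_NS, 60, False)}
    apex_by_servers = {OLD_PARENT_NS: NsSet(OLD_CHILD_NS, 3600, True),
                       NEW_PARENT_NS: NsSet(NEW_CHILD_NS, 3600, True)}
    cache = RevalidatingCache(parent_zone.get,
                              lambda zone, ns: apex_by_servers.get(ns),
                              lambda: clock["t"])
    out = {}
    out["t0"] = cache.nameservers("child.example")      # authoritative child set preferred
    clock["t"] = 30
    parent_zone["child.example"] = NsSet(NEW_PARENT_NS, 60, False)   # parent re-delegates
    out["t30"] = cache.nameservers("child.example")     # parent TTL not yet expired: old set
    clock["t"] = 60
    out["t60"] = cache.nameservers("child.example")     # revalidated: new delegatee's set
    clock["t"] = 100
    del parent_zone["child.example"]                    # parent removes the delegation
    out["t100"] = cache.nameservers("child.example")    # parent TTL runs to 120: still served
    clock["t"] = 120
    try:
        cache.nameservers("child.example")
    except LookupError:
        out["t120"] = None                              # removal detected at TTL expiry
    out["revalidations"] = cache.revalidations
    return out
```

Running `run_scenario()` shows the old child NS set (with its 3600 s TTL) being replaced after only 60 s because the parent delegation changed, and the removed delegation being noticed at the next parent TTL boundary rather than lingering for the remaining child TTL.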
We announced the work on the
DNS-OARC operations mailing list,
and subsequently on the
IETF DNS Operations working group list. The resulting email threads
on each are useful reading to gauge the reactions of DNS experts in the
larger community. Most find the draft useful, so I think the prospects
for working group adoption and moving it forward through the IETF consensus
process are good.
We subsequently did a presentation on the proposal at the April 23rd
IETF DNS Operations interim meeting.
Video and audio recordings are available.