idnits 2.17.1 draft-ietf-dnsop-serve-stale-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC1034], [RFC1035], [RFC2181]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. -- The draft header indicates that this document updates RFC1034, but the abstract doesn't seem to directly say this. It does mention RFC1034 though, so this could be OK. -- The draft header indicates that this document updates RFC1035, but the abstract doesn't seem to directly say this. It does mention RFC1035 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC1034, updated by this document, for RFC5378 checks: 1987-11-01) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (August 08, 2019) is 1722 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 7719 (Obsoleted by RFC 8499) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSOP Working Group D. Lawrence 3 Internet-Draft Oracle 4 Updates: 1034, 1035 (if approved) W. Kumari 5 Intended status: Standards Track P. Sood 6 Expires: February 9, 2020 Google 7 August 08, 2019 9 Serving Stale Data to Improve DNS Resiliency 10 draft-ietf-dnsop-serve-stale-06 12 Abstract 14 This draft defines a method (serve-stale) for recursive resolvers to 15 use stale DNS data to avoid outages when authoritative nameservers 16 cannot be reached to refresh expired data. It updates the definition 17 of TTL from [RFC1034], [RFC1035], and [RFC2181] to make it clear that 18 data can be kept in the cache beyond the TTL expiry and used for 19 responses when a refreshed answer is not readily available. One of 20 the motivations for serve-stale is to make the DNS more resilient to 21 DoS attacks, and thereby make them less attractive as an attack 22 vector. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on February 9, 2020. 41 Copyright Notice 43 Copyright (c) 2019 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 4. Standards Action . . . . . . . . . . . . . . . . . . . . . . 4 62 5. Example Method . . . . . . . . . . . . . . . . . . . . . . . 4 63 6. Implementation Considerations . . . . . . . . . . . . . . . . 6 64 7. Implementation Caveats . . . . . . . . . . . . . . . . . . . 8 65 8. Implementation Status . . . . . . . . . . . . . . . . . . . . 9 66 9. EDNS Option . . . . . . . . . . . . . . . . . . . . . . . . . 9 67 10. Security Considerations . . . . . . . . . . . . . . . . . . . 10 68 11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 69 12. NAT Considerations . . . . . . . . . . . . . . . . . . . . . 10 70 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 71 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 72 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 15.1. Normative References . . . . . . . . . . . . . . . . . . 11 74 15.2. Informative References . . . . . . . . . . . . . . . . . 11 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 77 1. Introduction 79 Traditionally the Time To Live (TTL) of a DNS resource record has 80 been understood to represent the maximum number of seconds that a 81 record can be used before it must be discarded, based on its 82 description and usage in [RFC1035] and clarifications in [RFC2181]. 84 This document proposes that the definition of the TTL be explicitly 85 expanded to allow for expired data to be used in the exceptional 86 circumstance that a recursive resolver is unable to refresh the 87 information. It is predicated on the observation that authoritative 88 answer unavailability can cause outages even when the underlying data 89 those servers would return is typically unchanged. 91 We describe a method below for this use of stale data, balancing the 92 competing needs of resiliency and freshness. 94 2. Terminology 96 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 97 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 98 "OPTIONAL" in this document are to be interpreted as described in BCP 99 14 [RFC2119] [RFC8174] when, and only when, they appear in all 100 capitals, as shown here. 102 For a comprehensive treatment of DNS terms, please see [RFC7719]. 104 3. Background 106 There are a number of reasons why an authoritative server may become 107 unreachable, including Denial of Service (DoS) attacks, network 108 issues, and so on. If a recursive server is unable to contact the 109 authoritative servers for a query but still has relevant data that 110 has aged past its TTL, that information can still be useful for 111 generating an answer under the metaphorical assumption that "stale 112 bread is better than no bread." 114 [RFC1035] Section 3.2.1 says that the TTL "specifies the time 115 interval that the resource record may be cached before the source of 116 the information should again be consulted", and Section 4.1.3 further 117 says the TTL, "specifies the time interval (in seconds) that the 118 resource record may be cached before it should be discarded." 120 A natural English interpretation of these remarks would seem to be 121 clear enough that records past their TTL expiration must not be used. 122 However, [RFC1035] predates the more rigorous terminology of 123 [RFC2119] which softened the interpretation of "may" and "should". 125 [RFC2181] aimed to provide "the precise definition of the Time to 126 Live", but in Section 8 was mostly concerned with the numeric range 127 of values and the possibility that very large values should be 128 capped. (It also has the curious suggestion that a value in the 129 range 2147483648 to 4294967295 should be treated as zero.) It closes 130 that section by noting, "The TTL specifies a maximum time to live, 131 not a mandatory time to live." This is again not [RFC2119]-normative 132 language, but does convey the natural language connotation that data 133 becomes unusable past TTL expiry. 135 Several recursive resolver operators currently use stale data for 136 answers in some way, including Akamai. A number of recursive 137 resolver packages (including BIND, Know, OpenDNS, Unbound) provide 138 options to use stale data. Apple MacOS can also use stale data as 139 part of the Happy Eyeballs algorithms in mDNSResponder. The 140 collective operational experience is that it provides significant 141 benefit with minimal downside. 143 4. Standards Action 145 The definition of TTL in [RFC1035] Sections 3.2.1 and 4.1.3 is 146 amended to read: 148 TTL a 32-bit unsigned integer number of seconds that specifies the 149 duration that the resource record MAY be cached before the source 150 of the information MUST again be consulted. Zero values are 151 interpreted to mean that the RR can only be used for the 152 transaction in progress, and should not be cached. Values SHOULD 153 be capped on the orders of days to weeks, with a recommended cap 154 of 604,800 seconds (seven days). If the data is unable to be 155 authoritatively refreshed when the TTL expires, the record MAY be 156 used as though it is unexpired. 158 Interpreting values which have the high order bit set as being 159 positive, rather than 0, is a change from [RFC2181]. Suggesting a 160 cap of seven days, rather than the 68 years allowed by [RFC2181], 161 reflects the current practice of major modern DNS resolvers. 163 When returning a response containing stale records, a recursive 164 resolver MUST set the TTL of each expired record in the message to a 165 value greater than 0, with 30 seconds RECOMMENDED. 167 Answers from authoritative servers that have a DNS Response Code of 168 either 0 (NoError) or 3 (NXDomain) and the Authoritative Answers (AA) 169 bit set MUST be considered to have refreshed the data at the 170 resolver. Answers from authoritative servers that have any other 171 response code SHOULD be considered a failure to refresh the data and 172 therefor leave any previous state intact. 174 5. Example Method 176 There is more than one way a recursive resolver could responsibly 177 implement this resiliency feature while still respecting the intent 178 of the TTL as a signal for when data is to be refreshed. 180 In this example method four notable timers drive considerations for 181 the use of stale data: 183 o A client response timer, which is the maximum amount of time a 184 recursive resolver should allow between the receipt of a 185 resolution request and sending its response. 187 o A query resolution timer, which caps the total amount of time a 188 recursive resolver spends processing the query. 190 o A failure recheck timer, which limits the frequency at which a 191 failed lookup will be attempted again. 193 o A maximum stale timer, which caps the amount of time that records 194 will be kept past their expiration. 196 Most recursive resolvers already have the query resolution timer, and 197 effectively some kind of failure recheck timer. The client response 198 timer and maximum stale timer are new concepts for this mechanism. 200 When a request is received by a recursive resolver, it should start 201 the client response timer. This timer is used to avoid client 202 timeouts. It should be configurable, with a recommended value of 1.8 203 seconds as being just under a common timeout value of 2 seconds while 204 still giving the resolver a fair shot at resolving the name. 206 The resolver then checks its cache for any unexpired records that 207 satisfy the request and returns them if available. If it finds no 208 relevant unexpired data and the Recursion Desired flag is not set in 209 the request, it should immediately return the response without 210 consulting the cache for expired records. Typically this response 211 would be a referral to authoritative nameservers covering the zone, 212 but the specifics are implementation dependent. 214 If iterative lookups will be done, then the failure recheck timer is 215 consulted. Attempts to refresh from non-responsive or otherwise 216 failing authoritative nameservers are recommended to be done no more 217 frequently than every 30 seconds. If this request was received 218 within this period, the cache may be immediately consulted for stale 219 data to satisfy the request. 221 Outside the period of the failure recheck timer, the resolver should 222 start the query resolution timer and begin the iterative resolution 223 process. This timer bounds the work done by the resolver when 224 contacting external authorities, and is commonly around 10 to 30 225 seconds. If this timer expires on an attempted lookup that is still 226 being processed, the resolution effort is abandoned. 228 If the answer has not been completely determined by the time the 229 client response timer has elapsed, the resolver should then check its 230 cache to see whether there is expired data that would satisfy the 231 request. If so, it adds that data to the response message with a TTL 232 greater than 0 (as specified in Section 4). The response is then 233 sent to the client while the resolver continues its attempt to 234 refresh the data. 236 When no authorities are able to be reached during a resolution 237 attempt, the resolver should attempt to refresh the delegation and 238 restart the iterative lookup process with the remaining time on the 239 query resolution timer. This resumption should be done only once 240 during one resolution effort. 242 Outside the resolution process, the maximum stale timer is used for 243 cache management and is independent of the query resolution process. 244 This timer is conceptually different from the maximum cache TTL that 245 exists in many resolvers, the latter being a clamp on the value of 246 TTLs as received from authoritative servers and recommended to be 247 seven days in the TTL definition in Section 4. The maximum stale 248 timer should be configurable, and defines the length of time after a 249 record expires that it should be retained in the cache. The 250 suggested value is between 1 and 3 days. 252 6. Implementation Considerations 254 This document mainly describes the issues behind serving stale data 255 and intentionally does not provide a formal algorithm. The concept 256 is not overly complex, and the details are best left to resolver 257 authors to implement in their codebases. The processing of serve- 258 stale is a local operation, and consistent variables between 259 deployments are not needed for interoperability. However, we would 260 like to highlight the impact of various implementation choices, 261 starting with the timers involved. 263 The most obvious of these is the maximum stale timer. If this 264 variable is too large it could cause excessive cache memory usage, 265 but if it is too small, the serve-stale technique becomes less 266 effective, as the record may not be in the cache to be used if 267 needed. Shorter values, even less than a day, can effectively handle 268 the vast majority of outages. Longer values, as much as a week, give 269 time for monitoring systems to notice a resolution problem and for 270 human intervention to fix it; operational experience has been that 271 sometimes the right people can be hard to track down and 272 unfortunately slow to remedy the situation. 274 Increased memory consumption could be mitigated by prioritizing 275 removal of stale records over non-expired records during cache 276 exhaustion. Implementations may also wish to consider whether to 277 track the names in requests for their last time of use or their 278 popularity, using that as an additional factor when considering cache 279 eviction. A feature to manually flush only stale records could also 280 be useful. 282 The client response timer is another variable which deserves 283 consideration. If this value is too short, there exists the risk 284 that stale answers may be used even when the authoritative server is 285 actually reachable but slow; this may result in sub-optimal answers 286 being returned. Conversely, waiting too long will negatively impact 287 user experience. 289 The balance for the failure recheck timer is responsiveness in 290 detecting the renewed availability of authorities versus the extra 291 resource use for resolution. If this variable is set too large, 292 stale answers may continue to be returned even after the 293 authoritative server is reachable; per [RFC2308], Section 7, this 294 should be no more than five minutes. If this variable is too small, 295 authoritative servers may be rapidly hit with a significant amount of 296 traffic when they become reachable again. 298 Regarding the TTL to set on stale records in the response, 299 historically TTLs of zero seconds have been problematic for some 300 implementations, and negative values can't effectively be 301 communicated to existing software. Other very short TTLs could lead 302 to congestive collapse as TTL-respecting clients rapidly try to 303 refresh. The recommended value of 30 seconds not only sidesteps 304 those potential problems with no practical negative consequences, it 305 also rate limits further queries from any client that honors the TTL, 306 such as a forwarding resolver. 308 Another implementation consideration is the use of stale nameserver 309 addresses for lookups. This is mentioned explicitly because, in some 310 resolvers, getting the addresses for nameservers is a separate path 311 from a normal cache lookup. If authoritative server addresses are 312 not able to be refreshed, resolution can possibly still be successful 313 if the authoritative servers themselves are up. For instance, 314 consider an attack on a top-level domain that takes its nameservers 315 offline; serve-stale resolvers that had expired glue addresses for 316 subdomains within that TLD would still be able to resolve names 317 within those subdomains, even those it had not previously looked up. 319 The directive in Section 4 that only NoError and NXDomain responses 320 should invalidate any previously associated answer stems from the 321 fact that no other RCODEs which a resolver normally encounters makes 322 any assertions regarding the name in the question or any data 323 associated with it. This comports with existing resolver behavior 324 where a failed lookup (say, during pre-fetching) doesn't impact the 325 existing cache state. Some authoritative servers operators have said 326 that they would prefer stale answers to be used in the event that 327 their servers are responding with errors like ServFail instead of 328 giving true authoritative answers. Implementers MAY decide to return 329 stale answers in this situation. 331 Since the goal of serve-stale is to provide resiliency for all 332 obvious errors to refresh data, these other RCODEs are treated as 333 though they are equivalent to not getting an authoritative response. 335 Although NXDomain for a previously existing name might well be an 336 error, it is not handled that way because there is no effective way 337 to distinguish operator intent for legitimate cases versus error 338 cases. 340 During discussion in the IETF, it was suggested that, if all 341 authorities return responses with RCODE of Refused, it may be an 342 explicit signal to take down the zone from servers that still have 343 the zone's delegation pointed to them. Refused, however, is also 344 overloaded to mean multiple possible failures which could represent 345 transient configuration failures. Operational experience has shown 346 that purposely returning Refused is a poor way to achieve an explicit 347 takedown of a zone compared to either updating the delegation or 348 returning NXDomain with a suitable SOA for extended negative caching. 349 Implementers MAY nonetheless consider whether to treat all 350 authorities returning Refused as preempting the use of stale data. 352 7. Implementation Caveats 354 Stale data is used only when refreshing has failed in order to adhere 355 to the original intent of the design of the DNS and the behaviour 356 expected by operators. If stale data were to always be used 357 immediately and then a cache refresh attempted after the client 358 response has been sent, the resolver would frequently be sending data 359 that it would have had no trouble refreshing. Because modern 360 resolvers use techniques like pre-fetching and request coalescing for 361 efficiency, it is not necessary that every client request needs to 362 trigger a new lookup flow in the presence of stale data, but rather 363 that a good-faith effort has been recently made to refresh the stale 364 data before it is delivered to any client. 366 It is important to continue the resolution attempt after the stale 367 response has been sent, until the query resolution timeout, because 368 some pathological resolutions can take many seconds to succeed as 369 they cope with unavailable servers, bad networks, and other problems. 370 Stopping the resolution attempt when the response with expired data 371 has been sent would mean that answers in these pathological cases 372 would never be refreshed. 374 The continuing prohibition against using data with a 0 second TTL 375 beyond the current transaction explicitly extends to it being 376 unusable even for stale fallback, as it is not to be cached at all. 378 Be aware that Canonical Name (CNAME) and DNAME [RFC6672] records 379 mingled in the expired cache with other records at the same owner 380 name can cause surprising results. This was observed with an initial 381 implementation in BIND when a hostname changed from having an IPv4 382 Address (A) record to a CNAME. The version of BIND being used did 383 not evict other types in the cache when a CNAME was received, which 384 in normal operations is not a significant issue. However, after both 385 records expired and the authorities became unavailable, the fallback 386 to stale answers returned the older A instead of the newer CNAME. 388 8. Implementation Status 390 [RFC Editor: per RFC 6982 this section should be removed prior to 391 publication.] 393 The algorithm described in Section 5 was originally implemented as a 394 patch to BIND 9.7.0. It has been in production on Akamai's 395 production network since 2011, and effectively smoothed over 396 transient failures and longer outages that would have resulted in 397 major incidents. The patch was contributed to Internet Systems 398 Consortium and the functionality is now available in BIND 9.12 via 399 the options stale-answer-enable, stale-answer-ttl, and max-stale-ttl. 401 Unbound has a similar feature for serving stale answers, but will 402 respond with stale data immediately if it has recently tried and 403 failed to refresh the answer by pre-fetching. 405 Knot Resolver has a demo module here: https://knot- 406 resolver.readthedocs.io/en/stable/modules.html#serve-stale 408 Details of Apple's implementation are not currently known. 410 In the research paper "When the Dike Breaks: Dissecting DNS Defenses 411 During DDoS" [DikeBreaks], the authors detected some use of stale 412 answers by resolvers when authorities came under attack. Their 413 research results suggest that more widespread adoption of the 414 technique would significantly improve resiliency for the large number 415 of requests that fail or experience abnormally long resolution times 416 during an attack. 418 9. EDNS Option 420 During the discussion of serve-stale in the IETF, it was suggested 421 that an EDNS option should be available to either explicitly opt-in 422 to getting data that is possibly stale, or at least as a debugging 423 tool to indicate when stale data has been used for a response. 425 The opt-in use case was rejected as the technique was meant to be 426 immediately useful in improving DNS resiliency for all clients. 428 The reporting case was ultimately also rejected because even the 429 simpler version of a proposed option was still too much bother to 430 implement for too little perceived value. 432 10. Security Considerations 434 The most obvious security issue is the increased likelihood of DNSSEC 435 validation failures when using stale data because signatures could be 436 returned outside their validity period. This would only be an issue 437 if the authoritative servers are unreachable, the only time the 438 techniques in this document are used, and thus does not introduce a 439 new failure in place of what would have otherwise been success. 441 Additionally, bad actors have been known to use DNS caches to keep 442 records alive even after their authorities have gone away. This 443 potentially makes that easier, although without introducing a new 444 risk. 446 In [CloudStrife], it was demonstrated how stale DNS data, namely 447 hostnames pointing to addresses that are no longer in use by the 448 owner of the name, can be used to co-opt security such as to get 449 domain-validated certificates fraudulently issued to an attacker. 450 While this document does not create a new vulnerability in this area, 451 it does potentially enlarge the window in which such an attack could 452 be made. A proposed mitigation is that certificate authorities 453 should fully look up each name starting at the DNS root for every 454 name lookup. Alternatively, CAs should use a resolver that is not 455 serving stale data. 457 11. Privacy Considerations 459 This document does not add any practical new privacy issues. 461 12. NAT Considerations 463 The method described here is not affected by the use of NAT devices. 465 13. IANA Considerations 467 There are no IANA considerations. 469 14. Acknowledgements 471 The authors wish to thank Robert Edmonds, Tony Finch, Bob Harold, 472 Tatuya Jinmei, Matti Klock, Jason Moreau, Giovane Moura, Jean Roy, 473 Mukund Sivaraman, Davey Song, Paul Vixie, Ralf Weber and Paul Wouters 474 for their review and feedback. 476 Paul Hoffman deserves special thanks for submitting a number of Pull 477 Requests. 479 15. References 481 15.1. Normative References 483 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 484 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 485 . 487 [RFC1035] Mockapetris, P., "Domain names - implementation and 488 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 489 November 1987, . 491 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 492 Requirement Levels", BCP 14, RFC 2119, 493 DOI 10.17487/RFC2119, March 1997, 494 . 496 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 497 Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, 498 . 500 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS 501 NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, 502 . 504 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 505 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 506 May 2017, . 508 15.2. Informative References 510 [CloudStrife] 511 Borgolte, K., Fiebig, T., Hao, S., Kruegel, C., and G. 512 Vigna, "Cloud Strife: Mitigating the Security Risks of 513 Domain-Validated Certificates", ACM 2018 Applied 514 Networking Research Workshop, DOI 10.1145/3232755.3232859, 515 July 2018, . 519 [DikeBreaks] 520 Moura, G., Heidemann, J., Mueller, M., Schmidt, R., and M. 521 Davids, "When the Dike Breaks: Dissecting DNS Defenses 522 During DDos", ACM 2018 Internet Measurement Conference, 523 DOI 10.1145/3278532.3278534, October 2018, 524 . 526 [RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the 527 DNS", RFC 6672, DOI 10.17487/RFC6672, June 2012, 528 . 530 [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 531 Terminology", RFC 7719, DOI 10.17487/RFC7719, December 532 2015, . 534 Authors' Addresses 536 David C Lawrence 537 Oracle 539 Email: tale@dd.org 541 Warren "Ace" Kumari 542 Google 543 1600 Amphitheatre Parkway 544 Mountain View CA 94043 545 USA 547 Email: warren@kumari.net 549 Puneet Sood 550 Google 552 Email: puneets@google.com