Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa
Daniel Migault <mglt.ietf@gmail.com> Wed, 05 January 2022 15:30 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D16F3A0CCE for <add@ietfa.amsl.com>; Wed, 5 Jan 2022 07:30:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00TSeYY_olm0 for <add@ietfa.amsl.com>; Wed, 5 Jan 2022 07:30:52 -0800 (PST)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 644A53A0CC0 for <add@ietf.org>; Wed, 5 Jan 2022 07:30:52 -0800 (PST)
Received: by mail-ua1-x935.google.com with SMTP id y4so12842783uad.1 for <add@ietf.org>; Wed, 05 Jan 2022 07:30:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cENbKwmZz9OzmiXZW3De2c5GN6VmPgxR76be+dY/1JY=; b=JF/SNlQgYsStjnDeqE43DPTYZ1cgjuVyf1ai2z5btLbcwtZOMFaqUntbolGlgj0yyQ O5LJ1dJSWllpDM8L3aS/Blh3Ses8IPBLpZ1URmSnmQVEKS/kqN1uXGMtKGgMLYh0h1Vh 02FXLZsx4t/xZz8haRG1q/Q5dwoD9TafaLUoQ4iwzUPwggCfg8TBU6RaaZgdRLG5RyAS O2bnYNndH3IejoDV1dx9MGrUxe0sgpyARUMOxzde5zIhdBuJ5qDa3TYAzx9jk6ZfTv1+ SoIxeur+QhiIZ3Xdw6ickc4Yed+gLhe2kTO11MHAJZiM9lFtwsv1MrMBsRvl/gQeAID3 sFKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cENbKwmZz9OzmiXZW3De2c5GN6VmPgxR76be+dY/1JY=; b=IqOeMYCxtIYgbh+7ToBuldzcpNKjtjZUehqpadX6GjZX/KVNRQP1+oEqJzjmdO0VtP ZXVVw34vrPDz+L0kOglrxc982B4hjpXadcO2C9ax5VwT4EFzbA4aL87xUuDy3ZAf75tk x7ZaONUAX+pn2xHw/iWgYt77jWkmiWyDpy/LL3rsFnTMwQVVXtLj4IOH1YwVeV55qv9q pMeKk1lfSp+ZNsqaq1/iHmXnpFjIgBXOAxf4cu3AiWzCZJKqgef5xapWKR+I+A6mbX4A nsmL3EDwa9Yfw1gXl5tkZJIg9ec7zUAifW1TttNzoG56yvPvhRjt7GeMmL+N5EEHuTZr lazA==
X-Gm-Message-State: AOAM5330yGn90rmCFWG2WtAqdWbL/1NEWciPDf8Ne7zhL+HP5iNC2QBT tuBSixlaynJsxWIHppwsD8iyfzvTz6llC6r5HsvOjAwJzI8=
X-Google-Smtp-Source: ABdhPJzDnT3rGP+xBcPc6s/lBiQcJrd8qKzLvyGz+o4YUwVX6nSwawlckMGYAtwOlirIuBTd9BGntaM5F5O7jKPKxzE=
X-Received: by 2002:a05:6102:1613:: with SMTP id cu19mr16630926vsb.39.1641396649691; Wed, 05 Jan 2022 07:30:49 -0800 (PST)
MIME-Version: 1.0
References: <SJ0PR00MB1318A7693D1BCE72AB05D4EAFA499@SJ0PR00MB1318.namprd00.prod.outlook.com> <9363D704-18FF-46CE-9B7A-38874C49D724@nohats.ca>
In-Reply-To: <9363D704-18FF-46CE-9B7A-38874C49D724@nohats.ca>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 05 Jan 2022 10:30:38 -0500
Message-ID: <CADZyTkkC2wY+38NjJ0OM-uCzeY6k3+2x9C3uiGphP0=opnVuFg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, Eric Orth <ericorth=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003d902705d4d7703f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/MLj_Mit9AmWSbTwXb8cJIBhagE0>
Subject: Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 15:30:58 -0000
Hi, Just to follow-up the discussion. I think the protocol as currently defined results in connectivity issues when network provided resolvers are used. This seems to me an important issue that needs to be addressed by the discovery protocol itself - as opposed to relying on applications. The problem is that the response of the _dns.resolver.arpa is used to indicate the available encrypted resolver but that information remains only valid while the client remains attached to the same resolver. Typically, a mobile node re-using the response from one network - like a wifi network - to another network - ran network - will not be able to discover the resolvers in the new network as it will attempt to connect to the resolvers of the old network. A connection to the resolver of the old network is by definition not what the client expects and will result in no discovery or an unverified discovery. In both cases this is not what discovery was intended to be - facilitating the use of a corresponding encrypted resolver. More specifically, the resolver of the old network may be unreachable from the new network in which case the client cannot connect the associated encrypted resolver. If the resolver of the old network is reachable, its certificate will not have the IP of the resolver of the old network and the client MUST NOT automatically use that resolver ( section 4.2 ). The response provided by the resolver of the old network can be NXDOMAIN in which case the response is subject to negative caching or there is a response which is considered valid for TTL seconds. Usually TTL is an indication or commitment (from the authoritative server) the RRset will be valid during at least these TTL seconds. Such commitment is possible as 1) there is no authority for such domain and 2) the validity of the RRSet depends on the client as well as the resolver i.e min( connection time to the resolver, resolver commitment (TTL) ). In our case, the resolver does not have any indication on how long the client will be connected to that resolver, so the only plausible value here seems to be 0 TTL. Further investigations are probably needed for NXDOMAIN negative caching. There are two ways the NOERROR response can be solved: 1) using a domain name the resolver has some authority on - like a name based on the reverse ip address. or 2) using a 0 TTL. If I recall correctly, the choice or resolver.arpa was deliberately chosen to prevent some interactions with the authoritative DNS. The consequence is that there is no such authority. Regarding the arguments for not having a 0 TTL, that have been mentioned so far: * clients could flush their cash when changing the network. I agree with Paul W. this does not seem to be the case with many applications and cannot be a reliable hypothesis. * polling issue does not seem to me an issue either. The resolver.arpa query is only expected to be performed when the discovery occurs and I do not see the need to perform a discovery every TTL. The connectivity information of the resolver is retrieved using the target of the resolver.arpa. I am also wondering how the polling issue could be an issue when flushing the dns cache anytime we change network is not. Yours, Daniel On Mon, Jan 3, 2022 at 1:19 PM Paul Wouters <paul@nohats.ca> wrote: > On Jan 3, 2022, at 13:07, Tommy Jensen <Jensen.Thomas= > 40microsoft.com@dmarc.ietf.org> wrote: > > > > > >> I don't think the TTL means the resolver information is valid for > >> that TTL time. TTLs refer to cachability of DNS records, > > > > I fail to see how these two statements agree. What does it mean for a > record to be cacheable for a length of time, but not valid for the same > length of time? > > Let me rephrase. The fact that www.nohats.ca A record has a TTL of 3600 > does not mean the DNS is somehow guaranteeing there is a webserver on that > IP for the next 3600s. > > Phone books can have outdated phone numbers. Which is why you (used to) > get a new one every year. There was no guarantee on each individual phone > number being correct. > > The same is true for DNS. The TTL’s only meaning is “how long can I re-use > this record for, without discarding it”. Any other meaning you want to add > is not backed up by DNS specifications, and you’d have to modify core DNS > protocols if you wanted to do it here. > > > I think adding more explicit text to require clients to discard cached > values for resolver.arpa on network change makes perfect sense. > > How can you tell the record you received is fresh or cached ? You can only > tell by comparing the TTL to the authoritative server TTL, but in this case > there isn’t even a real authoritative record since every network would be > making up their own resolver.arpa records. > > Paul > -- Daniel Migault Ericsson
- [Add] TTL of resolver.arpa Daniel Migault
- Re: [Add] TTL of resolver.arpa Eric Orth
- Re: [Add] TTL of resolver.arpa Paul Wouters
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Tommy Jensen
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Paul Wouters
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Daniel Migault
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Ben Schwartz
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Tommy Jensen
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Daniel Migault
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Steffen Nurpmeso