Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa
Daniel Migault <mglt.ietf@gmail.com> Wed, 05 January 2022 18:32 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B22023A0A87 for <add@ietfa.amsl.com>; Wed, 5 Jan 2022 10:32:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6zB8hEMFq1cz for <add@ietfa.amsl.com>; Wed, 5 Jan 2022 10:32:37 -0800 (PST)
Received: from mail-ua1-x931.google.com (mail-ua1-x931.google.com [IPv6:2607:f8b0:4864:20::931]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C08A3A0A8B for <add@ietf.org>; Wed, 5 Jan 2022 10:32:37 -0800 (PST)
Received: by mail-ua1-x931.google.com with SMTP id p37so70463261uae.8 for <add@ietf.org>; Wed, 05 Jan 2022 10:32:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EPg6St8aDSP57w/wX+UP7XoD12n94Z2gFTiGM/2L3KE=; b=UslKkGdndEzrRxdif7wVi0oLGygWDvVxbr+yrKyRR5k1F6HmeDcxZc5OFRdDx0Btup o8MP6Wncm8gOerz5q4UHzI9vWOuvvcNGySAspSaQMlb9985eAixCi6R2M1/8TbizpKnM v7oO7Q4DqgFsWigwDNCdwzZsHIcFkhxzgvkHyx6UMHR87R+5VjgO5OL5O7Y7mjHfY/cY yDNLxaDZiiTstb3IWXqgNNk8fy9dlrYcZL/S/1ORlxhDOS/w19EJqD1+6Kj46lsaS6PN 0dvKom73kgHLXom7ffyp9XKNtp7b0yJphT9LeEfkPoLcc8+8Oaf9hukgZQgvYDi1UlEe e4nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EPg6St8aDSP57w/wX+UP7XoD12n94Z2gFTiGM/2L3KE=; b=ZiXCm/0RPDpyiF19g5+gro7L569zNmPIMN4p78I6o5Fk5hp2Wmyuaq3VKWCg/Maz/q HkGoc5ULHJzWfHF5vt1voHR17OfA/HtYMjWo7M7TeCfJW/gT9CHbbfHEDIIPezxLPEyc DF2WatrU13V6GDY0rGINVWxU5imeKMS8Qb9qy4h1cDbiehgiExs0EaRUb19RY+Y59ux9 8iJAeO4KmYIn5gO3QIPNtlr1pHFh4PNZyw3sf0b/lusCXwPZDH1FAlS3FLzUO4WHN7TY tRU9ID1qLTLdYpnuwtvPp3G/pC9rBIJcguLhqBy1mV0lQkOflBmcxRMGLDHgGIRAvlQ3 w4JQ==
X-Gm-Message-State: AOAM5327Y+G9ilsrQXNSIIIVK0yZpjKHQ0OWsEN3f1VGgnPZZOnEvxnq OC5c9HNBQYqfJgy8QI+RII0/NJMqD+D6YwJ2ETYwPWhjlOA=
X-Google-Smtp-Source: ABdhPJz+AkV/uJZD/CrsBlUaDrNIlPL/gfEGk+tOws7p/Lbb03OpoMcE6FvKQxfrlQjqOOtWLOhfA1FqRJbT0xn1g4c=
X-Received: by 2002:ab0:2bd1:: with SMTP id s17mr5525433uar.37.1641407555306; Wed, 05 Jan 2022 10:32:35 -0800 (PST)
MIME-Version: 1.0
References: <SJ0PR00MB1318A7693D1BCE72AB05D4EAFA499@SJ0PR00MB1318.namprd00.prod.outlook.com> <9363D704-18FF-46CE-9B7A-38874C49D724@nohats.ca> <CADZyTkkC2wY+38NjJ0OM-uCzeY6k3+2x9C3uiGphP0=opnVuFg@mail.gmail.com> <CAHbrMsDVRmZAZfe2y6uN5mkG0B9+j1f_95zYZwj9-OzVicg2+g@mail.gmail.com>
In-Reply-To: <CAHbrMsDVRmZAZfe2y6uN5mkG0B9+j1f_95zYZwj9-OzVicg2+g@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 05 Jan 2022 13:32:24 -0500
Message-ID: <CADZyTkmcj4ekGGaMc_CtgW9kXKw_gdd2ENq19O=yaB+GqVXjTg@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: Paul Wouters <paul@nohats.ca>, ADD Mailing list <add@ietf.org>, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, Eric Orth <ericorth=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000044081c05d4d9faba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Vbyvl_2B1xHvhIxYMFMh1JVPRFk>
Subject: Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 18:32:42 -0000
On Wed, Jan 5, 2022 at 11:53 AM Ben Schwartz <bemasc@google.com> wrote: > On Wed, Jan 5, 2022 at 10:31 AM Daniel Migault <mglt.ietf@gmail.com> > wrote: > ... > >> The problem is that the response of the _dns.resolver.arpa is used to >> indicate the available encrypted resolver but that information remains only >> valid while the client remains attached to the same resolver. >> > > I concur, but I don't see this as a problem. > The text says: """ I think the protocol as currently defined results in connectivity issues when network provided resolvers are used. This seems to me an important issue that needs to be addressed by the discovery protocol itself - as opposed to relying on applications. The problem is that the response of the _dns.resolver.arpa is used to indicate the available encrypted resolver but that information remains only valid while the client remains attached to the same resolver. """ It seems pretty clear that the issue was mentioned in the paragraph above. The "problem" in the second paragraph should be read as "the reason for the problem". Please let me know if that is confusing in English. > > Typically, a mobile node re-using the response from one network - like a >> wifi network - to another network - ran network - will not be able to >> discover the resolvers in the new network as it will attempt to connect to >> the resolvers of the old network. >> > > Yes. This is an error on the client's part. The DDR response is only > valid and applicable for the interface configuration on which it was > discovered. If you think it's unclear, we can add text reminding clients > of this restriction. > I do not see any such text in the draft, can you point me to the text you are referring to so that I can check whether that is clear or not. I find it very complex to require a DNS client to have a DNS cache that is independent from the network address and another cache specific for a given interface. I am not convinced at this time it is reasonable to assume such a mechanism will be implemented by any DNS client. For my information I am wondering if you have any reference on how I can configure in chrome names that are bound to an interface as opposed to names that are not bound to an interface. > > Regarding the arguments for not having a 0 TTL, that have been mentioned >> so far: >> * clients could flush their cash when changing the network. I agree with >> Paul W. this does not seem to be the case with many applications and cannot >> be a reliable hypothesis. >> > > Clients either have to (a) restrict DDR records to the network on which > they were resolved, or (b) implement a fast fallback mechanism if the > resolver unexpectedly becomes unavailable and tolerate a brief outage > during reinitialization. > Again, this seems way more complex to assume every DNS client will implement it correctly. Setting a TTL to 0 works for sure with any DNS client. > > * polling issue does not seem to me an issue either. The resolver.arpa >> query is only expected to be performed when the discovery occurs and I do >> not see the need to perform a discovery every TTL. >> > > I do see this need. Networks are permitted to change their > configuration. Long-lived clients need to know how to stay up to date, > ideally updating before the old configuration becomes invalid. > It is unclear how a TTL set to 0 prevents the network from being configured - It actually removes any commitments. The resolvers information is updated every TTL where TTL designates the TTL of the domainname of the resolvers ( doh.resolver.example.com). If the provided parameters do not match the client policies a new discovery is performed. Are you suggesting that DDR is performed every TTL where TTL is the TTL of _dns.resolver.arpa. Yours, Daniel -- Daniel Migault Ericsson
- [Add] TTL of resolver.arpa Daniel Migault
- Re: [Add] TTL of resolver.arpa Eric Orth
- Re: [Add] TTL of resolver.arpa Paul Wouters
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Tommy Jensen
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Paul Wouters
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Daniel Migault
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Ben Schwartz
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Tommy Jensen
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Daniel Migault
- Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa Steffen Nurpmeso