IETF Logo Mail Archive

Re: [Add] Mozilla's DoH resolver policy

Ted Hardie <ted.ietf@gmail.com> Fri, 12 April 2019 17:55 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17F89120260 for <add@ietfa.amsl.com>; Fri, 12 Apr 2019 10:55:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXzM_dCBwEtW for <add@ietfa.amsl.com>; Fri, 12 Apr 2019 10:55:03 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 920921200B1 for <add@ietf.org>; Fri, 12 Apr 2019 10:55:03 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id n11so9249429ioh.1 for <add@ietf.org>; Fri, 12 Apr 2019 10:55:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SwEdZ3ZfeMspKZRJ4JBsN1oN2DGPQ1mAjbrOen8tJH0=; b=E+Lm6ZFsjawawsxWHjXWy3uWnbre8JKFEXRo2stDTwVnBlZ0zY7AfjVXw/NZh59wot eRRMxGZz0Xd9ED6b5luF3Kc/8dtRGac3hmOZqg3/Nz6oi81ePSQyrRMNB5CsZvtGlYi2 B3PqVksVTprMzjMj4s7/cjW8GouNcEN6u22GoQ4tbO9IBqxEds+nsmks9AsWZd+WJYD8 WN2IOwZmCFykE1+O4ugUPwgRBaoHfrOpQEKKI+e9dKix1Rp96DTw5lrNIit3bLCtyRcY 180u7rDaoQWhT0UBDTIqmRVplW9OoowHB+c/r4KQDKgMSIW6NVjvcXWMNib+qJdfIZ1J 5y8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SwEdZ3ZfeMspKZRJ4JBsN1oN2DGPQ1mAjbrOen8tJH0=; b=FszTwqbLu7Xj1Qhsi+UDH/XPLefDqJeHHEqcqNiVSJJJJFte6Iqfl4gyRVDjmaBQKP 9vvMH9Uppi+ZmNRjrohP3foSkBEcq7CjSP1fCgUf6Q+HTRqk4JyJ8TUlbsV0JeQFvRj1 SOE6u3CSu67jCLTMoNwaQz32YuykYvBVPMNNcrec8NInq9HAmz0dSTJ7DWZwxAqDvl0q rVLWt23kk88l+eyiLtUj4+Kq0dYgs6G9SezrkUEtmtRv55QlmNsUxMoyu8rV3kxKvKuq 0gbLxzr5YRUnDDv07NIAilx3XF+xJ01jk6O1qk0XgROJJLWkr6lpyFKJG+VtB1KZQ4Sl UdtA==
X-Gm-Message-State: APjAAAXwOjRVIRtrOMGdAC/ugA8ceiO5ytfeMgIegk79G0U2c01lKyI3 tLSpuUjtu+M5nnVW9pLcBqNKU6xZk4U5C+P4YMFFvw==
X-Google-Smtp-Source: APXvYqw8AKUrxXcQr9bEa5Z2Hb+weT6NCF4rcXO6ScUk0HH6vwVZUytomOL0WwOl2IOJaJjFE/Av4kNUBGEdIqGE05k=
X-Received: by 2002:a6b:6f09:: with SMTP id k9mr633645ioc.163.1555091702619; Fri, 12 Apr 2019 10:55:02 -0700 (PDT)
MIME-Version: 1.0
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <994839978.18707.1554973716877@appsuite.open-xchange.com> <af5f5c76-0095-65a0-39d1-d29d4bb0e906@mozilla.com> <ybl36mn8b54.fsf@w7.hardakers.net> <f9d0cd98-db0c-7f42-d351-d9a5002c4765@mozilla.com>
In-Reply-To: <f9d0cd98-db0c-7f42-d351-d9a5002c4765@mozilla.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 12 Apr 2019 10:54:35 -0700
Message-ID: <CA+9kkMAobw2giYO=8pbLVi4ms0Ru+nYwhV5DGxLCwaUdX6EQyQ@mail.gmail.com>
To: Peter Saint-Andre <stpeter@mozilla.com>
Cc: Wes Hardaker <wjhns1@hardakers.net>, add@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008725b8058659003f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/imfVMJjvpdTXLT7GULswH8DklDk>
Subject: Re: [Add] Mozilla's DoH resolver policy
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 17:55:06 -0000

Howdy,

On Fri, Apr 12, 2019 at 10:14 AM Peter Saint-Andre <stpeter@mozilla.com>
wrote:

>
> > Have you considered randomly rotating all queries
> > through every item in the list,
>
> We've considered random rotation but "there are problems with this".
>
>
So, I assume Wes didn't mean sending all queries to all entities on the
list, because that would be wasteful of bandwidth and very leaky of
information.  I think he meant "random rotation", which is the question you
answered.

But the reality is that folks have been dealing with the DNS round-robin
problem a long time and the change in transport protocols doesn't change
the parameters of the problem that much.  Generally speaking, you are
optimizing for reduced latency.  I think it was Duane Wessels who
introduced the "ladder race" method, which works pretty well over time;
there are also lots of variations of it.

Ladder race works by starting from a list, either with a known default or
no default.  You pick two for the first query and race them.  The winner
becomes the default and is raced against a random member of the list for
the next query or after a period of time--in this case, I'd suggest basing
that time period on the HTTPS set up time (e.g. 5x the set-up time).  Once
you have raced the entire list, you have a resolver choice that has the
lowest latency for that particular client.  You then re-race after a longer
elapsed period of time; if you get the same choice, you lengthen the time
between races.  Every time the race returns the same choice, the signal
that this is a stable choice increases and the time lengthens.  If there is
a change, you drop back to a shorter race time.

What this should do is associate the clients with the lowest latency
resolver.  If a resolver gets busy, its latency will increase and it will
go down in the races and shed clients, so this is a blended signal of
network distance and resolver load.  It will vary over time, but there are
lots of clients for whom that variation won't result in a change in
assigned server.

In this case, you also don't need all the servers to speak the same
protocol; you could blend DoT and DoH servers into the same list.  That
might actually reward the use of DoT where it is not blocked, because the
response time for a cache fill is likely to be a bit better (as there is
less overhead without the mime-type processing in DoH).

Mechanisms like ladder race and its variations basically provide you some
way gathering data to make the choice in a way that optimize what you want;
the key is doing it in a way that is friendly enough to the resolvers and
the network. But I don't think this is a new problem, even if this code is
new to Firefox.

regards,

Ted

v2.23.0 | Report a Bug | By Email