Re: [Add] [EXTERNAL] Re: TTL of resolver.arpa

Tommy Jensen <Jensen.Thomas@microsoft.com> Mon, 03 January 2022 18:07 UTC

From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Paul Wouters <paul@nohats.ca>, Eric Orth <ericorth=40google.com@dmarc.ietf.org>
CC: ADD Mailing list <add@ietf.org>, Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 03 Jan 2022 18:07:29 +0000
Message-ID: <SJ0PR00MB1318A7693D1BCE72AB05D4EAFA499@SJ0PR00MB1318.namprd00.prod.outlook.com>
References: <CADZyTkmMKJ=shoWZxEUeyt8vNAs6SWHOr9BGkr-+63=Gcv934w@mail.gmail.com> <CAMOjQcG7uHxzMFyGuH8RLY1i6aJ2gjWZWv3L7VQms_gDFJ6BqQ@mail.gmail.com> <dd7bd95-759a-29b5-d387-cc6b296bec2c@nohats.ca>
In-Reply-To: <dd7bd95-759a-29b5-d387-cc6b296bec2c@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ndRNg98-SRUW8-RyrhTy0me4yeE>
List-Id: Applications Doing DNS <add.ietf.org>

I agree with Eric that recommending a TTL of zero seems awfully heavy and likely to lead to flooding resolvers with unnecessary traffic (or worse, hard coded TTLs in effect on clients which means sticky settings which the resolver has no visibility into).

> I don't think the TTL means the resolver information is valid for
> that TTL time. TTLs refer to cachability of DNS records,

I fail to see how these two statements agree. What does it mean for a record to be cacheable for a length of time, but not valid for the same length of time?

I think adding more explicit text to require clients to discard cached values for resolver.arpa on network change makes perfect sense. I think the existing text for the use of the SVCB record's TTL is sufficient to prevent DoS by DDR, but suggestions are welcome.

Thanks,
Tommy

> -----Original Message-----
> From: Add <add-bounces@ietf.org> On Behalf Of Paul Wouters
> Sent: Wednesday, December 22, 2021 9:06 AM
> To: Eric Orth <ericorth=40google.com@dmarc.ietf.org>
> Cc: ADD Mailing list <add@ietf.org>; Daniel Migault <mglt.ietf@gmail.com>
> Subject: [EXTERNAL] Re: [Add] TTL of resolver.arpa
> 
> On Wed, 22 Dec 2021, Eric Orth wrote:
> 
> > Many clients already do stuff like clear the cache on network change
> 
> which is wrong of course, because a roaming phone or laptop would leave a
> very distinct dns lookup trail based on joining a network with an empty cache
> and many browser tabs open.
> 
> > or DNS config change, so such a policy is unnecessary for them.
> 
> but for them, harmless.
> 
> > And when the network and resolver haven't changed, it is still
> > undesirable for the client to poll that resolver more frequently than
> > the TTL, so using their cache implementations is the obvious way for clients to
> > implement this desired behavior.
> 
> I agree that "network change" could be used to trigger the cache removal of
> resolver.arpa specifically. Although, I don't really see why using TTL
> 0 is a problem. I don't think the TTL means the resolver information is valid for
> that TTL time. TTLs refer to cachability of DNS records, and must not be used as
> time validity tool for third party information or services, such as an encrypted
> DNS resolver service. Or rephrased, if you would use it like that, and your DHCP
> server hands out resolver.arpa with TTL 7200, the DHCP server would be
> committing the DNS resolver to be operational on the IP for 2 hours and it may
> not be shut down. That seems wrong to me as the DNS resolver and DHCP
> server have no direct communication link (or protocol) to exchange that
> information.
> 
> Paul
> 
> > On Wed, Dec 22, 2021 at 9:45 AM Daniel Migault <mglt.ietf@gmail.com> wrote:
> > Hi,
> >
> > I am wondering if some additional text is not needed regarding the TTL
> > of the _dns.resolver.arpa RRset. As resolver.arpa is not owned by
> > anyone, this information should not be cached. If one device is
> > changing network for example, we should make sure the mobile will not
> > consider the resolver.arpa response performed on a previous network.
> > Similarly, when a dns client performs simultaneous discovery on different
> > resolvers. Should we recommend/mandate the DNS client to set this TTL to 0
> > and not cache the response ?
> >
> > _dns.resolver.arpa  7200  IN SVCB 1 doh.example.net (
> >         alpn=h2 dohpath=/dns-query{?dns} )
> >
> > Yours,
> > Daniel
> > --
> > Daniel Migault
> > Ericsson
> > --
> > Add mailing list
> > Add@ietf.org
> > https://www.ietf.org/mailman/listinfo/add
> >
> 
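The client-side behaviour the thread argues over, written out as an added example (this is not code from the thread, from any DDR draft, or from any vendor implementation): a cache for the _dns.resolver.arpa SVCB answer that is keyed by network identity plus the unencrypted resolver's address, honours the record's TTL so the resolver is not re-polled before expiry, refuses to store a TTL-0 answer (so every lookup becomes a fresh discovery, which is the flooding concern), and is flushed on network change so an answer obtained on a previous network is never reused. The parser accepts the presentation-format record quoted in Daniel's message. The class and function names, the fake clock, the resolver address 192.0.2.1 and the network labels are assumptions made for illustration.

```python
"""DDR client cache for _dns.resolver.arpa SVCB answers (added example).

Not code from the ADD thread or any DDR implementation. Hypothetical names:
DesignatedResolverCache, parse_svcb, simulate, FakeClock; the resolver
address and network labels below are constructed for the demonstration.
"""
import time
from dataclasses import dataclass

# Constructed sample answer, in the presentation format quoted in the thread.
SAMPLE_ANSWER = (
    "_dns.resolver.arpa  7200  IN SVCB 1 doh.example.net ( "
    "alpn=h2 dohpath=/dns-query{?dns} )"
)


@dataclass
class SvcbRecord:
    ttl: int
    priority: int
    target: str
    params: dict


def parse_svcb(line: str) -> SvcbRecord:
    """Parse one SVCB record in presentation format (parentheses allowed).

    Layout: owner ttl class type priority target [key=value ...]
    """
    tokens = line.replace("(", " ").replace(")", " ").split()
    if len(tokens) < 6 or tokens[2] != "IN" or tokens[3] != "SVCB":
        raise ValueError("not an SVCB record: %r" % line)
    params = {}
    for param in tokens[6:]:
        key, _, value = param.partition("=")
        params[key] = value
    return SvcbRecord(int(tokens[1]), int(tokens[4]), tokens[5], params)


@dataclass
class CacheEntry:
    record: SvcbRecord
    expires_at: float


class DesignatedResolverCache:
    """Caches DDR discovery results per (network identity, resolver IP).

    - Honours the SVCB TTL: no re-query before expiry (no resolver flooding).
    - TTL 0 is never stored, so every get() triggers rediscovery.
    - The key includes the network identity and on_network_change() drops
      all entries, so an answer from a previous network is never reused.
    """

    def __init__(self, lookup, clock=time.monotonic):
        self._lookup = lookup      # callable(resolver_ip) -> presentation text
        self._clock = clock
        self._entries = {}
        self.discovery_count = 0   # how many times the resolver was queried
        self.network_id = None

    def on_network_change(self, new_network_id):
        """Forget everything learned on the previous network."""
        self.network_id = new_network_id
        self._entries.clear()

    def get(self, resolver_ip: str) -> SvcbRecord:
        key = (self.network_id, resolver_ip)
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and now < entry.expires_at:
            return entry.record                      # cache hit, no query
        self.discovery_count += 1
        record = parse_svcb(self._lookup(resolver_ip))
        if record.ttl > 0:
            self._entries[key] = CacheEntry(record, now + record.ttl)
        else:
            self._entries.pop(key, None)             # TTL 0: do not cache
        return record


class FakeClock:
    """Deterministic monotonic clock so the simulation runs offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(ttl: int, lookups: int = 10, interval: int = 60) -> dict:
    """Do `lookups` lookups `interval` seconds apart, then change network.

    Returns how many actual discovery queries were sent in each phase.
    """
    answer = SAMPLE_ANSWER.replace("7200", str(ttl))   # same record, new TTL
    clock = FakeClock()
    cache = DesignatedResolverCache(lambda ip: answer, clock)
    cache.on_network_change("wifi-home")                # constructed label
    for _ in range(lookups):
        cache.get("192.0.2.1")                          # constructed address
        clock.advance(interval)
    before_change = cache.discovery_count
    cache.on_network_change("lte")                      # constructed label
    cache.get("192.0.2.1")
    return {
        "ttl": ttl,
        "discoveries": before_change,
        "after_network_change": cache.discovery_count - before_change,
    }


if __name__ == "__main__":
    for ttl in (7200, 120, 0):
        print(simulate(ttl))
```

With TTL 7200 the ten lookups over ten minutes cost one query; with TTL 0 they cost ten, which is the traffic Tommy and Eric object to; with TTL 120 the client re-queries exactly when the record expires. In every case the network change forces one fresh discovery regardless of remaining TTL, which is the explicit "discard on network change" rule Tommy proposes adding.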