IETF Logo Mail Archive

Re: [Add] What to do in this potential working group

Ray Bellis <ray@bellis.me.uk> Thu, 22 August 2019 09:37 UTC

Return-Path: <ray@bellis.me.uk>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56228120813 for <add@ietfa.amsl.com>; Thu, 22 Aug 2019 02:37:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=portfast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SgCs-UjN5ryq for <add@ietfa.amsl.com>; Thu, 22 Aug 2019 02:37:19 -0700 (PDT)
Received: from mail.portfast.net (mail.portfast.net [IPv6:2a03:9800:20:1::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28B6E1200B2 for <add@ietf.org>; Thu, 22 Aug 2019 02:37:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=portfast.net; s=dkim; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:From:References:To:Subject:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=i7jeyvyf7qUt0MNl4Kgsatx3Qd4kUw75Skru3l3TyAM=; b=VMei4+48K8fMsT3bu8Vh5CFazb upgP3XlCgUd1OhS4iLgSE81uMQr1pvJ3FkuTn/JA/+tIzHtVy6ObIgCTi8VEDkZ8SnH+tTVBUm2/E 16JMo7HIODHfvsQpQb/cM73bPGLbiRPJPuPHfLlHbT3UPhtNEgqYvqsz3neQOXUs+Sgk=;
Received: from [88.212.170.135] (port=63547 helo=Rays-MacBook-Pro.local) by mail.portfast.net ([188.246.200.9]:465) with esmtpsa (fixed_plain:ray@bellis.me.uk) (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) id 1i0jWt-0005VG-TO (Exim 4.89) for add@ietf.org (return-path <ray@bellis.me.uk>); Thu, 22 Aug 2019 09:37:15 +0000
To: add@ietf.org
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <8f856492-f5da-9a02-f76d-67c2795b2ecc@cs.tcd.ie> <CA+9kkMD2h94zU9i-Gx5bkqc7np29A=zUnZKq3HkG0zVMzLFkxQ@mail.gmail.com> <4505d6b8-0521-dd2f-245d-8fa73e2313c3@cs.tcd.ie>
From: Ray Bellis <ray@bellis.me.uk>
Message-ID: <52f571ea-9884-ba23-76c5-246fa668ef68@bellis.me.uk>
Date: Thu, 22 Aug 2019 10:37:15 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <4505d6b8-0521-dd2f-245d-8fa73e2313c3@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/snpJCfKgr38v0-wD3bPpEbhaHXs>
Subject: Re: [Add] What to do in this potential working group
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2019 09:37:21 -0000


On 21/08/2019 21:41, Stephen Farrell wrote:

> But that wasn't quite what I intended. ISTM clear that having O(1)
> TRRs in the world would be over-concentrated. I think it's maybe
> equally clear that with a different per-LAN recursive (which is
> kinda like today) it'd be extremely hard to authenticate those
> as TRR-like entities - so perhaps O(10^7) is too many TRRs. I do
> think considering "how many TRR-like things would be good" is a
> relevant (research?) question that could affect protocol design
> and implementations and deployments.
> 
> For example, if there's an answer at all and O(100) were that
> answer, that might change how a DoT/DoH client might usefully
> spread it's queries over those vs. if the answer were O(10^4).

There's a possible scaling issue here.

To allow efficient use of CDNs it is necessary for some form of client 
geo-location to occur.   It's already been observed in the Samknows 
report[1] that Cloudflare's lack of support for EDNS-Client-Subnet [2] 
(RFC 7871) leads to suboptimal performance when accessing non-CF hosted 
content.

If every network has a "nearby" recursor (whether that be using normal 
DNS, or DoH) then ECS is not required becase the IP address of the 
recursor serves as a good proxy for that of the client.  In that sense, 
O(10^7) is a good thing.

However, RFC 7871 envisaged that the ECS option would only be exchanged 
between consenting servers.   It also says "it is expected that only a 
few Recursive Resolvers will need to use ECS" and alludes to ECS only be 
exchanged on specific agreement between recursive operators and 
authoritative operators.  At the moment we're about O(5) global DNS 
operators, and O(30) major CDNs.

But, if you're talking about getting to the O(100) scale of TRR 
operators all of whom are receiving queries from clients all over the 
world then that's a lot of bilateral agreements and configurations that 
would need to be set up, and a lot of ECS meta-information buzzing 
around the network.

Ray

[1] https://samknows.com/blog/dns-over-https-performance

[2] Cloudflare use Anycast for their CDN instead of "stupid DNS
     tricks", so they don't need ECS.

v2.23.0 | Report a Bug | By Email