Re: [dns-dir] Fwd: Re: Review request
Martin Stiemerling <martin.stiemerling@neclab.eu> Mon, 03 June 2013 09:09 UTC
Return-Path: <Martin.Stiemerling@neclab.eu>
X-Original-To: dns-dir@ietfa.amsl.com
Delivered-To: dns-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 56AC521F94BA for <dns-dir@ietfa.amsl.com>;
Mon, 3 Jun 2013 02:09:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.399
X-Spam-Level:
X-Spam-Status: No, score=-102.399 tagged_above=-999 required=5
tests=[BAYES_00=-2.599, J_CHICKENPOX_35=0.6, J_CHICKENPOX_54=0.6,
RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ht84FAlf+HEM for
<dns-dir@ietfa.amsl.com>; Mon, 3 Jun 2013 02:09:47 -0700 (PDT)
Received: from mailer1.neclab.eu (mailer1.neclab.eu [195.37.70.40]) by
ietfa.amsl.com (Postfix) with ESMTP id 37F7521F86E9 for <dns-dir@ietf.org>;
Mon, 3 Jun 2013 02:09:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailer1.neclab.eu
(Postfix) with ESMTP id 21BB11042DE; Mon, 3 Jun 2013 11:08:29 +0200 (CEST)
X-Virus-Scanned: Amavisd on Debian GNU/Linux (netlab.nec.de)
Received: from mailer1.neclab.eu ([127.0.0.1]) by localhost (atlas-a.office.hd
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YosJBxnHKKIq;
Mon, 3 Jun 2013 11:08:29 +0200 (CEST)
Received: from ENCELADUS.office.hd (enceladus.office.hd [192.168.24.52]) by
mailer1.neclab.eu (Postfix) with ESMTP id 052F01041E1;
Mon, 3 Jun 2013 11:08:04 +0200 (CEST)
Received: from [10.1.1.190] (10.1.1.190) by skoll.office.hd (192.168.125.11)
with Microsoft SMTP Server (TLS) id 14.1.323.3; Mon, 3 Jun 2013 11:07:14 +0200
Message-ID: <51AC590E.4060303@neclab.eu>
Date: Mon, 3 Jun 2013 10:51:26 +0200
From: Martin Stiemerling <martin.stiemerling@neclab.eu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Olafur Gudmundsson <ogud@ogud.com>
References: <171C1602-F6CC-4A29-B5CA-EDB44B247995@ogud.com>
<515AA78F.7000202@neclab.eu> <20130521205348.GA14960@gw01.ehlo.wurstkaes.de>
In-Reply-To: <20130521205348.GA14960@gw01.ehlo.wurstkaes.de>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.1.1.190]
Cc: Sebastian Kiesel <ietf-alto@skiesel.de>,
IETF DNS Directorate <dns-dir@ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>
Subject: Re: [dns-dir] Fwd: Re: Review request
X-BeenThere: dns-dir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNS directorate discussion list <dns-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-dir>,
<mailto:dns-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-dir>
List-Post: <mailto:dns-dir@ietf.org>
List-Help: <mailto:dns-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-dir>,
<mailto:dns-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2013 09:09:52 -0000
Hi Olafur, all, It would be good to get further feedback about Sebastian's email. The draft is intended to become a WG draft but this depends on the outcome of the DNS directorate review, i.e., if this is something that breaks or not. It is also good to get early expert feedback and not just at the end when we go for IETF last call and IESG revoew. Thanks, Martin On 05/21/2013 10:53 PM, Sebastian Kiesel wrote: > Dear Olafur, > > first of all, thanks for the extensive review of the Third-Party ALTO Server > Discovery draft. Martin Stiemerling, who is very busy these days, has > forwarded your comments to me as I am the main author. > > Let's start with your question #6 because it may have an impact > on the other questions: > >> This boat has probably sailed but I will ask it anyway: >> Question #6 Why not place the NAPTR records in the reverse tree? > > There were two reasons why we chose a two-step lookup > IP address --(PTR lookup)--> host name(s) --(U-NAPTR lookup(s))--> ALTO URI(s) > > > First, this draft is a spin-off from draft-ietf-alto-server-discovery. > Because of different deployment scenarios with different requirements, > the original plan was to specify a two-stage discovery procedure with > three options for the first stage: > > 1) Get a domain name by means of > 1a) manual configuration > 1b) DHCP option > 1c) PTR or SOA-mname lookup in in-addr.arpa. / ip6.arpa. > 2) Do a U-NAPTR lookup for the name yielded by step 1 > > Some WG members raised doubts whether 1c) would be feasible at all. > Therefore, it was decided to move 1c) into a seperate draft in order to > allow working on and finalizing the documents at different paces. > > > > Second, we (the draft authors) had some hallway discussions with DNS > operators at IETF meetings about two years ago, and we were told that > putting non-PTR records in the reverse tree has deployment issues, e.g., > with management software that creates the reverse tree automatically > from the forward tree. On the other hand, RFCs 4025, 4255, and 4322 > already do specify non-PTR records in the reverse trees. > > > > Now that the first argument does not apply anymore we don't feel strong > about the second one. We have running proof-of-concept client-side code > and BIND 9 based server-side configuration files for both variants (see > flow charts at the end of this email), but what is the DNS experts' > advise regarding deployment issues? Should we stick with the PTR+NAPTR > variant, or switch to searching the NAPTR in the reverse tree? > > > > For more answers and counter questions, please see inline: > > > On Tue, Apr 02, 2013 at 11:40:31AM +0200, Martin Stiemerling wrote: >> >> >> >> -------- Original Message -------- >> Subject: Re: [dns-dir] Review request >> Date: Fri, 29 Mar 2013 10:13:37 -0400 >> From: Olafur Gudmundsson <ogud@ogud.com> >> To: Brian Haberman <brian@innovationslab.net> >> CC: IETF DNS Directorate <dns-dir@ietf.org>rg>, Ted Lemon >> <Ted.Lemon@nominum.com>om>, Martin Stiemerling >> <martin.stiemerling@neclab.eu> >> >> I reviewed the document and this is a well written clear document >> with some deficiencies. >> >> The introduction is real good at explaining what the document is attempting. > > thanks. > >> The procedure(s) proposed are based of the implicit assumption that >> provisioning of reverse DNS is >> somehow related to service provision for another protocol, which may >> or may not be the case. > > Our point of view is that for the ALTO application we need a delegation > hierarchy for ALTO servers, which corresponds to the delegation of > IP address ranges to ISPs or other organisations. > > As the DNS reverse tree delegation already follows the address space > delegation (more or less), we think it is natural to use it as a basis > for our discovery problem. We sequentially try two different discovery > approaches: first PTR/NAPTR to allow fine-grained discovery, then > SOA/NAPTR to allow function without having to add many resource records > to the DNS. > >> Question #1: How is dual stack handled in queries? >> in sequence or in parallel ? >> if sequence which one first ? >> >> Question #2 What about hosts with multiple links? > > The short answer is: > > Dual stack and multihoming basically is the same situation: > The third party usually will use 3pdisc only after receiving an > inbound connection from the actual client. It uses the connection's > source address as parameter for 3pdisc and it will not be aware > of the fact that the client has other addresses as well. > > > For a longer discussion, please see Section 3.1.2. of > draft-kist-alto-3pdisc-03, which we have published recently > (you have reviewed the -02 version; the -03 version has several > clarifications and deployment considerations but the algorithm > didn't change). > > >> The procedures expect hope to get back PTR records and the name in >> the PTR record >> is used for further lookups. (good) >> The fundamental question is are all attempts to find PTR exhausted >> before going to next step? >> >> Question #3: what about the case when there are multiple PTR records >> in the answer? > > The algorithm is called with one IP address as parameter, even in the > case of multihoming/dual stack (see above). Finding the PTRs associated > with said IP address is one lookup. Then, we do a NAPTR lookup on every > yielded host name. This is the only loop in the algorithm. If all of > that fails, we do at most two more lookups for the SOA/NAPTR-based > "Plan B". So, if there are N PTR records associated with an IP address, > the procedure causes at most N+3 DNS lookups. > >> If the lookup fails the procedure hopes to find SOA record in the >> negative answer, >> extracts from the SOA record the name of the "Master DNS server" MNAME, >> and uses that name to do further lookups. >> >> Comment #1: Master DNS servers are not always reachable, as they are >> hidden masters or >> traffic protected. > > We are fully aware of that. Indeed, we never try to contact the master > server. We just use its name for further lookups. We decided to use > the SOA-MNAME instead of the NS records for the respective > in-addr.arpa/ip6.arpa. zone, because there is only one SOA but there > could be several NS, which would cause even more iterating over lists. > >> Frequently there is no correlation between the >> zone name and the Mname >> I did a randomly selected reverse lookup on 185.55.55.55 >> 185.in-addr.arpa. 3600 IN SOA pri.authdns.ripe.net. dns.ripe.net. ??. >> >> In this case it is obvious (to a human) the SOA is useless and the >> algorithm should terminate, > > Why do you think this name is obviously useless? According to whois, > 185/8 is managed by RIPE. Maybe they will provide an ALTO server in the > future. Anyway, it is a single NAPTR lookup to find out. > >> what the procedure as specified will do is to cause many queries to >> the RIR name servers for lots of names that have >> no PTR records and no delegations. > > We have no data on the percentage of IP addresses that have PTRs in the > reverse tree. The first optimization target for ALTO is P2P > applications, with the peers mostly in DSL/cable access networks. At > least in the U.S. and Europe most of these IP addresses seem to have PTRs. > > In the worst case the algorithm causes 3+N DNS lookups, with N being the > number of PTR records assigned to an IP address (usually 0 or 1). > > Do you think this procedure will cause a significant burden for the DNS > as a whole? > > >> Question #4: Why MNAME but not the owner name of the SOA ? (explain >> or point to explanation) > > What is "the owner name of the SOA"? > > Do you mean the RNAME field defined in RFC 1035, Sec 3.3.13? If so, > that would be an option as well but we think the MNAME is the more > natural choice as this is a real host name. > >> Question #5: What is the point of the explicit SOA query for reverse >> name and why do editors expect to get a different answer than in the >> PTR question ? > > The explicit SOA query is used only if the answer to the PTR query did > not contain an authority section (and there were no PTRs or they did > not produce ALTO-specific U-NAPTR lookup results). > >> Section #4: >> there is no mention about the expected extra traffic to RIR (and or >> ISP) DNS server when the PTR lookup fails, >> I would like to see some text on how to abort the algorithms early I.e. >> SOA present --- useful SOA ---> do lookup >> +-------- useless SOA ---> algorithm failed >> > > If we are in the "second half" of the algorithm, i.e., the PTR stuff > has failed, we do at most two further lookups: one to get the SOA if > we don't already have it, the second to check whether there are NAPTR > records associated with the SOA's MNAME. There are no loops around it! > >> This boat has probably sailed but I will ask it anyway: >> Question #6 Why not place the NAPTR records in the reverse tree? > > see above. > >> Editing comment: It would be helpful if the text from section 3 >> bullet 1 about what address to look up was included in section 2 >> before the >> diagrams of the algorithms (or at least pointer to address selection). >> >> Olafur >> >> On Mar 28, 2013, at 6:01 PM, Brian Haberman >> <brian@innovationslab.net> wrote: >> >>> Hi all, >>> The ALTO WG is considering the adoption of a draft focused on the discovery of an ALTO server using DNS (but not SRV records). Martin (TSV AD) has requested an early DNS Directorate review. Could I get a volunteer (or two) to review the draft for DNS sanity? >>> >>> https://datatracker.ietf.org/doc/draft-kist-alto-3pdisc/ >>> >>> Regards, >>> Brian >>> _______________________________________________ >>> dns-dir mailing list >>> dns-dir@ietf.org >>> https://www.ietf.org/mailman/listinfo/dns-dir > > ------------------------------------------------------------------------ > Flow chart taken from draft-kist-alto-3pdisc-03 > (equivalent to variant 1 in -02, but more detailed): > > (-------------------------------------) > ( START 3pdisc with parameters ) > ( IP address IP, Service Parameter SP ) > (------------------+------------------) > V > +- T1 -------------+------------------+ > | R:=<IP>.in-addr.arpa./<IP>.ip6.arpa.| > | X:=lookup(PTR,R) | > +------------------+------------------+ > V > / B1 --------+------------\ > /----< One or more PTR(s) in X >----\ > | yes \-------------------------/ no | > | V > +- T2 --------|-------------+ /----------------->+ > | V | | V > | /-> FOREACH Y:=PTR in X | | /- B3 -------+------------\ > | | +--------+-----------+ | | < AuthSect with SOA RR in X > > | | |lookup(U-NAPTR,Y,SP)| | | \--+---------+------------/ > | | |add results to Z | | | yes | V no > | | +--------+-----------+ | | | +- T3 -+-------------+ > | \-----------+ | | | | X:=lookup(SOA,R) | > +-------------|-------------+ | | +------+-------------+ > V | | V > /- B2 -------+------------\ | | /- B4 +------------\ no > < One or more results in Z >----/ | <Lookup OK, SOA in X >-\ > \------------+------------/ no | \-----+------------/ | > | \-------->V yes | > | yes +- T4 --------+-------------+ | > | | Y:=extract MNAME from X | | > V | Z:=lookup(U-NAPTR,Y,SP) | | > +<-----------------\ +-------------+-------------+ | > V | V | > +- T5 --------+-------------+ | /- B5 -------+------------\ | > | sort Z acc. to order,pref | \----< One or more results in Z > | > +-------------+-------------+ yes \------------+------------/ | > V no V<--------------/ > (-------------+-------------) (-------------+-------------) > ( END 3pdisc with result Z ) ( 3pdisc FAILED, no result ) > (---------------------------) (---------------------------) > > > > > ------------------------------------------------------------------------ > Alternative solution with NAPTR records in the reverse tree > (see discussion above): > > (---------------------------------------) > ( START 3pdisc with parameters ) > ( IP_address IP, Service_Parameter SP ) > (-------------------+-------------------) > V > +- T1 --------------+-------------------+ > | R:=<IP>.in-addr.arpa. / <IP>.ip6.arpa.| > +-------------------+-------------------+ > V > +- T2 --------------+-------------------+ > | X:=DNSlookup(R,U-NAPTR,SP) | > +-------------------+-------------------+ > V > / B1 --------------+------------------\ > /---------< One or more U-NAPTR results in X > > | yes \------------------+------------------/ > | V no > | /- B2 -------------+------------------\ > | /----< Authority sect. with SOA record in X > > | | yes \------------------+------------------/ > | | V no > | | +- T3 --------------+-------------------+ > | | | X:=DNSlookup(R,SOA) | > | | +-------------------+-------------------+ > | | V > | | /- B3 -------------+------------------\ > | | < Lookup OK, SOA record present in X >----\ > | | \------------------+------------------/ no | > | | V yes | > | \----------------------->+ | > | V | > | +- T4 --------------+-------------------+ | > | | M:=extract MNAME from SOA record in X | | > | | X:=DNSlookup(M,U-NAPTR,SP) | | > | +-------------------+-------------------+ | > | V | > | /- B4 -------------+------------------\ V > \--->+<---< One or more U-NAPTR results in X >--->+ > | yes \-------------------------------------/ no | > V V > (-------+-------) (-------+-------) > ( END, result X ) ( END, failure ) > (---------------) (---------------) > > ------------------------------------------------------------------------ > > > Thanks again > Sebastian > -- martin.stiemerling@neclab.eu NEC Laboratories Europe NEC Europe Limited Registered Office: Athene, Odyssey Business Park, West End Road, London, HA4 6QE, GB Registered in England 2832014
- [dns-dir] Review request Brian Haberman
- Re: [dns-dir] Review request Olafur Gudmundsson
- Re: [dns-dir] Review request Martin Stiemerling
- Re: [dns-dir] Fwd: Re: Review request Sebastian Kiesel
- Re: [dns-dir] Fwd: Re: Review request Martin Stiemerling
- Re: [dns-dir] Review request Olafur Gudmundsson