IETF Logo Mail Archive

Re: [DNSOP] SVCB chain lengths

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 27 December 2019 20:06 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FECA1200E5 for <dnsop@ietfa.amsl.com>; Fri, 27 Dec 2019 12:06:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eucedyNjkc1x for <dnsop@ietfa.amsl.com>; Fri, 27 Dec 2019 12:06:07 -0800 (PST)
Received: from mail-vk1-xa36.google.com (mail-vk1-xa36.google.com [IPv6:2607:f8b0:4864:20::a36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEB4612006F for <dnsop@ietf.org>; Fri, 27 Dec 2019 12:06:07 -0800 (PST)
Received: by mail-vk1-xa36.google.com with SMTP id u6so7013840vkn.13 for <dnsop@ietf.org>; Fri, 27 Dec 2019 12:06:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oOZOHkk4ev/LNDDovRMZv5GqcAD1zgx+4CL28bXSEiU=; b=XIngOgq6vz345bWPBJuVe/EaQme1z4CBWj6VDkm5MZx+SVLVDpIxVk+xXjpv4bNvUu HFdM2tZIx+w/8+oR8M/+wVqsjV8dG+o8+cAPwhEenNPa1YJ3GA6plo6QBnfL0GIqTavb jgToNkFyEZ9EKP+6WVXxA9pLJPwznavwsVlvjmTOl/3mKa/B5zprhyw1fzFwD+GgWudU Vw66zfbVgi34EaawLsr8SNk8kjhWJJROTQZeC60JzO+xEXYNG8x3jVQCxuIiJx4QEYjn Y6g5kdGrZ5sLCfWLK3xgZ/K9Wt6eNGkKoZSAR3uznrBO+b+3JPXfW0SNsIpKIAF1X2SE R62Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oOZOHkk4ev/LNDDovRMZv5GqcAD1zgx+4CL28bXSEiU=; b=eqtePvzm/6SD336tnwKvqotWRVGP7mf+izrN92yJXwlajrN34veIzqBqJjQmHdLDNP WLRZ7o7/f2E/PuwVigQwdkZDKW9+Vbk2GBr38nTJDfVspchcRXE+e2XgkgoOHJ6DeEtM UI4QcBcl6KBdSs9u6xbaQboy6ZlyKe5c/x75rA9pLsBn8e2KARgpRii/sV+ndk1RcKcZ prCzZ6hD/Liyak+HiRcoaJdqOqQJt9WGYHCer7mzB2MXEoRyYeThZNefwS0nDsEBPJ72 +YOjpGQWjbOYS+OVIGEXJTOBUAxnCPbZ5vdI9BLOHVXIhSkmUDkXw/+mPwN6HhY99Ffe NGMw==
X-Gm-Message-State: APjAAAUYxTrZk7tc+/DPMl9Jj9fgJw4ggdunz/Me1Qxid/VaE8Mk26lo Epym7UnRgItaR6xtFSfgjru6Xu6FfEBo/i5B4V8=
X-Google-Smtp-Source: APXvYqxqHzZc8iOzfOtR2YEmLOTJ08lFzS4fBv4dwtm3NOeXImI1eq6CRiVsvxeAkqiX/2B6RAvDVaYT0QL09/DrVcA=
X-Received: by 2002:a1f:8d57:: with SMTP id p84mr26497633vkd.65.1577477166733; Fri, 27 Dec 2019 12:06:06 -0800 (PST)
MIME-Version: 1.0
References: <CAMOjQcGP3=+_fb9pt3dvF27kR1ENH+=2L28EDNPQU6JF8zkrzQ@mail.gmail.com> <CAH1iCirdFrT_v-FBqaC=WUfaY52DyeYLh5VWbeVsw2YwscDCpA@mail.gmail.com> <CAHbrMsBAmQU-xduT3E4_sHaqrpsdZ_YfdEtgoNB4kti4jDCvdQ@mail.gmail.com> <CAH1iCip0iY8Mt8=HC0-V8jF=D=BGcs54xUMu4Rkbe47FFxGyuA@mail.gmail.com> <CAMOjQcG2YOBa1X7ZqAUpDG0Cwr+nOzmy-bKJmbqaQEqrcTOCAQ@mail.gmail.com> <CAH1iCip6CdLSNAmBB-j=Qya26j=OoLoBGyMtXEWQ0sQz9Z2HYw@mail.gmail.com> <CAMOjQcGLhu-27932_FoyNmV=7RGG074zzkaGNxHMs0qrfAO+4A@mail.gmail.com>
In-Reply-To: <CAMOjQcGLhu-27932_FoyNmV=7RGG074zzkaGNxHMs0qrfAO+4A@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 27 Dec 2019 12:05:55 -0800
Message-ID: <CAH1iCiq3ebNRa=SBs8rb-R3tp2iWsxsmq2RAqntp0PzocGwgbg@mail.gmail.com>
To: Eric Orth <ericorth@google.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002a1eb5059ab50619"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-FrTvI_-k2cDbX73tDuStNOyrrU>
Subject: Re: [DNSOP] SVCB chain lengths
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 20:06:10 -0000

On Fri, Dec 27, 2019 at 9:55 AM Eric Orth <ericorth@google.com> wrote:

>
>
> On Mon, Dec 23, 2019 at 3:57 PM Brian Dickson <
> brian.peter.dickson@gmail.com> wrote:
>
>>
>>
>>> Being typically further away from results and with less caching,
>>> unlimited chain following just does not seem reasonable for a stub like
>>> Chrome, and it seems to us to have a big potential to be detrimental to our
>>> users' experiences compared to the status quo of not following any chains.
>>>
>>
>> This puts the necessary and appropriate pressure on stub clients to their
>> resolver operators, to deploy Alias-form aware resolvers.
>>
>> Putting in place (IMHO) hacks, to reduce or eliminate that "pain",
>> removes ANY incentive for resolver operators to actually deploy this stuff.
>>
>> If resolver operators NEVER deploy this stuff, we may as well chuck it
>> before we adopt this, since there will be literally zero benefit, while
>> creating non-trivial amounts of cost (in terms of stub client
>> implementations, authority-server implementations, zone owner deployments,
>> etc.)
>>
>> BTW, I'm strongly in favor of this getting adopted, and getting deployed
>> in recursive resolvers.
>>
>> Thus, I'm in favor of NOT having alias-form limits, even on the stubs.
>> This will lead to much faster adoption, compared to "Real Soon Now", "Some
>> Day", "Eventually", and "We Never Promised To Do That".
>> (The latter set of responses paraphrased from an un-named registrar who
>> eventually reneged on "promises" to deploy DNSSEC support.)
>>
>
> Chrome is not willing to subject its users to such an easily avoidable
> "pain" simply as an incentive to other operators to help fix the badness.
>

I'm a bit confused by the usage of "other" here. Chrome is not an operator,
unless I am mistaken?

You may be overstating or overestimating the amount of (perceived) "pain",
and the reason I put "pain" in quotes in the first place, it it mostly
boils down to the number of queries to the recursive.

If the recursive is comparatively close to the client, the extra iterations
should add a negligible amount of latency, well below the threshold of
impact to user experience. E.g. a 5ms RTT would add an extra 5ms for a
chain of 2, etc., once the resolver has obtained and cached the additional
elements of the chain.

The worst-case latency is only seen the first time every element of a chain
is resolved. Even though the client (browser) does need to chase the SVCB
component(s), it still does so through its resolver, not directly, and all
the benefits of caching are still reaped.


> As much as users taking a latency hit of following long chains would
> incentivize recursives to follow the chains on their side, requiring long
> chain following would be an even stronger incentive to browsers and other
> stub clients to not support any HTTPSSVC alias following or maybe not
> support standardized HTTPSSVC at all.
>

As was discussed (mostly by me) up-thread, the real-world expectation on
chains should be 2, not 1, as a median value.

The main motivations for ANAME (within DNSOP) which were (gladly) subsumed
by SVCB, were interoperation between different classes of providers, and
multi-vendor operation (for reliability, availability, etc.). Those use
cases typically REQUIRE a minimum of 2 levels of SVCB chaining: 1 for the
internal use within a particular class of provider, plus 1 for the
inter-operator dereference operation.

Limiting this to a chain length of 1 (i.e. requiring SVCB to not point to
another SVCB or CNAME) then turns into a requirement to dynamically update
the target fields of the SVCB or CNAME, a requirement that was the death
knell of the original ANAME spec. ANAME went through a large number of
iterations trying to solve this issue or to limit its impact, and was
determined to be insolvable.

Having the client side do the chain following is the only viable
alternative, which REQUIRES a non-trivial chain length (i.e. > 1) to
preserve this benefit (i.e. requirement).


>
> But I also disagree that all incentive for recursives to follow chains is
> removed if stubs only follow one alias link.  Even following that single
> alias in the stub is going to almost always be a bit slower than if the
> recursive does it.
>

The main issue that you seem to be missing here, is that it isn't about
recursives, it is about the authoritatives who are serving the various
records (CNAME, alias-form SVCB, DNAME, and non-alias-form SVCB). For the
most part, they are not doing so out of laziness or as a design choice; it
is a requirement from the domain owners who are customers of the various
entities.

Placing restrictions on chain length, places restrictions on those entities
in terms of how they can select providers, and even whether multi-provider
options are feasible.

This is harmful to consumers, harmful to competition, and harmful to the
larger Internet's availability and performance.

So, please, let's look at this from the holistic and systemic level, rather
than the myopic perspective of "just the browser".

I'm in favor of encouraging sensible choices and best practices. However,
IMNSHO, those belong in things like BCPs and operator guidance docs, not
hard limits in core standards documents.

Brian

v2.23.0 | Report a Bug | By Email