Re: [DNSOP] a CDN perspective on ANAME challenges
Matthijs Mekking <matthijs@pletterpet.nl> Tue, 23 July 2019 08:39 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C331120142 for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 01:39:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9JDClQT2tTyw for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 01:39:11 -0700 (PDT)
Received: from lb2-smtp-cloud7.xs4all.net (lb2-smtp-cloud7.xs4all.net [194.109.24.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40E3812013C for <dnsop@ietf.org>; Tue, 23 Jul 2019 01:39:11 -0700 (PDT)
Received: from [IPv6:2001:980:4eb1:1:e91c:4f7a:eee9:9bac] ([IPv6:2001:980:4eb1:1:e91c:4f7a:eee9:9bac]) by smtp-cloud7.xs4all.net with ESMTPSA id pqKChu09WLqASpqKDhI6nE; Tue, 23 Jul 2019 10:39:09 +0200
To: Erik Nygren <erik+ietf@nygren.org>
Cc: dnsop WG <dnsop@ietf.org>
References: <CAKC-DJjiwEA977sLpriPg5yyfm--yCQ=xMUGk7VbXyYd8uPE6g@mail.gmail.com> <d84769fe-77b7-a983-94ae-60416b449b7d@pletterpet.nl> <CAKC-DJjsTNxnb3f2_yWZ_GAqe6MMkH2W2Z9n0XpwZ1sjDa_6aQ@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <dafd8eff-d255-bec5-e1dd-f2af91163394@pletterpet.nl>
Date: Tue, 23 Jul 2019 10:39:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <CAKC-DJjsTNxnb3f2_yWZ_GAqe6MMkH2W2Z9n0XpwZ1sjDa_6aQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfJQcyA+pJi5CXY31fHF9oHdYhQ2ExgYYjR9RPOf21shSlp9NvwGc+U7QemwXaRVkyzNlHWcHI5rxc2fW2jzLHqQr0Rh0lxArNiuL0TSEyKiHKl7DfH1x wmWZTzRjGVNb95dNTBF+efptK42ehwdXDGieWnSAfUkt2PynhQeg/bqPffOhzQElYzscD43WgX9wJHTYYiIofmxOoaXZSt9McuU1ZwegDAJlChfFg4tq1M1O t5fj+udWqGWRjfE0uCxoAYMGX4eE5gps+MuBvMte84Kl+nHBIbHfaAtB35NZkUrO
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-NYcKvE2IXvW1bweICdHJds0PLU>
Subject: Re: [DNSOP] a CDN perspective on ANAME challenges
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 08:39:14 -0000
Hi Erik, On 7/22/19 9:31 PM, Erik Nygren wrote: > Reading the draft again, I think a challenge with the structure relative > to the CDN > use-case is that requirements on how and where sibling record resolution > is done are derived from the target of the ANAME, not from the > authoritative nameserver. > > It may make sense to be much more clear on this, as what it means to > support ANAME > on an Authority in an interoperable fashion depends on the DNS > architecture > of the expected targets of ANAMEs. If the common use-case of ANAME is > to provide interoperability between authoritative DNS infrastructure for > zone apex ANAMEs that point to CDNs not operated by the DNS infrastructure, > then the common case for ANAME may need to be for authorities > to "recurse with ECS to get the A/AAAA sibling record". > > Otherwise the interoperability goal won't be achieved. > From the perspective I've seen from my $dayjob at Akamai > (a large provider of CDN services), I suspect that CDNs > may say "we only support being the target of an ANAME > for third-party authorities that do X, Y, and Z" then it may > be confusing to mutual customers if that set of things > is only listed as being an optional variation in an appendix. > This seems like it has lots of risk of confusion around interoperability > and what it means for an authoritative DNS provider to > have "implemented ANAME". It almost feels like this is a separate document: "Interoperable ANAME services for DNS providers". Describe how to implement ANAME for this specific (but large) use case. Also, how does HTTPSSRVC deal with this? Best regards, Matthijs >> > Authoritative resolvers do a mixture of the following, which is >> Do you mean authoritative name servers here? > > Yes, authoritative nameservers, but also ones that effectively have > to be resolvers in-order to do inline sibling record resolution (and > caching) > and sending ECS. > > Erik > > > > > On Mon, Jul 15, 2019 at 4:56 AM Matthijs Mekking <matthijs@pletterpet.nl > <mailto:matthijs@pletterpet.nl>> wrote: > > Hi Erik, > > Thanks for sharing this perspective. > > On 7/12/19 7:52 PM, Erik Nygren wrote: > > One of the intended goals of ANAME is to improve interoperability of > > onboarding onto CDNs for URLs at a zone apex, such as > > “http(s)://example.com <http://example.com> <http://example.com>”. > > > > > > The TL;DR is that ANAME is unlikely to allow interoperability here > > unless authorities are willing to effectively and scalablely do > > recursion-with-ECS for all requests (caching keyed by ECS prefix and > > obeying short, sub-minute TTLs). Simply resolving “sibling address > > records” on a zone master (per draft-ietf-dnsop-aname-04) is likely to > > be declared incompatible and unsupported (or at least severely > > restricted) by at least some (if not many) CDNs. > > The document is written in such a way that it is inter-operable, and can > work with offline DNSSEC signing, but authorities can still implement > their own "on-the-fly" ANAME processing that takes into account ECS and > perform online DNSSEC signing. I suspect that authoritities with CDN > customers will do so, similar how they provide CNAME-at-the-apex > functionality now. > > The benefit of ANAME over those vendor specific solutions is that > customers can have provider diversity and transfer their zone from one > to another. > > > (some more comments below) > > > For some background, Dan York highlights some sample use-cases here: > > > > > https://tools.ietf.org/html/draft-york-dnsop-cname-at-apex-publisher-view-01 > > > > For example, web publishers want to do the equivalent of: > > > > example.com <http://example.com> <http://example.com> 300 IN > CNAME > > a123qk.example-cdn.net <http://a123qk.example-cdn.net> > <http://a123qk.example-cdn.net>. > > > > > > Two use-cases (quoted from draft-york above): > > > > 1. users will be able to simply enter "example.com > <http://example.com> > > <http://example.com>" into their browser; and > > > > 2. users will only see "example.com <http://example.com> > <http://example.com>" in their > > address bar (if URLs are even displayed). > > > > > > Note that for some CDNs, the “*MailScanner heeft een e-mail met > mogelijk > > een poging tot fraude gevonden van "a123qk..example-cdn.net > <http://example-cdn.net>" * > > a123qk.example-cdn.net <http://a123qk.example-cdn.net> > <http://a123qk..example-cdn.net <http://example-cdn.net>>” target name > > dynamically selects which IP addresses to return based on a wide > variety > > of factors (recursive nameserver IP, end-user IP prefix passed via > ECS, > > dynamic load and liveness conditions, product, customer security > > requirements, TLS certificate needed for non-SNI-only configurations, > > etc) and often have short TTLs (often in the range of 20s to 60s, > > although sometimes up to 300s). > > > > > > Some CDNs have had vertically-integrated solutions for onboarding zone > > apex names for years, allowing example.com <http://example.com> > <http://example.com> to hand > > back CDN IPs as long as the zone is delegated to the CDN authorities. > > The need for these to be vertically integrated comes from the level of > > complexity involved in calculating these answers. > > > > > > Even these vertically integrated solutions may have limitations. For > > example, one early vertically-integrated solution had very similar > > functionality to some of the ANAME proposals. It only covered case #1 > > above, handing out a subset of CDN IPs (with limited performance). > Along > > with this was a correlated site HTTP configuration that would issue a > > 30[127] redirect to “*MailScanner heeft een e-mail met mogelijk een > > poging tot fraude gevonden van "www.example.com > <http://www.example.com>" * www..example.com <http://example.com> > > <http://www.example.com>” which would in-turn use a normal set of CDN > > IPs. This doesn’t help for the “users will only see ‘example.com > <http://example.com> > > <http://example.com>’ in their address bar” case due to the need to > > redirect to a hostname that can fully CNAME. > > > > > > More advanced vertically-integrated solutions that can also handle > case > > #2 may involve high-volume feeds of proprietary dynamic state and > > configuration being fed to the authoritative nameservers, allowing > them > > to construct answers on-the-fly. > > > > > > It is unclear if third-party authoritative servers will be able to do > > enough here to be compatible with CDNs, at least until we get to a > point > > where most/all recursive servers support ANAME sibling address > > substitution (and there are huge numbers of these around the world run > > by a huge variety of operators!). > > > > > > For third-party authoritative servers wishing to collapse A/AAAA names > > into a zone as signalled by an ANAME, some of the options include: > > > > > > 1. > > > > Primary zone master does sibling address substitution: Some CDNs > > will declare this to be strictly incompatible. (ie, all traffic > > would be directed to a small set of IPs associated with where the > > Primary Master is located). This would defeat the purpose of > using > > a non-purely-anycast CDN. > > > > 2. > > > > Zone secondaries do frequent sibling address substitution: Some > > CDNs may still declare this to be incompatible. Traffic is still > > directed to a small subset of IPs associated with where the zone > > secondaries are located. If the zone secondaries are widely > > deployed, some CDNs might be able to support this using anycast > > configurations, although that might limit to a subset of > products or > > limit to a subset of CDN server locations and might have CDN SLA > > limitations. > > > > 3. > > > > Authoritative resolvers do a mixture of the following, which is > > Do you mean authoritative name servers here? > > > likely what would be needed to be compatible with CDNs that do > > DNS-based traffic direction: > > > > o > > > > Online / on-demand lookups using ECS, with response caching. > > (Possibly requiring collaboration with the CDN to be on an ECS > > ACL or allowlist.) > > > > o > > > > Online DNSSEC signing. > > > > o > > > > Honoring short (eg, 20s-60s) response TTLs. > > > > o > > > > Having the scale/capacity and attack resilience to be able to > > support this possibly-low-cache-hit-rate request workload. > > > > > > It is only the third of these that might actually work well > enough, but > > may add a huge amount of complexity to authorities, requiring the > > authority to also have many recursive functionality. It is possible > > that some authoritative operators are willing and able to do this to > > enable interoperability. However, if this set of functionality is what > > is required to make ANAME work well enough to achieve its goals, > then we > > should be clear on that. It would be a mistake to go through all > of the > > effort of rolling out ANAME only to find that CDNs declare it to be > > incompatible. > > I agree that ANAME should fit the CDN use case, but there are other use > cases for ANAME that does not require ECS, online DNSSEC signing. I > think the ANAME draft provides enough flexibility such that > authoritative servers can combine ANAME with the above features to fit > the CDN use case, but can also be a very simple setup for the "I just > want an address redirection from my apex domain name to 'www'".. > > If you feel like something specific is missing for the CDN case, please > let me know. > > > Thanks, > > Matthijs > > > > I’ll add the caveat that the HTTPSSVC proposal doesn’t fully or > > magically solve this problem either. It is likely that A/AAAA records > > will need to live at the zone apex for a long time to come. If > those are > > static addresses, they’ll likely still need to do 30[127]-style > > redirects to “www.example.com <http://www.example.com> > <http://www.example.com>” names. However > > HTTPSSVC leaves an option for “example.com <http://example.com> > <http://example.com>” > > requests (eg, those containing an Alt-Used request header) to not need > > to return a redirect, allowing a somewhat more graceful transition as > > client adoption picks up. > > > > > > Erik > > > > > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > > https://www.ietf.org/mailman/listinfo/dnsop > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] a CDN perspective on ANAME challenges Erik Nygren
- Re: [DNSOP] a CDN perspective on ANAME challenges Mark Andrews
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking
- Re: [DNSOP] a CDN perspective on ANAME challenges Erik Nygren
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking
- Re: [DNSOP] a CDN perspective on ANAME challenges Ben Schwartz
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking