IETF Logo Mail Archive

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

Petr Špaček <pspacek@isc.org> Mon, 10 May 2021 08:19 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 373033A0E53 for <dnsop@ietfa.amsl.com>; Mon, 10 May 2021 01:19:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=ZtjDcssJ; dkim=pass (1024-bit key) header.d=isc.org header.b=I3kghwGa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l7TNACZguWha for <dnsop@ietfa.amsl.com>; Mon, 10 May 2021 01:19:24 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B62C33A0E2D for <dnsop@ietf.org>; Mon, 10 May 2021 01:19:24 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 50DE93AB024 for <dnsop@ietf.org>; Mon, 10 May 2021 08:19:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1620634761; bh=zjXL1U9OEMRihxWOXFM5/4yZtE9pqstpmUuixn0/uiw=; h=To:References:From:Subject:Date:In-Reply-To; b=ZtjDcssJA/N2AZLN4vn1HOciVbD9CQk5vQh5PsWcfQM3tsClUrj38nWNaR8cJYR13 hafXc4dox28BI/C2Y6sJt41x9CUC0x5vjFDFrKlBuFUqww3P4dhqe4zu0StwI9WOqc QA1/5HsSDMsIszeqBFbEU7MwouOH9rXICQ9d28YI=
Received: from zmx1.isc.org (localhost.localdomain [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 2035016003A for <dnsop@ietf.org>; Mon, 10 May 2021 08:19:21 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C3980160084 for <dnsop@ietf.org>; Mon, 10 May 2021 08:19:20 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org C3980160084
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1620634760; bh=2/eoQRhxCwjizzyyl8geURgZ/QJ332fgUneOKAZuUx4=; h=To:From:Subject:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=I3kghwGaOmWl9W4xaOuFJCwijMeJB4vD6oCT82XhjUxBaAKmEjPakoBde3N2eZRTP b75RDp/3OR229cXAAIFaV4Jeyzr4HIE07djS9iq7NPE0Bbdo7XDsknkV9VMEwaLCvT X494T5hK98VhV9lJC17aSfnjmSHh6rOngxMvkvMo=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id h9kmXesSc86I for <dnsop@ietf.org>; Mon, 10 May 2021 08:19:20 +0000 (UTC)
Received: from [192.168.1.148] (vlcnovska-1.chrudim.net [94.143.232.110]) by zmx1.isc.org (Postfix) with ESMTPSA id 3242C16003A for <dnsop@ietf.org>; Mon, 10 May 2021 08:19:19 +0000 (UTC)
To: dnsop@ietf.org
References: <20200127150847.taxhqeipwq6jg2rr@nic.cl>
From: Petr Špaček <pspacek@isc.org>
Message-ID: <c15437aa-365b-3a53-1d06-8d33491fb826@isc.org>
Date: Mon, 10 May 2021 10:19:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <20200127150847.taxhqeipwq6jg2rr@nic.cl>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/07ISssrct9IXXyMpOgwGBXUczlw>
Subject: Re: [DNSOP] Adoption of new EDNS opcode "rrserial"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2021 08:19:31 -0000

On 27. 01. 20 16:08, Hugo Salgado wrote:
> Dear DNSOPers, as an operator I tend to have this need to couple
> an answer for a query to an auth server, with the actual "SOA zone
> version" used. So I think it'll be valuable to have an EDNS option
> for it.
> 
> Here I'm proposing it with this new draft. The 'camel index' for
> its implementation/hack/proof-of-concept is about 37 lines in
> NSD 4.1 (more details in Appendix A).
> 
> I've asked some operators and they see value on it. Is there any
> support for adoption in DNSOP?
> 
> -----
> Name:           draft-salgado-rrserial
> Revision:       01

...

>     This "RRSERIAL" data allows to debug problems and diagnosis by
>     helping to recognize the origin of an answer, associating this answer
>     with a respective zone version.

I think it needs more thought. Here's why:

Extending TTLs
==============
First, people in this thread have floated ideas about using SOA serial 
for extending TTLs.

I think it's a bad idea because:
a) It would be pretty complex to implement right.
b) There are no guarantees that the SOA serial did not overflow in the 
meanwhile. As an extreme example, auth server can legally increment SOA 
value by 2^29 for each update, thus rolling SOA serial over very frequently.


Debugging
=========
Secondly, let's consider just the "debugging" use-case, which removes 
the requirement to make the proposed mechanism 100 % reliable:

In practice, this RRSERIAL option is a specialized way to conflate two 
queries into one:
- First query specified by the standard (qclass, qtype, qname)
- Second query with hardcoded qtype=SOA, qclass derived from the primary 
qclass in question section, and SOA name derived from qname in the 
question section.

To me, this sounds like a crude hack, and I think the proper solution 
should be a real multi-query option, which incidentally provides a 
superset of RRSERIAL capabilities.

A multi-query option would also work multi-master architectures that 
cannot rely on SOA serial but on some other (presumably queriable) 
information.


Epilogue
========
Generally, I think SOA serial design was fine in 1985 but is ill-fitted 
for 2021. (I have to admit I'm biased because I'm implemented 
multi-master auth in topologies with tens of DNS servers, all accepting 
dynamic updates at the same time.)

For this reason, I think the DNS protocol should be gradually getting 
rid of the dependency on SOA serial, not increasing it.

-- 
Petr Špaček

v2.23.0 | Report a Bug | By Email