Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-edns-isp-location-02.txt

Lanlan Pan <> Mon, 31 July 2017 03:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 87F7E131CB6 for <>; Sun, 30 Jul 2017 20:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id k0R4lw9hfm77 for <>; Sun, 30 Jul 2017 20:06:04 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C7894120724 for <>; Sun, 30 Jul 2017 20:06:03 -0700 (PDT)
Received: by with SMTP id u19so14476851qtc.0 for <>; Sun, 30 Jul 2017 20:06:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kBT+goJrkCxgBI7jNB6/flyyHY4I3YGRD339dOmcw88=; b=RRcpJ0uVS/q0+ItkuUEMrhdsjg+UVX881eehnIpRDQfO+UKnpb5EIAUY1+7ctx6/Rh wgU8eXqzULJGAvADixlRY1qi32v3T0MaNluXuZA6IhyILk30YbYW3wXu1TaBv9iFQ0qC RbM0A+Q5Yh9m/byNpe3zuyFoezN8PGl3qBayWsKfvYMFx1o8CDRJMkGD9vaPLkSnJQd5 5IpAkvYZxPPHdvSsD/7tv6Sa54oxNf5zv54rdJoufwv9B0puACoZp5Z+yjI3wjDwikzh 1t9aImDhEPbnG+N6Xdwr8JKzCI+CIYO8RJ0554jEGF+YbqpDWlBFYiUn/DwRJsmGj73+ vtjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kBT+goJrkCxgBI7jNB6/flyyHY4I3YGRD339dOmcw88=; b=E8WyivPNoiWYq2rtGs/GRC7Pyv7jxNe3JuTkbPiAjJifl8HfPlVbBB8KCRR/TiXQ7q s8fC3taoVtU4gcMiH11WH2sYCAFBGzW4QWwbkYsOMoTh+nkDpGLrDyGraqhrOTuMvGmc NkzwTOWssjpVppGYqzD30qdUldguPqZe2HYBmotX4iex9PU4WPc0L7y1dYWxllwQbfoC chL5lMAxC+5Z9IqBvN8QizcZ9iOxGhjEZ4lIQSbYKy4jX2ZFiq/KXegWn6TCrA5O8x0u qKljVl3oXWEQM+s2PRY4qXF7zXJP3aHpSY2SKIOsPRGpNi9q4OfYZafG2UUM+P97RUOK r4JA==
X-Gm-Message-State: AIVw1130IiHkLDmpgQqMM74zNzRGNrz0Kq7xCRZSuamBvK8AjQXb7FUF HaHntAR5WA5ZPiv3I7KWj6qzo9+deI0g
X-Received: by with SMTP id r12mr18793468qte.47.1501470362874; Sun, 30 Jul 2017 20:06:02 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Lanlan Pan <>
Date: Mon, 31 Jul 2017 03:05:51 +0000
Message-ID: <>
To: Robert Edmonds <>
Cc: dnsop <>, Dave Lawrence <>
Content-Type: multipart/mixed; boundary="94eb2c1907b49fe6b20555944f21"
Archived-At: <>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-edns-isp-location-02.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 31 Jul 2017 03:06:07 -0000

Hi Robert,

Thanks for your comments.

Robert Edmonds <>于2017年7月29日周六 上午1:17写道:

> Hi,
> Dave Lawrence wrote:
> > Have you had any feedback from authority server implementers who are
> > interested in using this?
> As an authority server implementer at a CDN -- we have no interest in
> using anything like this.
Fastly support  Creating location-based tagging
<> ,
offer HTTP header like Fastly-GeoIP-CountryCode for geographically
sensitive content, and Geolocation-related VCL features
Fastly has something like this, give tailor HTTP response based on client
ip's Geo Feature.

Hope you have interest to support something like this on DNS level in the
future, welcome cooperation, :-)

> > I'm having a hard time picturing many CDNs wanting to switch, in no
> > small part because geo is not the only goal of mapping.  The
> > < COUNTRY, AREA, ISP > tuple that is defined is insufficient.
> Yes, as has been made clear in previous discussion on this document.
The "sufficient" vs "not sufficent" has repeat many times.
Seperate path calculation and tailor DNS response
CDN can do all analysis based on client ip *without ECS and EIL*, because
it is data provider, every client will visit.
Geoip enabled ECS vs EIL
: The < COUNTRY, AREA, ISP > tuple *can be sufficient for GeoIP-enabled
Authoritative Nameserver*.
See also 3 pictures in attach.

> Even if it were sufficient, using only a <COUNTRY, AREA, ISP> tuple to
> direct traffic makes it incumbent on the resolver operator to accurately
> geolocate the client IP and faithfully transmit the result to the
> authoritative operator.

For user privacy concern and realistic geoip-enabled authoritative server,
EIL can be an alternative feature, not many cost on geoip-enabled
authoritative server to add this feature.

Generally speaking, the global public dns, which make resolver's IP not
close to client's IP, is the origin of "response accurate problem". Their
GeoIP database's accuracy should be no less than authoritative service
With ECS, authoritative server incumbent to accurately geolocate the client
IP. Big company with huge number of users has advantage. EIL can be more
fairly for small company and third patry startup authoritative sevice if
they have less accuracy GeoIP database.

Common security concern, if resolver not "faithfully transmit the <COUNTRY,
AREA, ISP> tuple to the authoritative operator", would it "faithfully
transmit the client-subnet tuple to the authoritative operator" ?

If the resolver operator is an ISP, this
> proposal would give the ISP an enormous amount of counter- traffic
> engineering power by spoofing the COUNTRY/AREA fields.
ISP resolver (or all type resolvers) can redirect traffic because its key
position, between user and authoritative server.

Use the same logic, we can imagine that,  ECS can give the ISP an enormous
amount of counter- traffic
engineering power by spoofing the CLIENT-SUBNET fields.

> --
> Robert Edmonds
致礼  Best Regards

潘蓝兰  Pan Lanlan