IETF Logo Mail Archive

Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?

Matthew Pounsett <matt@conundrum.com> Fri, 12 April 2019 03:45 UTC

Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B60921201AA for <dnsop@ietfa.amsl.com>; Thu, 11 Apr 2019 20:45:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rWPyfyBSYHTo for <dnsop@ietfa.amsl.com>; Thu, 11 Apr 2019 20:45:22 -0700 (PDT)
Received: from mail-it1-x132.google.com (mail-it1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3729F12018E for <dnsop@ietf.org>; Thu, 11 Apr 2019 20:45:22 -0700 (PDT)
Received: by mail-it1-x132.google.com with SMTP id y204so13447945itf.3 for <dnsop@ietf.org>; Thu, 11 Apr 2019 20:45:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kU4hgk53NNoDs2w5xx207NPGx8JBVZxEVzEWwLIkWrA=; b=c28lmLhaVsmdL8x8epI749vlU30tCp4472RauME4ifkEA5CmbBX0/utdshI0dgKDa0 vLVI3OXL1XyEtcts9f4RBW465j/B+slNQKSJyRTO+4+cKKRPLnCzvpba7Q3oRymV3xEE Y64rKi7NkzdCNZRNXy5bj83ajzYvIdcSCAp7WazWaLP7x+KJqw7pMAE8N3LGb60av0ej +Kd9hYKKw99YCWGOZt8WQU/j1bnZiQ9UnLQi4jHlSyd2J+u/lBFozi/C+TiT3j2myRqk rZOZC75SfLbNVSsW4+dbNiemMeEIbhO/uINdEksQGUJG5EbeyGCgfS8vJmQXAst7m5Cn DN5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kU4hgk53NNoDs2w5xx207NPGx8JBVZxEVzEWwLIkWrA=; b=kl/d71kUdSwJr5kvd77gd7YwB7LsY0qH7/OJp0N+US/Le7Uxojir03jLwFQryr1Hum sGm2kH9aNl8iBMx4NxvywS2SUBg2ZfYS334QwDuDC98ZAQV5qO/RHM8ou4KitOplLi55 fWtj4+jL2R1NiQPLzC/pfEbUejONc+d3IcFsHRRb2zspmvXedfL1Mt8DLXRSQRvoLXOv ugJXEZouOxd+q35OPOOdeZ8Nilz+DXp+d5Vk2GpqYyQAnSqPB4rqkD5DDes3zQR0StpR YsBuSVHcdK9L1f0nOwEiC/lCDFIBRep381eIzN3BTJeisXx5EXVqXYSUkJC4kBh7sc9P gEHQ==
X-Gm-Message-State: APjAAAXhDRlA5K+tQOgk/dBUOncvoVTnOL9f+IurSRJxwf2vxib+A3lc S6Zs2ifk3RMMQOoAUzu7VSz7SMMNjfPlavCNfQVQ4Q==
X-Google-Smtp-Source: APXvYqy2AIgGbjaP/4hY69chzzYhpQnbDbow7K6FfWNrQCtQVQ2T5xPPMoDooDcwpL5wAr4Wq42LvaYXPzGW7M+6KCY=
X-Received: by 2002:a24:5f8c:: with SMTP id r134mr11632932itb.110.1555040721094; Thu, 11 Apr 2019 20:45:21 -0700 (PDT)
MIME-Version: 1.0
References: <d8ccad4a-cd0c-4c97-b4d7-2099657351dc@oracle.com> <CA+nkc8BM+mfTBm3XyOaZUF5hMg23t9aSY4nq4Y4=BQ-sjcjkVg@mail.gmail.com> <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> <CAAiTEH9Eg0oYw9HR9Ab5pYikFUvcbWXneF39_8xasp6tE9PpCA@mail.gmail.com> <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com>
In-Reply-To: <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com>
From: Matthew Pounsett <matt@conundrum.com>
Date: Thu, 11 Apr 2019 23:45:10 -0400
Message-ID: <CAAiTEH-ghaJB1XUm_3NJhzscH4ZTRHs34Rwndm40MVoD5FBGxw@mail.gmail.com>
To: Richard Gibson <richard.j.gibson@oracle.com>
Cc: Bob Harold <rharolde@umich.edu>, dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3ivu8LbAYJhVMG9m79RK3oCa5MA>
Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 03:45:25 -0000

On Thu, 11 Apr 2019 at 20:02, Richard Gibson
<richard.j.gibson@oracle.com> wrote:
>
> The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself.

[snip]

> But this suffers from both of the problems I have been complaining about—the resolver does not necessarily have the zone SOA, possibility necessitating an inline lookup, and per RFC 2308 the negative response will be cached according to values from the SOA that are unrelated to and far exceed the TTL of the ANAME.

Ah, I see the confusion.  You're using definitive statements such as
"will" when what you actually mean is "may."   There's no specific
mechanism that causes the client to cache the negative response "for
one to three orders of magnitude greater than the TTL of the ANAME."
And, the TTL of the SOA doesn't necessarily "far exceed" the TTL of
the ANAME.  You're just presupposing that will be a common
configuration?

I think we're still talking about misconfigurations here, and
designing a protocol around people who misconfigure their DNS at the
expense of people who configure it properly seems like a bad path to
take.

> Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be beneficial to dynamically remove ANAME siblings, please share it.

Yes, I can think of a case where it would be beneficial to remove
ANAME siblings: when the target of the ANAME is removed from the DNS.

> In such a configuration, the owner of the ANAME will be able to see that clients are using its static sibling records rather than its target (and therefore that they are getting no benefit from the ANAME), and can react accordingly. If your concern is excess queries for the ANAME target, then this seems no different from e.g. CNAME—the owner of the target can issue long-lived negative responses while performing whatever other exploration and/or mitigation they deem fit.

If the target of the ANAME disappears, the owner of the ANAME will
similarly be able to recognize the problem and deal with it.  If the
administrator of the name owning the ANAME is concerned about downtime
due to misconfigurations by the target, then that administrator can
either select a different target (presumably by selecting a different
service provider) or set their TTLs appropriately to not be subject to
the potential issue you identified above.

However, if the spec requires preserving the target in the DNS despite
the administrator of the target zone removing it, then that is a path
for abuse by the administrator of the zone containing the ANAME, and
the owner of the target will have no recourse.  This is what I meant
by my reference to serve-stale.

v2.23.0 | Report a Bug | By Email