IETF Logo Mail Archive

Re: [DNSOP] Cache utilization review and suggestion for EDNS client-subnet

Yuri Schaeffer <yuri@nlnetlabs.nl> Thu, 04 February 2016 10:51 UTC

Return-Path: <yuri@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D8EF1A8777 for <dnsop@ietfa.amsl.com>; Thu, 4 Feb 2016 02:51:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.093
X-Spam-Level:
X-Spam-Status: No, score=0.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kos2_nbdd8Um for <dnsop@ietfa.amsl.com>; Thu, 4 Feb 2016 02:51:34 -0800 (PST)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2E031A876E for <dnsop@ietf.org>; Thu, 4 Feb 2016 02:51:33 -0800 (PST)
Received: from [IPv6:2a04:b900:0:1:7e7a:91ff:fe7c:7b1c] (unknown [IPv6:2a04:b900:0:1:7e7a:91ff:fe7c:7b1c]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 05AFB46FB for <dnsop@ietf.org>; Thu, 4 Feb 2016 11:51:32 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1454583092; bh=2101yjwy4U3wcC7tK27FDC0z1elQmRmP8tHSGTm4CYE=; h=Subject:To:References:From:Date:In-Reply-To; b=ree2K5UMlxGARpb0TW/GJdlCKdjjpenxPbyF4rV11LoBIzLnUD47PLlebKjzTCJ/d ZJAPjX6VR3JM+fX3E9Rxan1zex+Fs2IQ7gqPtt7PHaaSODuiz0dDlUMNTVX3YHtbfj ldaBDsFICr9daTlPYZ2xiuQlT+aI9ubnKqqnwEI0=
To: dnsop@ietf.org
References: <20151228022914.GA11204@jurassic.l0.malgudi.org>
From: Yuri Schaeffer <yuri@nlnetlabs.nl>
X-Enigmail-Draft-Status: N1110
Message-ID: <56B32D33.5020203@nlnetlabs.nl>
Date: Thu, 04 Feb 2016 11:51:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.5.0
MIME-Version: 1.0
In-Reply-To: <20151228022914.GA11204@jurassic.l0.malgudi.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/8DpcuocxYG3_mD_UCJDMeVAAIec>
Subject: Re: [DNSOP] Cache utilization review and suggestion for EDNS client-subnet
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 10:51:35 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have a hard time understanding your need for DIRECTION and DEPTH,
and would argue you'd have enough information as is.

> 
> IPv4 root [A2(/0)**] /  \ 0b0.. /    \ 0b1.. /      \ A2(/1)    X /
> \ /   \ 0b10.. /     \  0b11.. /       \ A2(/2)      X / \ /   \ 
> 0b110..   /     \ 0b111.. /       \ A2(/3)    A1(/3)
> 
> 
> ** This is the global answer, but the auth server shouldn't send
> it.
> 
> (...)
> 
> I add that there is still confusion on what happens with the scheme
> in the current draft, if the resolver queries with 
> client-subnet=128.0.0.0/1. The authoritative server has two answers
> in this network. Does it send A1 or A2? If it sends A2, with scope 
> prefix-length=1, that'll be used from cache for future resolver
> queries where client-subnet=223.0.0.0/3.

That would be used yes. Therefore as a caching resolver I would not
expect the authority to reply with SCOPE=1. I would expect in this
case either
	(A2) 128.0.0.0/1/2  ("give me a bit more and I have it more specific")
or
	(A2) 128.0.0.0/1/3 ("Give me et least 3 bits and I'll have THE answer."
)

In any case it would answer with A2 because given the information
provided this is the most specific answer (it gets it from the root of
the tree).

Now as a caching resolver the next time I do a cache lookup for say
client 128.1.2.3 I would find the cache entry "128.0.0.0/1/3" thus
giving me two choices:

A) I'm willing to share more bits. So I query the authority with
SOURCE 3. (Or maybe lower if my policy says so)

B) My policy mandates SOURCE cannot exceed 1 and I'll use the cache
entry. The authority wants more but is not getting it from me.


> A1 may not be correct as the client behind the resolver (that is
> hidden by policy) may be in 224.0.0.0/3. The draft says:
> 
>> If an Intermediate Nameserver receives a response which has a
>> longer SCOPE PREFIX-LENGTH than the SOURCE PREFIX-LENGTH that it
>> provided in its query, it SHOULD still provide the result as the
>> answer to the triggering client request even if the client is in
>> a different address range.
> 
> Operators who use this feature ought to be careful in designing
> their network. For example, there is a possibility that an address
> record may be sent to a client which has no route to it if the
> address is local to some other network.

You seem to imply that a SCOPE > SOURCE means an answer from further
down the tree. But I think it doesn't, or at least it shouldn't. The
SCOPE is not tied to an answer but rather used as an indicator how
many bits the authority needs/wants for the most/more specific answer.

//Yuri

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlazLTMACgkQI3PTR4mhavhk9QCfdYhtOiIkgzuPhRllFw2v1thu
kH4AoMC4XHOipkQxcP8A1I+wxzp1dPhT
=pb1/
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email