Re: [DNSOP] Cache utilization review and suggestion for EDNS client-subnet
Yuri Schaeffer <yuri@nlnetlabs.nl> Thu, 04 February 2016 10:51 UTC
Return-Path: <yuri@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D8EF1A8777 for <dnsop@ietfa.amsl.com>; Thu, 4 Feb 2016 02:51:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.093
X-Spam-Level:
X-Spam-Status: No, score=0.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kos2_nbdd8Um for <dnsop@ietfa.amsl.com>; Thu, 4 Feb 2016 02:51:34 -0800 (PST)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2E031A876E for <dnsop@ietf.org>; Thu, 4 Feb 2016 02:51:33 -0800 (PST)
Received: from [IPv6:2a04:b900:0:1:7e7a:91ff:fe7c:7b1c] (unknown [IPv6:2a04:b900:0:1:7e7a:91ff:fe7c:7b1c]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 05AFB46FB for <dnsop@ietf.org>; Thu, 4 Feb 2016 11:51:32 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1454583092; bh=2101yjwy4U3wcC7tK27FDC0z1elQmRmP8tHSGTm4CYE=; h=Subject:To:References:From:Date:In-Reply-To; b=ree2K5UMlxGARpb0TW/GJdlCKdjjpenxPbyF4rV11LoBIzLnUD47PLlebKjzTCJ/d ZJAPjX6VR3JM+fX3E9Rxan1zex+Fs2IQ7gqPtt7PHaaSODuiz0dDlUMNTVX3YHtbfj ldaBDsFICr9daTlPYZ2xiuQlT+aI9ubnKqqnwEI0=
To: dnsop@ietf.org
References: <20151228022914.GA11204@jurassic.l0.malgudi.org>
From: Yuri Schaeffer <yuri@nlnetlabs.nl>
X-Enigmail-Draft-Status: N1110
Message-ID: <56B32D33.5020203@nlnetlabs.nl>
Date: Thu, 04 Feb 2016 11:51:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.5.0
MIME-Version: 1.0
In-Reply-To: <20151228022914.GA11204@jurassic.l0.malgudi.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/8DpcuocxYG3_mD_UCJDMeVAAIec>
Subject: Re: [DNSOP] Cache utilization review and suggestion for EDNS client-subnet
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 10:51:35 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have a hard time understanding your need for DIRECTION and DEPTH, and would argue you'd have enough information as is. > > IPv4 root [A2(/0)**] / \ 0b0.. / \ 0b1.. / \ A2(/1) X / > \ / \ 0b10.. / \ 0b11.. / \ A2(/2) X / \ / \ > 0b110.. / \ 0b111.. / \ A2(/3) A1(/3) > > > ** This is the global answer, but the auth server shouldn't send > it. > > (...) > > I add that there is still confusion on what happens with the scheme > in the current draft, if the resolver queries with > client-subnet=128.0.0.0/1. The authoritative server has two answers > in this network. Does it send A1 or A2? If it sends A2, with scope > prefix-length=1, that'll be used from cache for future resolver > queries where client-subnet=223.0.0.0/3. That would be used yes. Therefore as a caching resolver I would not expect the authority to reply with SCOPE=1. I would expect in this case either (A2) 128.0.0.0/1/2 ("give me a bit more and I have it more specific") or (A2) 128.0.0.0/1/3 ("Give me et least 3 bits and I'll have THE answer." ) In any case it would answer with A2 because given the information provided this is the most specific answer (it gets it from the root of the tree). Now as a caching resolver the next time I do a cache lookup for say client 128.1.2.3 I would find the cache entry "128.0.0.0/1/3" thus giving me two choices: A) I'm willing to share more bits. So I query the authority with SOURCE 3. (Or maybe lower if my policy says so) B) My policy mandates SOURCE cannot exceed 1 and I'll use the cache entry. The authority wants more but is not getting it from me. > A1 may not be correct as the client behind the resolver (that is > hidden by policy) may be in 224.0.0.0/3. The draft says: > >> If an Intermediate Nameserver receives a response which has a >> longer SCOPE PREFIX-LENGTH than the SOURCE PREFIX-LENGTH that it >> provided in its query, it SHOULD still provide the result as the >> answer to the triggering client request even if the client is in >> a different address range. > > Operators who use this feature ought to be careful in designing > their network. For example, there is a possibility that an address > record may be sent to a client which has no route to it if the > address is local to some other network. You seem to imply that a SCOPE > SOURCE means an answer from further down the tree. But I think it doesn't, or at least it shouldn't. The SCOPE is not tied to an answer but rather used as an indicator how many bits the authority needs/wants for the most/more specific answer. //Yuri -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlazLTMACgkQI3PTR4mhavhk9QCfdYhtOiIkgzuPhRllFw2v1thu kH4AoMC4XHOipkQxcP8A1I+wxzp1dPhT =pb1/ -----END PGP SIGNATURE-----
- [DNSOP] Cache utilization review and suggestion f… Mukund Sivaraman
- Re: [DNSOP] Cache utilization review and suggesti… 神明達哉
- Re: [DNSOP] Cache utilization review and suggesti… Mukund Sivaraman
- Re: [DNSOP] Cache utilization review and suggesti… Mukund Sivaraman
- Re: [DNSOP] Cache utilization review and suggesti… 神明達哉
- Re: [DNSOP] Cache utilization review and suggesti… Yuri Schaeffer
- Re: [DNSOP] Cache utilization review and suggesti… Mukund Sivaraman
- Re: [DNSOP] Cache utilization review and suggesti… Yuri Schaeffer
- Re: [DNSOP] Cache utilization review and suggesti… Mukund Sivaraman
- Re: [DNSOP] Cache utilization review and suggesti… Yuri Schaeffer
- Re: [DNSOP] Cache utilization review and suggesti… Mukund Sivaraman
- Re: [DNSOP] Cache utilization review and suggesti… Mukund Sivaraman
- Re: [DNSOP] Cache utilization review and suggesti… Yuri Schaeffer