Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

[Warren Kumari <warren@kumari.net>]

On Fri, Jun 22, 2018 at 8:57 AM Joe Abley <jabley@automagic.org> wrote:

> On 19 Jun 2018, at 17:03, Ray Bellis <ray@bellis.me.uk> wrote:
>
> > On 19/06/2018 17:44, Tony Finch wrote:
> >
> >> SRV should have been part of the fix (and it was invented early
> >> enough to be!) but it wasn't a complete fix without support from the
> >> application protocols.
> >
> > AIUI, a large part of the supposed issue with SRV was the inertia of the
> > installed base of browsers that wouldn't know how to access them.
> >
> > Ironically the proposed fix seems to require upgrades to the
> > installed base of one of the most important network infrastructure
> > services on the planet.
> >
> > Meanwhile, a very large portion of the installed base of web browsers
> > gets automatically and silently upgraded every month or so...
>
> I think so long as there's a fallback for clients that don't yet have SRV
> implemented (e.g. publish A/AAAA RRSets at the same owner name as the SRV
> RRSet, and specify the behaviour by SRV-compliant servers in the event that
> both are present) this is not a plausible engineering argument.
>
> Processing an SRV might require additional DNS lookups to get name -> SRV
> -> SRV target -> address, but that's a one-time hit per TTL and I think
> it's a stretch to paint that as definitely a problem. Modelling is required
> and worst cases remain to be understood.
>

​It certainly is the ​case that a number of browser / large web properties
have stated that an additional DNS lookup is a price that they are not
willing to pay, especially for something not "critical".

I believe that this also would require firing off simultaneous lookups for
SRV along with the A and AAAA (or, even worse, firing off a SRV, waiting
for the "nooerror" error and *then* trying for the A / AAAA) and waiting
for the long tail before you even know of you need to resolve the target.

The DNS lookup from my house (behind Comcast, in NoVa, using 8.8.8.8) for
SRV www.afilias.com was Query time: 125 msec.

That is probably not a fair test - there is no SRV for www.afailias.com and
so it wouldn't be cached, but just querying for A www.afilias.com gives
me ;; Query time: 62 msec. This is from a relatively well connected
residential network, and is noticeably worse in many other places in the
world.

Anyway, adding ~60ms is definitely something that many will say is a
problem, especially because all of this falls into the "before first byte"
bucket, and so the user cannot be distracted with progressive rendering,
etc.

I'd note that things like
https://tools.ietf.org/html/draft-wkumari-dnsop-multiple-responses-05 (and
similar) would allow you to bundle the SRV and the target of the SRV so
that you *could* do this in one DNS transaction...



>
> If there are definitive problems it would be good to hear what they are.
> It has always sounded to me like the problem is "this is not how we did
> things before". Perhaps the cost of change is not actually in the client,
> but in the provisioning/client education/product packaging across all web
> and hosting services?
>

​I think that the problem boils down to:
A: a chicken and egg issue and
B: extreme sensitivity to latency, especially "avoidable" latency.

W


>
>
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf