Re: [DNSOP] call for adoption: draft-vandergaast-dnsop-edns-client-subnet
"Mark Delany" <f4t@november.emu.st> Wed, 24 December 2014 19:53 UTC
Return-Path: <f4t@november.emu.st>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0CA71A1A6E for <dnsop@ietfa.amsl.com>; Wed, 24 Dec 2014 11:53:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLIO8fTJaIkU for <dnsop@ietfa.amsl.com>; Wed, 24 Dec 2014 11:53:06 -0800 (PST)
Received: from smtp1.bushwire.net (f5.bushwire.net [199.48.133.46]) by ietfa.amsl.com (Postfix) with SMTP id 6F4161A1A74 for <dnsop@ietf.org>; Wed, 24 Dec 2014 11:53:06 -0800 (PST)
Received: (qmail 4350 invoked by uid 1001); 24 Dec 2014 19:52:29 -0000
Delivered-To: qmda-intercept-dnsop@ietf.org
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=s384; d=november.emu.st; b=owVX4AbmKnQHgPfIivBbPl1JDg+S94iQ3hLFwJrIUlWdZcxTbkuBFYLnCGYow3ia;
Comments: DomainKeys? See http://en.wikipedia.org/wiki/DomainKeys
DomainKey-Trace-MD: h=14; b=80; l=C18R70D32M64F41M32T18S39?43R60M17C39C27I61;
Comments: QMDA 0.3
Received: (qmail 4343 invoked by uid 1001); 24 Dec 2014 19:52:29 -0000
Date: Wed, 24 Dec 2014 19:52:29 +0000
Message-ID: <20141224195229.4342.qmail@f5-external.bushwire.net>
From: Mark Delany <f4t@november.emu.st>
Mail-Followup-To: dnsop@ietf.org
To: dnsop@ietf.org
References: <629002B1-7A32-4A83-ACA1-0185F5355641@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <629002B1-7A32-4A83-ACA1-0185F5355641@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/8x_DuI5TJUbzfWzn6kuJR3u6Koo
Subject: Re: [DNSOP] call for adoption: draft-vandergaast-dnsop-edns-client-subnet
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 19:53:09 -0000
> The draft is available here: http://datatracker.ietf.org/doc/draft-vandergaast-dnsop-edns-client-subnet/ a) 6.2 - Intent of SCOPE NETMASK "In both cases, the value of the SCOPE NETMASK in the reply has strong implications with regard to how the reply will be cached" I wonder whether SCOPE NETMASK should have a bigger impact beyond how the reply is cached? Specifically, if an auth returns a SCOPE NETMASK that is more fine-grained than the SOURCE NETMASK, should that granularity influence the SOURCE NETMASK of future queries from that cache to that auth/domain? If you think about it, SCOPE NETMASK is the auth communicating its knowledge of the client network back to the cache. And, in the cases where the client-subnet option is most useful (CDN-like applications), it is commonly the case that auths do indeed have better knowledge than the cache/resolver. By way of example if a cache issues a query with a default SOURCE NETMASK of /24 to a well-managed CDN auth, it is entirely possible that the auth has greater knowledge of the SOURCE network and may return a SCOPE NETMASK of, say, /25 because it knows that that /24 is distributed topologically from the auth's perspective. As it stands today, this cache will continue to issue queries to that auth/domain with a /24 SOURCE NETMASK even though the replies coming back indicate that the client network is divided on /25 basis as far as the auth is concerned. In effect the auth has no way to correct the erroneous assumptions of the cache. I'm primarily concerned that client implementations of client-subnet will hard-code a minimum or default SOURCE NETMASK which may not be granular enough in the future. As we approach v4 exhaustion I can easily imagine a corp network dividing a /24 up on a regional basis and who knows what will happen to public routing as we really do get close to v4 exhaustion? If caches allow returned SCOPE NETMASKs to influence future SOURCE NETMASKs (modulo privacy policy of course) then as networks get more granular, auths - which have the greatest incentive to adapt - can dynamically influence caches as the Internet changes. (Admittedly this may not help if caches adopt a default privacy mask that matches their default SOURCE NETMASK - which I expect many will). b) 11.2 - Whitelist "Only a few Recursive Resolvers will need to use edns-client-subnet" Does "few" refer to implementations or deployments? If the later, then I wonder whether that estimate is accurate? I would think that any enterprise or ISP with multiple ingress points is a candidate user. Maybe that's still a "few" in the grand scheme of things but the number of relevant operators goes well beyond the tiny population of public caches and giant eyeball networks. Has "few" been quantified? Are we talking about 1,000 deployments, 10,000? What is the threshold at which "few" no longer applies? I'm also thinking of medium sized corporates which could easily run regional networks with internal caches and auths. Maybe this isn't a concern here because it's not the "Internet", but generally they will want to use the same technology. My ulterior motive is to revisit the whole notion of whitelisting. Why have it at all? I worry that the desire to make a manageable Internet-wide whitelist (if that's not an oxymoron) is driving some of the assumptions and text in the spec. Apologies if this is a rehash of earlier discussions, ignore anything that has been previously settled. Mark.
- [DNSOP] call for adoption: draft-vandergaast-dnso… Suzanne Woolf
- Re: [DNSOP] call for adoption: draft-vandergaast-… Warren Kumari
- Re: [DNSOP] call for adoption: draft-vandergaast-… Paul Hoffman
- Re: [DNSOP] call for adoption: draft-vandergaast-… Paul Ebersman
- Re: [DNSOP] call for adoption: draft-vandergaast-… David C Lawrence
- Re: [DNSOP] call for adoption: draft-vandergaast-… Paul Wouters
- Re: [DNSOP] call for adoption: draft-vandergaast-… Allison Mankin
- Re: [DNSOP] call for adoption: draft-vandergaast-… Suzanne Woolf
- Re: [DNSOP] call for adoption: draft-vandergaast-… Warren Kumari
- Re: [DNSOP] call for adoption: draft-vandergaast-… Mark Delany
- Re: [DNSOP] call for adoption: draft-vandergaast-… Mark Delany
- Re: [DNSOP] call for adoption: draft-vandergaast-… George Michaelson
- Re: [DNSOP] call for adoption: draft-vandergaast-… Mark Delany
- Re: [DNSOP] call for adoption: draft-vandergaast-… Marcus Grando
- Re: [DNSOP] call for adoption: draft-vandergaast-… Livingood, Jason
- Re: [DNSOP] call for adoption: draft-vandergaast-… Livingood, Jason
- Re: [DNSOP] call for adoption: draft-vandergaast-… Livingood, Jason
- Re: [DNSOP] call for adoption: draft-vandergaast-… jewforice .
- Re: [DNSOP] call for adoption: draft-vandergaast-… Peter DeVries
- Re: [DNSOP] call for adoption: draft-vandergaast-… Marcus Grando
- Re: [DNSOP] call for adoption: draft-vandergaast-… Livingood, Jason
- Re: [DNSOP] call for adoption: draft-vandergaast-… Suzanne Woolf
- Re: [DNSOP] call for adoption: draft-vandergaast-… Paul Hoffman
- Re: [DNSOP] call for adoption: draft-vandergaast-… Mark Delany
- Re: [DNSOP] call for adoption: draft-vandergaast-… Warren Kumari