Re: [DNSOP] QNAME minimisation on the standards track?
Tim Wicinski <tjw.ietf@gmail.com> Fri, 20 July 2018 14:33 UTC
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 362BC130E9C for <dnsop@ietfa.amsl.com>; Fri, 20 Jul 2018 07:33:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b-YvMvDI4rH3 for <dnsop@ietfa.amsl.com>; Fri, 20 Jul 2018 07:33:43 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FDD4130E57 for <dnsop@ietf.org>; Fri, 20 Jul 2018 07:33:43 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id a19-v6so9986768wmb.2 for <dnsop@ietf.org>; Fri, 20 Jul 2018 07:33:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=U1dzTXhlyO7nJ2365+Se5jACqoMaaHn5avl0rSakc5A=; b=tXcw1S1xbEm9KzdTCn1oxTDrpfJvhYflddj/JEXmTtSrv72yH/jdb9PmZGxWMkKcLo x6xtMLTjqldgs5rJkNCQpqrMnSf3Fd0i8oUNmCtnV/VeozZbM90DNELbrFnjNDGXW5Mq RYvzRHiOtcwVaGuKQfn3ynCw7gtpLk1oMZAWAg69SyDs1mT7mO7fAhH4IbsUAeA6tq7X dzcbAVEueC58zUw1AktA+oJeLL0477GEgpuCcGQ054OVT5eof3myJcJhJICUHYCexZVB RJBvJW9Tc9c/6BvCrKklX4/iqI9m79N1HJfgo7YKwhLAkmZY0jIMJJ0FKd1GJhOJoKFd Infg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=U1dzTXhlyO7nJ2365+Se5jACqoMaaHn5avl0rSakc5A=; b=Ne9CQsstDuNHEnPr5+o5+/e0N7jJPsyPSW62RV06FzieTTS6LoFBYx78LcMREMjFAE 5ML4hzUmq2r7Ef+rWTEzDYLKrOr8+eEK6/PuWDU38rZ4lzwZxiiXCZydjFi8JIDTDj+h FyjwT6kr1dLAW/0l+j85ViAM0Icbxq2IjNEkeJBmi7TWh53xoLwJz5Bepmotm4Bx+lMx ekrfyK/jK4EzBbHDQ58B/l2it5vTiMoFnSZKBpTEj+8kB1RQE11uCvsZ7KQTXOOag4S8 kB0rZ+gBTo/InbhLGHhOSZfaT49OwSMjbJo9nzSm5NdjKMlC7Lrfa5MwqlXSkW38a9uc zCLw==
X-Gm-Message-State: AOUpUlF9mUF97kUEFBKA+isbmCSiiVas2eUHM7lMnDx1GdDdXEJhHmw2 zyTRqPxKyb2D5C4s5gtXhJdS5c2o7G8nP3ed4uCEt5wTWMU=
X-Google-Smtp-Source: AAOMgpdNNIH0eo8ZaP4xN2+0xlgkHrQ/rruTAWMj3B8A3r1/N4gTqXNyxy90zg5NWWqth9bvgFR8abpotkKz5mWhTqk=
X-Received: by 2002:a1c:1509:: with SMTP id 9-v6mr1581284wmv.142.1532097221860; Fri, 20 Jul 2018 07:33:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:adf:a414:0:0:0:0:0 with HTTP; Fri, 20 Jul 2018 07:33:41 -0700 (PDT)
In-Reply-To: <alpine.DEB.2.20.1807181100320.17082@bos-lpg69.kendall.corp.akamai.com>
References: <20180717121406.GA6681@laperouse.bortzmeyer.org> <0E1026DD-2304-43FE-BEED-B9CE2981D9E3@gmail.com> <alpine.LRH.2.21.1807171724540.3719@bofh.nohats.ca> <CAArYzr+g5a8txJYV5z7ora_Y54ys0fi3UOQBbgosxGUnYfdGcA@mail.gmail.com> <alpine.DEB.2.20.1807181100320.17082@bos-lpg69.kendall.corp.akamai.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Fri, 20 Jul 2018 10:33:41 -0400
Message-ID: <CADyWQ+EWY6mt5YZDd5tQ82KA7Sgz_-GWWJ9uVVF1nd1GHi+CWw@mail.gmail.com>
To: Jonathan Reed <jreed=40akamai.com@dmarc.ietf.org>
Cc: manu tman <chantr4@gmail.com>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary="000000000000aba43e05716f2e1f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AfAjfTWVgxUdOB-xL4j5wFF6NLM>
Subject: Re: [DNSOP] QNAME minimisation on the standards track?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 14:33:46 -0000
Jonathan That's *exactly* the type of operational issues that I am interesting in documenting. (That doesn't mean the other chairs or the working group feel the same way, in fact they probably won't! Tim On Fri, Jul 20, 2018 at 9:40 AM, Jonathan Reed < jreed=40akamai.com@dmarc.ietf.org> wrote: > > On Tue, 17 Jul 2018, manu tman wrote: > > I'd like to see this standardized too. >> Side note: I would also be interested to get a return of experience from >> people operating qname minimization at scale, >> > > I suspect you're looking for feedback from recursive operators, but I'd > like to share our experience as an authoritative operator. Supporting > QNAME minimization as an authoritative implies correctly responding NOERROR > to empty-non-terminals (ENTs) within the zone. RFC 4592 clarifies the > interaction between wildcards and ENTs, however this poses a problem with > customer-provided zone data. > > RFC 4592's behavior is not intuitive to most of our customers, and given > that many other authoritative operators did not (and perhaps still don't) > correctly handle interaction between wildcards and ENTs, we received > significant customer pushback when we started correctly handling ENTs and > wildcards. In short, as far as customers are concerned, '*' should always > match "across" dots. _We_ all understand why it doesn't, but it's not > intuitive to our customers, and it is no longer the case that the person > managing a company's zone has an extensive background in DNS. (Nor, > frankly, should it be the case). > > Here's a common example: Consider a SaaS/cloud provider that onboards > customers through CNAMEs. For example, cloudco.biz would onboard > example.com by creating "example.com.cloudco.biz" and CNAMEing it to some > internal name. The SaaS provider also typically has a wildcard at/below > the apex of their zone (*.cloudco.biz) to gracefully handle their > customers who may put the CNAME in place before they have been fully > provisioned. > > Such a zone, by definition, potentially has ENTs at every possible TLD. > Thus, www.notyetprovisioned.com.clouco.biz will never match the wildcard > at the apex, because of the ENT at com.cloudco.biz. The SaaS provider is > now causing a significant outage for their in-the-process-of-onboarding > customers, and the provider is rightly very unenthusiastic about copying > that apex wildcard down to every TLD. The problem is further compounded > with ccTLDs (www.example.co.uk.cloudco.biz creates two ENTs: one at uk, > one at co.uk). This rapidly becomes an untenable solution for our > customers, and they're likely to seek out another authoritative provider. > > I realize this is a somewhat a special case, but there were (still are?) > many large authoritative DNS providers in this position, and our effort to > support QNAME minimization pushed a large operational problem onto our > customers. > > -Jon > > -- > Jonathan Reed > Senior Performance Engineer > Akamai Technologies > > > the type of issues encountered, what are the ratios of such errors.... >> hint @marek :) >> >> Manu >> >> On Tue, Jul 17, 2018 at 2:35 PM Paul Wouters <paul@nohats.ca> wrote: >> On Tue, 17 Jul 2018, tjw ietf wrote: >> >> > Subject: Re: [DNSOP] QNAME minimisation on the standards track? >> > >> > I’d like to see a more fleshed out operational considerations >> section. >> >> That would be good indeed. Especially with respect to broken DNS >> load >> balancers. >> >> I have enabled it in Fedora from the start and did run into a few >> problem >> domains, and some people turning it off. But that happened less >> than I >> had expected. Red Hat did not yet enable this in RHEL7 but it is >> planned >> to be enabled in RHEL8. >> >> But I do believe qname minimisation is an important privacy >> enhancing >> technology that we should strongly promote as a standards track >> document. >> >> Paul >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop >> >> >> > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > >
- [DNSOP] QNAME minimisation on the standards track? Stephane Bortzmeyer
- Re: [DNSOP] QNAME minimisation on the standards t… Puneet Sood
- Re: [DNSOP] QNAME minimisation on the standards t… tjw ietf
- Re: [DNSOP] QNAME minimisation on the standards t… Marek Vavruša
- Re: [DNSOP] QNAME minimisation on the standards t… Paul Wouters
- Re: [DNSOP] QNAME minimisation on the standards t… manu tman
- Re: [DNSOP] QNAME minimisation on the standards t… Paul Hoffman
- Re: [DNSOP] QNAME minimisation on the standards t… Sara Dickinson
- Re: [DNSOP] QNAME minimisation on the standards t… Dan York
- Re: [DNSOP] QNAME minimisation on the standards t… Petr Špaček
- Re: [DNSOP] QNAME minimisation on the standards t… Jonathan Reed
- Re: [DNSOP] QNAME minimisation on the standards t… Tim Wicinski
- Re: [DNSOP] QNAME minimisation on the standards t… manu tman