IETF Logo Mail Archive

Re: [DNSOP] comments on draft-ietf-dnsop-edns-client-subnet-00

Yuri Schaeffer <yuri@nlnetlabs.nl> Thu, 08 January 2015 14:51 UTC

Return-Path: <yuri@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03E41A0270 for <dnsop@ietfa.amsl.com>; Thu, 8 Jan 2015 06:51:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.084
X-Spam-Level:
X-Spam-Status: No, score=0.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rBthQ3jhfRYL for <dnsop@ietfa.amsl.com>; Thu, 8 Jan 2015 06:51:41 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B45F81A0067 for <dnsop@ietf.org>; Thu, 8 Jan 2015 06:51:41 -0800 (PST)
Received: from [IPv6:2a04:b900:0:1:7e7a:91ff:fe7c:7b1c] (unknown [IPv6:2a04:b900:0:1:7e7a:91ff:fe7c:7b1c]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id AA948D290 for <dnsop@ietf.org>; Thu, 8 Jan 2015 15:51:39 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1420728699; bh=sRgHGDCHa9FaQO7NUznxNc7EgmP0/XgY6GX0R3kukrY=; h=Date:From:To:Subject:References:In-Reply-To; b=tadFmKsxeS45fFxTk6jtyKvrXkvRuo1rRKRq0JZktNAVr3Q0E2o9NPCpbYIpkVP72 pu5V3i8syxKnRJRIQsiHz5YxmACkgbfEqBtOf8dXuzfilx2Vtobhsbu2Ampvnzgzrp EiR+AUu2+BjzXcPlnC8t13cz1eNmjI2nYuXKhEdM=
Message-ID: <54AE999C.1000404@nlnetlabs.nl>
Date: Thu, 08 Jan 2015 15:52:12 +0100
From: Yuri Schaeffer <yuri@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.3.0
MIME-Version: 1.0
To: dnsop@ietf.org
References: <CAJE_bqeY3g7s4HN=5XpoT5Z=4FqgRRTrmOXDSA_0sidWOZ5jiQ@mail.gmail.com>
In-Reply-To: <CAJE_bqeY3g7s4HN=5XpoT5Z=4FqgRRTrmOXDSA_0sidWOZ5jiQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/BYAjfa2Zbj49g6HhmGo_ix1aPx0>
Subject: Re: [DNSOP] comments on draft-ietf-dnsop-edns-client-subnet-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jan 2015 14:51:43 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/31/2014 08:31 PM, 神明達哉 wrote:
> - Section 6.3
> 
> If the address of the client is within any of the networks in the 
> cache, then the cached response MUST be returned as usual.  If the 
> address of the client matches multiple networks in the cache, the 
> entry with the longest SCOPE NETMASK value MUST be returned, as
> with most route-matching algorithms.
> 
> If I understand this (and Section 6.3 in general), the following 
> "suboptimal" scenario could happen: - The Authoritative Server is
> configured with two prefixes for optimized responses: 2001:db8::/32
> and 2001:db8:2::/48 - The Recursive Server sends a query with
> SOURCE of 2001:db8:1::/48 - The Authoritative Server finds the best
> matching prefix for the SOURCE is 2001:db8::/32 and returns a
> response corresponding to it, setting SCOPE NETMASK to 32

No, I thing the authority should have responded with a scope of 47.
That's the number of bits it needs (for this address) to make sure
there isn't a more specific answer.

Q:  2001:db8:1::/48/0
A:  2001:db8:1::/48/47

> - The Recursive Server receives the response and caches it - The
> Recursive Server receives a query from 2001:db8:2::1, and finds it
> has a matching cache (with prefix being 2001:db8::/32)

It will have in its cache:
  2001:db8:1::/48/47
Likely, (we assume the recursive server wants to expose only the 48
first bits) 2001:db8:2::/48 will be looked up in the cache and will
not match. So then the following exchange happens:

Q:  2001:db8:2::/48/0
A:  2001:db8:2::/48/48

Now, if the recursive server would have asked for 2001:db8:8002::/48
the authority would have responded with a small scope.

Q:  2001:db8:8002::/48/0
A:  2001:db8:8002::/48/33

> and uses the cached response to answer the query, even if it could 
> get the specifically optimized response for 2001:db8:2::/48 from 
> the Authoritative Server.
> 
> Is my understanding correct?  If so, is this a problem to resolve
> or something we need to accept?

Think of scope like:
 "I would have used N bits to come to this answer if N or more have
been available. (for this particular block)"
Rather than:
 "Only the first N bits of the address are relevant"

//Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlSumZwACgkQI3PTR4mhavi8kACeM4lk4mRxTyV6V+vy4jO/0pg3
wAMAoJmkiy9yXKLUogBMYs47iLYnmAih
=Rby2
-----END PGP SIGNATURE-----

v2.31.3 | Report a Bug | By Email | System Status