IETF Logo Mail Archive

Re: [DNSOP] question regarding draft-ietf-dnsop-aname-03.txt/authoritative name server response

Klaus Malorny <Klaus.Malorny@knipp.de> Wed, 29 May 2019 07:34 UTC

Return-Path: <Klaus.Malorny@knipp.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5B921200F6 for <dnsop@ietfa.amsl.com>; Wed, 29 May 2019 00:34:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9BJznj3TA-Pg for <dnsop@ietfa.amsl.com>; Wed, 29 May 2019 00:34:56 -0700 (PDT)
Received: from kmx5b.knipp.de (s671.bbone.dtm.knipp.de [195.253.6.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F01D12001A for <dnsop@ietf.org>; Wed, 29 May 2019 00:34:56 -0700 (PDT)
Received: from hp9000.do.knipp.de (hp9000.do.knipp.de [195.253.2.54]) by kmx5b.knipp.de (Postfix) with ESMTP id 440A0300055; Wed, 29 May 2019 07:34:53 +0000 (UTC)
Received: from [195.253.2.27] (mclane.do.knipp.de [195.253.2.27]) by hp9000.do.knipp.de (Postfix) with ESMTP id 1E8ADA5600; Wed, 29 May 2019 09:34:23 +0200 (MESZ)
To: Matthijs Mekking <matthijs@pletterpet.nl>, dnsop@ietf.org
References: <54f0a685-0a57-2821-26cc-c136c39e7750@knipp.de> <59692e76-d5f3-eab0-7fe7-150a0430b32e@pletterpet.nl>
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Message-ID: <b54e9dcc-dbce-39ce-3535-f41b36b77466@knipp.de>
Date: Wed, 29 May 2019 09:34:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Thunderbird/69.0a1
MIME-Version: 1.0
In-Reply-To: <59692e76-d5f3-eab0-7fe7-150a0430b32e@pletterpet.nl>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spamd-Bar: /
Authentication-Results: kmx5b.knipp.de; none
X-Rspamd-Server: s671
X-Rspamd-Queue-Id: 440A0300055
X-Spamd-Result: default: False [0.00 / 15.00]; ASN(0.00)[asn:8391, ipnet:195.253.0.0/16, country:DE]; IP_WHITELIST(0.00)[195.253.2.54]
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EHGatWc1v6ZOc3VKXI9hz12Finw>
Subject: Re: [DNSOP] question regarding draft-ietf-dnsop-aname-03.txt/authoritative name server response
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 07:34:59 -0000

On 28.05.19 21:14, Matthijs Mekking wrote:
> Hi Klaus,
> 

Hi Matthijs,

> I provided responses inline.

I too.

> 
> On 5/28/19 5:49 PM, Klaus Malorny wrote:
>>
>>
>> Hi all,
>>
>> [...]
> 
> For authoritative servers that receive A or AAAA requests, the address
> records shall appear only once: in the answer section.  It is correct
> that those address records have the owner name and TTL adjusted (to the
> owner name of the ANAME record and the minimum of the encountered TTLs).
> 
> There is nothing in the additional section, except for the ANAME record,
> as described in Section 6.1.1:
> 
>     When a server receives an address query for a name that has an ANAME
>     record, the response's Additional section MUST contain the ANAME
>     record.  The ANAME record indicates to a client that it might wish to
>     resolve the target address records itself.
> 
> Note that there is separate additional processing for authoritative
> servers and resolvers.  For resolvers there is a requirement of having
> target address records in the additional section.
> 
> 
>> [...]
> 
> I am not sure what text in Section 3 you are referring to, can you quote
> the specific text?
 >
 > AFAICS there is nothing that says the visited ANAMEs and CNAMEs needs to
 > be set in the Additional section.  Visited ANAME and CNAME records are
 > used to adjust the owner name and the TTL.

Well, just the two sentences just below the headline of section 3:

    The requirements in this section apply to both recursive and
    authoritative servers.
    ^^^^^^^^^^^^^

    An ANAME target MAY resolve to address records via a chain of CNAME
    and/or ANAME records; any CNAME/ANAME chain MUST be included when
                                          ^^^^^^^^^^^^^^^^^^^^^^^
    adding target address records to a response's Additional section.

Along with the following requirement of 3.1:

    o  MAY contain the target address records that match the query type
       (or the corresponding proof of nonexistence), if they are
       available and the target address RDATA fields differ from the
       sibling address RRset.

So, I can choose to add the target addresses to the additional section, but then 
I have to add the full path of ANAME/CNAME/DNAME(?) also. This is my interpretation.


> 
> 
>> - if the name server chooses to cache the target address records (and
>> the intermediate xNAME records), shall the answer reflect the age of the
>> cache entries in the TTLs (i.e. be subtracted) of the records in the
>> answer and/or additional section?
> 
> There is some guidance in appendix C on this:
> 
> - In principle you should use a fixed TTL (no decremented TTLs) to avoid
> query bunching (C.1).
> 
> - If the ANAME target lookup is done inside the name server, and
> implements a cache, may use a decremented TTL in the response to the
> client rather than using the original target address records' TTL, but
> not a near zero TTL (C.4).
> 
> Hope this helps.

Ah, ok. This is helpful.

Thanks for answering.

Klaus

v2.23.0 | Report a Bug | By Email