IETF Logo Mail Archive

Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?

Joe Abley <jabley@hopcount.ca> Fri, 12 April 2019 17:37 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49D1012079C for <dnsop@ietfa.amsl.com>; Fri, 12 Apr 2019 10:37:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7j3XS91t66W for <dnsop@ietfa.amsl.com>; Fri, 12 Apr 2019 10:37:09 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62CC5120776 for <dnsop@ietf.org>; Fri, 12 Apr 2019 10:37:09 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id n11so9198265ioh.1 for <dnsop@ietf.org>; Fri, 12 Apr 2019 10:37:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=WU416Lpk2ymznpxAFKq/sF0ZNTLGn6JEg597jrqlRew=; b=StDa2mNjzYpMdfM3dz5O52H/wA9Zqj1wD42T7TvuXi2OcwUQ0R8zg6GL4ypKzhR+av 2+6pwKJv904mkqeH6svueo7w0/Y5RG/uM1LBIl+xVWiwmdrqdF5rjCmeubXSvelhRJzn HAai27ZNSDiG3U8G/5/P0Dnp5us8ZWmBswJUU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=WU416Lpk2ymznpxAFKq/sF0ZNTLGn6JEg597jrqlRew=; b=K75wqwRHRZ6XGJQJMbDh0wI3EY9bXCrX6tJnDx2Nxp14kYKaVo2L/UzRypCmRxOPvR i0PvMT0yigXr8KMs7VgSRibqCHFqWZfTG7ewqSkEKqyGhR7cOY+hfAwHG4N4l/Uo4uuA AGFoB9Jw5i11F4Uz3EoahsC6X//70u5Rfz4gjbPpEkJ7gZbFcSK8evQuT57xjiRC55oV oTe21SbsnTr9mE5bl2zIsWamGaRbn439sgNeDUX0LPWEZKtjoAAS9sy12ENXGJprPBL6 agX37mrMcjcShPBr2H2VfZxCc3jprLHNV07gB/qdRs98jpejwAbS6ZL3Jlv9VJAwnwK2 cY6w==
X-Gm-Message-State: APjAAAWaFM4nA8pjfFFLb3Lu3FNXnkCliJYdlql0lPbMfGEM9WLfWw+i w6AFwudSt5Jl0h27KtSDYXs95A==
X-Google-Smtp-Source: APXvYqxGvX0SbWtXr4EmeLdHwCuNBCN1YW3h90A2Q74WbeaJXuEVM+wG30FYk3q0hLFBa7F/0mgFew==
X-Received: by 2002:a5e:950f:: with SMTP id r15mr25201351ioj.88.1555090628538; Fri, 12 Apr 2019 10:37:08 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:e786:128f:935:27fd:af60:bcbb? ([2607:f2c0:e786:128f:935:27fd:af60:bcbb]) by smtp.gmail.com with ESMTPSA id f126sm4108932ita.31.2019.04.12.10.37.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Apr 2019 10:37:06 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
Message-Id: <374C38F3-AC65-42D8-9250-3EC591DD4F95@hopcount.ca>
Content-Type: multipart/signed; boundary="Apple-Mail=_4B0E1A2B-4D66-474C-86BA-D46A549BA2AF"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Fri, 12 Apr 2019 13:37:04 -0400
In-Reply-To: <CAAiTEH-ghaJB1XUm_3NJhzscH4ZTRHs34Rwndm40MVoD5FBGxw@mail.gmail.com>
Cc: Richard Gibson <richard.j.gibson@oracle.com>, Bob Harold <rharolde@umich.edu>, dnsop <dnsop@ietf.org>
To: Matthew Pounsett <matt@conundrum.com>
References: <d8ccad4a-cd0c-4c97-b4d7-2099657351dc@oracle.com> <CA+nkc8BM+mfTBm3XyOaZUF5hMg23t9aSY4nq4Y4=BQ-sjcjkVg@mail.gmail.com> <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> <CAAiTEH9Eg0oYw9HR9Ab5pYikFUvcbWXneF39_8xasp6tE9PpCA@mail.gmail.com> <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com> <CAAiTEH-ghaJB1XUm_3NJhzscH4ZTRHs34Rwndm40MVoD5FBGxw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GhTUvDwEjlzM23yx0sY1-iDB94Q>
Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 17:37:11 -0000

On 11 Apr 2019, at 23:45, Matthew Pounsett <matt@conundrum.com> wrote:

> On Thu, 11 Apr 2019 at 20:02, Richard Gibson
> <richard.j.gibson@oracle.com> wrote:
>> 
>> The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself.
> 
> [snip]
> 
>> But this suffers from both of the problems I have been complaining about—the resolver does not necessarily have the zone SOA, possibility necessitating an inline lookup, and per RFC 2308 the negative response will be cached according to values from the SOA that are unrelated to and far exceed the TTL of the ANAME.
> 
> Ah, I see the confusion.  You're using definitive statements such as
> "will" when what you actually mean is "may."   There's no specific
> mechanism that causes the client to cache the negative response "for
> one to three orders of magnitude greater than the TTL of the ANAME."
> And, the TTL of the SOA doesn't necessarily "far exceed" the TTL of
> the ANAME.  You're just presupposing that will be a common
> configuration?

You can't tell how long to cache a negative answer for unless you know data from closest-enclosing SOA RRSet (the RRSet TTL and the SOA.MINIMUM field). In this case potentially there are two SOA RRSets to consider, the one enclosing the ANAME and the one enclosing the ANAME target, and there's the additional complication that the ANAME RR also has a TTL.

I don't see text in the working draft (the one on github) that makes the expected behaviour clear in the case that Richard outlined. I think it makes sense to specify this carefully, otherwise there is a risk of negative answers being cached for longer than expected, which might be especially bad in the case (perhaps the expected use case) where availability and deterministic cache behaviour are kind of important.

I have not been following this closely enough, quite possibly.


Joe

v2.23.0 | Report a Bug | By Email