IETF Logo Mail Archive

Re: [DNSOP] opportunistic refresh and Happy Eyeballs

Warren Kumari <warren@kumari.net> Wed, 16 August 2017 00:34 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A4C21320BD for <dnsop@ietfa.amsl.com>; Tue, 15 Aug 2017 17:34:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mUH7nGFqJ9Ej for <dnsop@ietfa.amsl.com>; Tue, 15 Aug 2017 17:34:13 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5F7B1323B0 for <dnsop@ietf.org>; Tue, 15 Aug 2017 17:34:12 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id f15so21422825wmg.1 for <dnsop@ietf.org>; Tue, 15 Aug 2017 17:34:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=1prN7IzjZHi3EKjLXMAij5CJqHApp/LUJrl9uuZ88Pk=; b=07a77z9nEzrXC+x34wMTSwf3bl9x7yVXVmfwB1WkL2OzOYeKnNR1NFt3Ld0qc43mUQ dX6F6mZANdeoo658w3th+aIuKicZ8AX/2U4zWeElnYzXu6VB7v6nkWBqumWrlGYl6D+o uxZ+0ICz84dv0v7BVWqSBmcNC3f8QXKl2zxmygrOmT25p2ZeuwI02aLRiiuilCHbGuhA rRk8WHVP4NplLpcH+kdrxeS4LGHZtQry5to/4dc2/WNz/RiGaORgU95xL3Hed3GKkQCf L+12U0CGiA1pzVI8hV6zfhmBpy+d8mn9HeezSrNXNFhkhH3EcCnM2exl+wJcRb3+TRC1 RbUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=1prN7IzjZHi3EKjLXMAij5CJqHApp/LUJrl9uuZ88Pk=; b=VSHEw8FekfxF0Cn0D3/6XaWrYVT2AD5mMaGGsF0RlBsXEi6F4hRXbLHDlN9WS47F+j WNqZdTWYvR84Qnmn9aj5Cg0L0tpo9wrt5NQsslMAmOqptMvlUqZn1aXLSy7ZKikeqGkm Ofju+r47rRQ4tVf83Y3AX0dYxqKq1u21vyv2gRCaiEfzkc+ZsJeWAu+L25MEzu4ewTIC e1C5VpKYgOZYtLqDC0cUAlJ8EuTVqjsEFI67p5IYymkldWYg+xAmoXSVnza851N+AvdY QPMKwsG9V+nYAmM8hpSRVSjUJY89GSy4OdwrBQ1f3YvzZPwrq8ZH4AFekQZhBoPwq7lO y+HA==
X-Gm-Message-State: AHYfb5gAZvcwg1X+4Q9lQzm5QG4G8HGxg+6JuamA5n3/vPVPUmPomjrb C9+9RsmnZjDQv7R4RGZx6wDIQV6AHkiW79WFwA==
X-Received: by 10.28.196.71 with SMTP id u68mr146665wmf.18.1502843651186; Tue, 15 Aug 2017 17:34:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.164.135 with HTTP; Tue, 15 Aug 2017 17:33:30 -0700 (PDT)
In-Reply-To: <294FA766-3C87-4C35-AF0F-E886A7ADEDE5@dotat.at>
References: <alpine.DEB.2.20.1708150911470.3655@uplift.swm.pp.se> <9EED4C56-8B35-4013-861D-0B86F66483E0@puck.nether.net> <59932F2F.9030504@redbarn.org> <294FA766-3C87-4C35-AF0F-E886A7ADEDE5@dotat.at>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 15 Aug 2017 20:33:30 -0400
Message-ID: <CAHw9_iLNwcsxbw37Zr827MUDtrU5th2XYe=rEy4BTs5C8b+NMA@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Paul Vixie <paul@redbarn.org>, dnsop <dnsop@ietf.org>, Mikael Abrahamsson <swmike@swm.pp.se>, Jared Mauch <jared@puck.nether.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/K3drurnTBzi_kN_Bg5Q_PC7NrOY>
Subject: Re: [DNSOP] opportunistic refresh and Happy Eyeballs
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 00:34:15 -0000

On Tue, Aug 15, 2017 at 3:05 PM, Tony Finch <dot@dotat.at> wrote:
>
>> On 15 Aug 2017, at 20:28, Paul Vixie <paul@redbarn.org> wrote:
>>
>> we can specify that AAAA be sent as additional data for QTYPE=A, and that A be sent as additional data when QTYPE=AAAA.
>
> It's awkward.
>
> From the stub point of view, how does it know that the server will return additional address records? How does it tell the difference between no support, no records, or an empty cache? To what extent do the additional records actually help clients to avoid double queries?
>

This is a subset of draft-wkumari-dnsop-multiple-responses-05
("Returning extra answers in DNS responses."):
"Other examples where this technique may be useful include SMTP (by
   including mail server addresses, SPF and DKIM records when serving
   the MX record), SRV (by providing the target information in addition
   to the SRV response) and TLSA (by providing any TLSA records
   associated with a name).  This same technique can also be used to
   include both the IPv4 (A) and IPv6 (AAAA) addresses for any singular
   address query."
The above document does require DNSSEC, and is clearly an
optimization, but if the auth-> recursive or recursive -> stub
includes an AAAA with an A (or the other way round), it means that
you'll have it handy.



> From the recursive server point of view, should it delay answers so it can fill in the additional section? What if a broken authority doesn't answer to AAAA queries?
>
> DNSSEC can help a bit because there would be a visible proof of nonexistence to disambiguate some cases.
>
>> given identical deployment curves along both the ANYA and additional-data timelines, we will get identical results.
>
> ANYA has the advantage of clear signalling that the server supports it or not, though broken servers or middleboxes might make the negative answer rather slow. But we would need some kind of modelling or experimental evidence to see if it increases the query load by 50% (the worst case) rather than reducing by 50% (the goal).

multiple-responses allows servers to opportunistically include this
info. We still need to do some analysis to figure out just how much of
an improvement this generates, but it doesn't require any additional
requests. If the server (auth or recursive) knows that a client
(recursive or stub) might be able to use this into, it just shovels it
in. This leads to larger responses, but I think that we lost the
"small packets" battle long ago -- attackers who want to find big
responses for reflections can easily do so...


>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email