Re: [DNSOP] BCP on rrset ordering for round-robin? Also head's up on bind 9.12 bug (sorting rrsets by default)

"Peter van Dijk" <peter.van.dijk@powerdns.com> Sat, 16 June 2018 08:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LGdlN2bgGB0wrMgYr_N8ZzlpQ6Q>

On 16 Jun 2018, at 2:14, Shumon Huque wrote:

> Yeah, good point about side channels. Let's stick to recommending
> randomization!
>

Unbound has interesting middle ground here:

        rrset-roundrobin: <yes or no>
               If yes, Unbound rotates RRSet order in response (the random
               number is taken from the query ID, for speed and thread
               safety).  Default is no.

It rotates, but you cannot predict (easily) by how much. It keeps the 
implementation simple but mostly avoids (as far as I can judge) the side 
channel.

I do want to point out that the default is ‘no’, suggesting it is 
getting away with no ‘round robin’ at all in many deployments.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
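
The rotation described in the Unbound documentation quoted above, as an added example that is not part of the original message and is not Unbound's code. It assumes the offset is the query ID modulo the RRset size (the message only says the number is "taken from the query ID"); the function names, sample addresses and query ID are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample RRset (RFC 5737 documentation addresses). */
static const char *const SAMPLE_RRSET[] = {
    "192.0.2.1", "192.0.2.2", "192.0.2.3"
};
#define SAMPLE_COUNT (sizeof(SAMPLE_RRSET) / sizeof(SAMPLE_RRSET[0]))

/* Stored-record index emitted at answer position `pos`.
 * Assumption: the rotation offset is the query ID modulo the RRset size.
 * Pure function of the query: no shared counter, no locking. */
size_t rotated_index(uint16_t query_id, size_t count, size_t pos)
{
    if (count == 0)
        return 0;
    return (pos % count + query_id % count) % count;
}

/* Fill hist[i] with how many of the 65536 possible query IDs put stored
 * record i first. Returns the spread (max - min) across records. */
size_t first_slot_spread(size_t count, size_t *hist)
{
    size_t i, min, max;
    uint32_t id;

    if (count == 0)
        return 0;
    for (i = 0; i < count; i++)
        hist[i] = 0;
    for (id = 0; id <= UINT16_MAX; id++)
        hist[rotated_index((uint16_t)id, count, 0)]++;
    min = max = hist[0];
    for (i = 1; i < count; i++) {
        if (hist[i] < min) min = hist[i];
        if (hist[i] > max) max = hist[i];
    }
    return max - min;
}

int main(void)
{
    size_t hist[SAMPLE_COUNT], pos;
    uint16_t qid = 0x1235; /* constructed query ID */

    for (pos = 0; pos < SAMPLE_COUNT; pos++)
        printf("%s\n", SAMPLE_RRSET[rotated_index(qid, SAMPLE_COUNT, pos)]);
    printf("spread over all IDs: %zu\n", first_slot_spread(SAMPLE_COUNT, hist));
    return 0;
}
```

The first-slot load is even to within one query across the whole 16-bit ID space, but only if clients choose query IDs uniformly, which the server does not control.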