IETF Logo Mail Archive

Re: [DNSOP] a CDN perspective on ANAME challenges

Mark Andrews <marka@isc.org> Sun, 14 July 2019 23:08 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BBB7120134 for <dnsop@ietfa.amsl.com>; Sun, 14 Jul 2019 16:08:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7-t0_omc-Sj for <dnsop@ietfa.amsl.com>; Sun, 14 Jul 2019 16:08:22 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFB0D12000F for <dnsop@ietf.org>; Sun, 14 Jul 2019 16:08:21 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 4003E3AB001; Sun, 14 Jul 2019 23:08:21 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 30A22160067; Sun, 14 Jul 2019 23:08:21 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 184EE16007A; Sun, 14 Jul 2019 23:08:21 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id TM3lci6-3Dzb; Sun, 14 Jul 2019 23:08:21 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 3BFD2160067; Sun, 14 Jul 2019 23:08:20 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAKC-DJjiwEA977sLpriPg5yyfm--yCQ=xMUGk7VbXyYd8uPE6g@mail.gmail.com>
Date: Mon, 15 Jul 2019 09:08:17 +1000
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DCBE285A-28DB-43B0-BCD9-34D307CEA8A6@isc.org>
References: <CAKC-DJjiwEA977sLpriPg5yyfm--yCQ=xMUGk7VbXyYd8uPE6g@mail.gmail.com>
To: Erik Nygren <erik@nygren.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LSrzBTrjKrRj0_u4bGDbtg0qWWw>
Subject: Re: [DNSOP] a CDN perspective on ANAME challenges
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jul 2019 23:08:24 -0000


> On 13 Jul 2019, at 3:52 am, Erik Nygren <erik@nygren.org> wrote:
> 
> One of the intended goals of ANAME is to improve interoperability of onboarding onto CDNs for URLs at a zone apex, such as “http(s)://example.com”.  
> 
> The TL;DR is that ANAME is unlikely to allow interoperability here unless authorities are willing to effectively and scalablely do recursion-with-ECS for all requests (caching keyed by ECS prefix and obeying short, sub-minute TTLs).  Simply resolving “sibling address records” on a zone master (per draft-ietf-dnsop-aname-04) is likely to be declared incompatible and unsupported (or at least severely restricted) by at least some (if not many) CDNs.
> 
> For some background, Dan York highlights some sample use-cases here:
>      https://tools.ietf.org/html/draft-york-dnsop-cname-at-apex-publisher-view-01
> For example, web publishers want to do the equivalent of:
>      example.com  300  IN  CNAME a123qk.example-cdn.net.
> 
> Two use-cases (quoted from draft-york above):
> 1.  users will be able to simply enter "example.com" into their browser; and
> 2.  users will only see "example.com" in their address bar (if URLs are even displayed).
> 
> Note that for some CDNs, the “a123qk.example-cdn.net” target name dynamically selects which IP addresses to return based on a wide variety of factors (recursive nameserver IP, end-user IP prefix passed via ECS, dynamic load and liveness conditions, product, customer security requirements, TLS certificate needed for non-SNI-only configurations, etc) and often have short TTLs (often in the range of 20s to 60s, although sometimes up to 300s).
> 
> Some CDNs have had vertically-integrated solutions for onboarding zone apex names for years, allowing example.com to hand back CDN IPs as long as the zone is delegated to the CDN authorities.  The need for these to be vertically integrated comes from the level of complexity involved in calculating these answers.
> 
> Even these vertically integrated solutions may have limitations.  For example, one early vertically-integrated solution had very similar functionality to some of the ANAME proposals.  It only covered case #1 above, handing out a subset of CDN IPs (with limited performance).  Along with this was a correlated site HTTP configuration that would issue a 30[127] redirect to “www..example.com” which would in-turn use a normal set of CDN IPs.  This doesn’t help for the “users will only see ‘example.com’ in their address bar” case due to the need to redirect to a hostname that can fully CNAME.  
> 
> More advanced vertically-integrated solutions that can also handle case #2 may involve high-volume feeds of proprietary dynamic state and configuration being fed to the authoritative nameservers, allowing them to construct answers on-the-fly.
> 
> It is unclear if third-party authoritative servers will be able to do enough here to be compatible with CDNs, at least until we get to a point where most/all recursive servers support ANAME sibling address substitution (and there are huge numbers of these around the world run by a huge variety of operators!).  
> 
> For third-party authoritative servers wishing to collapse A/AAAA names into a zone as signalled by an ANAME, some of the options include:
> 
> 	• Primary zone master does sibling address substitution:  Some CDNs will declare this to be strictly incompatible.  (ie, all traffic would be directed to a small set of IPs associated with where the Primary Master is located).  This would defeat the purpose of using a non-purely-anycast CDN.   
> 	• Zone secondaries do frequent sibling address substitution:  Some CDNs may still declare this to be incompatible.  Traffic is still directed to a small subset of IPs associated with where the zone secondaries are located.  If the zone secondaries are widely deployed, some CDNs might be able to support this using anycast configurations, although that might limit to a subset of products or limit to a subset of CDN server locations and might have CDN SLA limitations.
> 	• Authoritative resolvers do a mixture of the following, which is likely what would be needed to be compatible with CDNs that do DNS-based traffic direction:
> 		• Online / on-demand lookups using ECS, with response caching.  (Possibly requiring collaboration with the CDN to be on an ECS ACL or allowlist.)
> 		• Online DNSSEC signing.
> 		• Honoring short (eg, 20s-60s) response TTLs.
> 		• Having the scale/capacity and attack resilience to be able to support this possibly-low-cache-hit-rate request workload.
> 
> It is only the third of these that might actually work well enough, but may add a huge amount of complexity to authorities, requiring the authority to also have many recursive functionality.  It is possible that some authoritative operators are willing and able to do this to enable interoperability. However, if this set of functionality is what is required to make ANAME work well enough to achieve its goals, then we should be clear on that. It would be a mistake to go through all of the effort of rolling out ANAME only to find that CDNs declare it to be incompatible.  
> 
> I’ll add the caveat that the HTTPSSVC proposal doesn’t fully or magically solve this problem either.  It is likely that A/AAAA records will need to live at the zone apex for a long time to come.  If those are static addresses, they’ll likely still need to do 30[127]-style redirects to “www.example.com” names.  However HTTPSSVC leaves an option for “example.com” requests (eg, those containing an Alt-Used request header) to not need to return a redirect, allowing a somewhat more graceful transition as client adoption picks up.

No one ever thought that it would.  With the transition from address to MX lookups for SMTP it took many years before you could just publish a MX record and have it work reliably enough.  The transition from A/AAAA to whatever was always going to take sometime (years) before you could reliably just publish the alternative.

>     Erik
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email