Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt
Evan Hunt <each@isc.org> Fri, 26 January 2018 02:44 UTC
Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD7F112D88B for <dnsop@ietfa.amsl.com>; Thu, 25 Jan 2018 18:44:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZyYHdvPrkZyT for <dnsop@ietfa.amsl.com>; Thu, 25 Jan 2018 18:44:56 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DDC91270AB for <dnsop@ietf.org>; Thu, 25 Jan 2018 18:44:56 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id C4A8F3AB1AE; Fri, 26 Jan 2018 02:44:51 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id A6E9B216C1C; Fri, 26 Jan 2018 02:44:51 +0000 (UTC)
Date: Fri, 26 Jan 2018 02:44:51 +0000
From: Evan Hunt <each@isc.org>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: dnsop <dnsop@ietf.org>, Peter van Dijk <peter.van.dijk@powerdns.com>, "anthony.eden@dnsimple.com" <anthony.eden@dnsimple.com>
Message-ID: <20180126024451.GA1179@isc.org>
References: <151573473976.18703.16142464801623244164@ietfa.amsl.com> <DA12F618-29A5-4939-B4CD-8BEAEDAFE53D@verisign.com> <20180125232701.GA99501@isc.org> <909D91AA-16FD-47C2-A4F6-6363AF2FBBA2@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <909D91AA-16FD-47C2-A4F6-6363AF2FBBA2@verisign.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Mzdbnyd-2CeUi_P_jIBl3tykyXs>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jan 2018 02:44:57 -0000
On Thu, Jan 25, 2018 at 11:51:30PM +0000, Wessels, Duane wrote: > As an example, consider an ANAME record with TTL 3600 and a corresponding > AAAA record with TTL 86400. You'd want the AAAA to expire no later than the ANAME did, because the ANAME might have been updated to point to some other name by then. > I'm suggesting its just as acceptable to return the AAAA record with TTL > counting down from 86400, but after 3600 seconds it is ejected/marked > stale/whatever from the ANAME-implementing authoritative server. > > Unbound does that with its cache-max-ttl setting. > > If you do it this way then the consumers of the data (including > ANAME-unaware clients) get to cache it for the original TTL. That's exactly what I'm trying to prevent. With an ANAME-aware resolver, the address returned by the auth is ignored, the resolver chases the answer for itself, and records are all cached with their original TTLs. The ANAME answer and the target answers expire when they should, just as with a CNAME now. In your example, the ANAME expires after 3600 seconds, so we re-query to refresh it. If it's changed, then we follow it to get a new AAAA, but if it hasn't changed, then since we already have the AAAA cached, there's no need to chase it again. But with an ANAME-unaware resolver, it asked for an address, got one, and will cache it for whatever TTL you sent it. If your ANAME has a one-hour TTL, then you wouldn't want to send a higher TTL than that; you'd just overriding the ANAME TTL. > It seems to me that ANAME gives auth servers resolver-like properties, so > why wouldn't that apply there as well? Yes, fair point. I'll try to come up with text to address this. -- Evan Hunt -- each@isc.org Internet Systems Consortium, Inc.
- [DNSOP] I-D Action: draft-ietf-dnsop-aname-01.txt internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Bob Harold
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Richard Gibson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Wessels, Duane
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Evan Hunt
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Wessels, Duane
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Evan Hunt
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Stefan Bühler
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Bjørn Mork
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Evan Hunt
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Evan Hunt
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Stefan Bühler
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Evan Hunt
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-01… Tony Finch