IETF Logo Mail Archive

Re: [DNSOP] ANAME loop detection

Matthijs Mekking <matthijs@pletterpet.nl> Thu, 04 July 2019 14:54 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 257B81201E6 for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 07:54:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uKh9Bnm_sZ_l for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 07:54:48 -0700 (PDT)
Received: from lb2-smtp-cloud9.xs4all.net (lb2-smtp-cloud9.xs4all.net [194.109.24.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8E1D120142 for <dnsop@ietf.org>; Thu, 4 Jul 2019 07:54:47 -0700 (PDT)
Received: from [IPv6:2001:980:4eb1:1:3992:4add:1cf0:92e1] ([IPv6:2001:980:4eb1:1:3992:4add:1cf0:92e1]) by smtp-cloud9.xs4all.net with ESMTPSA id j38DhCEI2AOfNj38Fhyk6J; Thu, 04 Jul 2019 16:54:43 +0200
To: Matthew Pounsett <matt@conundrum.com>
Cc: dnsop <dnsop@ietf.org>
References: <CAM1xaJ9txy98s5Y+Sq5T5N1KaD-LvtrDTut=mUomjHFwTvWnDg@mail.gmail.com> <a4137531-7641-34f2-6443-1cd904b485e3@pletterpet.nl> <CAAiTEH8v4MqpOvvKzLCeY=3NL8UrY5=LehxXy_JVtAt48muMrw@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <38b61acb-d223-2d4e-bfd4-02cee87341a5@pletterpet.nl>
Date: Thu, 04 Jul 2019 16:54:41 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <CAAiTEH8v4MqpOvvKzLCeY=3NL8UrY5=LehxXy_JVtAt48muMrw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfHJbCNgMRZOyBMU6l3hBI1Y8s6EALyB4YE7CaIq/i6ujxp+WPDbANAPTOdkSDdUzqSZKHYfoqoFN3PR0zeIdv9F0AU4h1p2PIPgFaN706nL/Tqdb1CZr 3YR0MTt9mBBqiksaQhqdi08Enx/FdTwp1OQOBl26eQVUZ9koY6JHeZ/e6HuHruJgveGl4UxTFXoqy2ZoXUr/Vbq9LbwA8f9lOHUf1yYMpaFpN2zpQA1hxLiD u5HRh3thR/bfQNf9gtuIXA/1swS5lafu4Wumx+WB04p5VnxPkmUwKPecWUDvjGQe
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UkCBDLnthl4VjxlhasPO_mptLgc>
Subject: Re: [DNSOP] ANAME loop detection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jul 2019 14:54:51 -0000

Matthew,

On 7/4/19 2:32 PM, Matthew Pounsett wrote:
> 
> 
> On Thu, 4 Jul 2019 at 05:54, Matthijs Mekking <matthijs@pletterpet.nl
> <mailto:matthijs@pletterpet.nl>> wrote:
> 
>     >
>     > 1. EDNS "do not follow ANAME" option: The requester would indicate
>     > that it is capable of following ANAME and that the server receiving
>     > the query should not include the ANAME sibling address records. The
>     > loop detection would then work exactly the same ways as with CNAMEs.
> 
>     This would be an easy addition I think, however I thought the "do not
>     follow ANAME" option actually meant "really don't do a target lookup I
>     can do it myself".  The authoritative server can still send the sibling
>     address records that are placed in the zone, they can be used if the
>     requester fails to perform the ANAME target lookup (for example due to a
>     network error or outage).
> 
>     Furthermore, a service provide receiving such a request might want to
>     ignore it if it feels strongly it should hand out more appropriate
>     addresses than the sibling records (basically because that is the
>     service they provide their customers, will they rely on an EDNS option
>     from the requester saying "no really I can do this"?).
> 
> 
> I would say they should rely on that.  Why shouldn't they?  Isn't our
> goal to get downstream servers to adopt the extension and do their own
> lookup?  The server-side lookups and sibling records are bolt-ons to
> handle the adoption period.  Remember, this record is geared toward
> customers of CDNs being able to do get similar behaviour to:
> www.example.com <http://www.example.com>. IN CNAME webfarm.cdn.net
> <http://webfarm.cdn.net>. 
> at the apex of example.com <http://example.com>.  That was the original
> problem we're trying to solve.  I read your statement above about "the
> service they provide their customers" being about the CDN resolving
> webfarm.cdn.net <http://webfarm.cdn.net>, which most CDNs can already do
> within their own infrastructure.

I am talking about DNS providers that perform CNAME at the Apex like
features: a customer goes to them and opts in to this feature. Such a
provider wants to make sure that it is providing the behavior the
customer expects and thus wants to make sure it hands out appropriate
addresses.

Also what is wrong with an authoritative server already giving out more
optimal answers than just the ANAME and sibling address records?


> Sending out the sibling records in the presence of this EDNS option
> might make sense as a backup, since that is low effort on the part of
> the authoritative, but a declaration by the querying server that it
> understands ANAME and is prepared to do its own lookups should be
> trusted by the authoritative server, and it should not to recursive
> lookups.  To take that further, why would the authoritative server
> believe that the results of any lookups it does would not be thrown away? 
> 
> This EDNS option should also be useful to recursive servers that
> understand ANAME, and are planning to do their own ANAME resolution. 
> They can get their answer from the authoritative server much faster this
> way.

I am not sure if that is true. Perhaps if you do ANAME target lookup on
the fly yes, but I think most implementations will have a side process
that does the target lookup and the query resolution can get the target
addresses just from cache.


> This is also a way to measure adoption.  As the ratio of "EDNS do not
> follow ANAME" queries to total ANAME queries approaches 1.0, we know
> that adoption has been successful.  Maybe we could even begin to
> deprecate authoritative resolution (of ANAMEs) at that point, and begin
> to get back to something that looks more like plain CNAME.
> 
> I would suggest that better EDNS semantics would be just "I
> understand/support ANAME".   That gets the desired information across
> without the sense of sending a command to the upstream server.

I am fine with a "understand/support ANAME" signal, I don't like if that
prohibits the receiver to do its own target lookups. So I am in favor of
a signal that says "this query is part of an ANAME target lookup" to
distinguish it from an address query.


> Option #2 gets similar behaviour but at the cost of additional lookups. 
> #3 and #4 don't work well in the presence of server farms.

If addresses are in the response to the ANAME request there is no
difference in number of lookups between 2 and 3 I think.

Best regards,

Matthijs

v2.23.0 | Report a Bug | By Email