IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Lanlan Pan <abbypan@gmail.com> Fri, 18 August 2017 16:37 UTC

Return-Path: <abbypan@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03A3B1329FF for <dnsop@ietfa.amsl.com>; Fri, 18 Aug 2017 09:37:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id htxsIOiXpZBX for <dnsop@ietfa.amsl.com>; Fri, 18 Aug 2017 09:37:32 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA6E81329F8 for <dnsop@ietf.org>; Fri, 18 Aug 2017 09:37:31 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id t201so3963738wmt.1 for <dnsop@ietf.org>; Fri, 18 Aug 2017 09:37:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wnnOc/yaN2kEhBt202fOwih6v9T92cKqWxVyrCdDbSY=; b=mrm8WKXI3jr44aOMx8JlfxpsEEgeuDN+AEvBFPjuINuny0yqlJ+ErueCS/bflN5q0e biNURTB3CoCqyHJtfB6JmT/xjkiK2lIR8+GD5oKwcdBRNzoHQHsZvI9c+H9R10D3eUe/ Iuh5VkXUCbFhZxqtHdkzrKJJlBH2FBTccvNc20DAUpr4BcQU1t20WcguVFbfNl7AMYfP mKSr8s9RVoTdrLiZ/YXXboj/9w1rl6Ej8ESh1AkwkesV1X/LXiYcICLF2QYImEtjYaqU K1aMShx8WmygTV3Dv7YVKLtMJQ0GGcuioknADRu98qzjmek8hXjiNO6ccpbHt98B0vBD PRwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wnnOc/yaN2kEhBt202fOwih6v9T92cKqWxVyrCdDbSY=; b=YdbHQXkIW95O1mvDF+FwzpQW0pEqwpl7U6zIq7O1ZY3FRVMdDtcStTghVOcEQeyi01 PB6NX8lbYQaGGH9WTofGSfHv90qnQoeaMEG8yK4muT1omTCk8WiV6EBsj44Sod9FP9oy IpwqDi6ZLbsyzZ9qIH7PnxPtC29xruqhFT+ZZVlxLVEPU81fqGp21iiKC2CJnP4MepaT TZZz1HnB1nYV+7ggLAZCSCFt2Ml9LfMDubzgQiX2a+mBVvezXCHnVRcRrUtrwv7ew5Nm ELx61vMD0cuxon5jvawE9MofY44/AFRx1JNHQhhwvG+Rt0sTxUw0Jie6HQ90XurPSkiR eVig==
X-Gm-Message-State: AHYfb5idPRfLdnLgmK9ijr34gUJpRJ1zJ662ZviHI+G18sXJbg7T/ow6 AKjGlENpnGGBOjRxE5OYtT2fdGo5l2Ts
X-Received: by 10.80.182.44 with SMTP id b41mr5324535ede.115.1503074250241; Fri, 18 Aug 2017 09:37:30 -0700 (PDT)
MIME-Version: 1.0
References: <CANLjSvWFh0ER47=SFJB-3rkTJKT_OxcjKwcD9-DUkDDxJTo=+g@mail.gmail.com> <201708151341.v7FDfNqR039481@calcite.rhyolite.com> <CAPt1N1=2eFRBCHYptn6W=3ruFisN0xRcMQSPPakgZXnmsaTS5w@mail.gmail.com> <CANLjSvWkDTgqTg+fy2jZzfcaY7e1VWB11yiWMzO3MfcrCGVLSQ@mail.gmail.com> <FFA80661-78A3-40B8-8DBC-FE79E873BCAF@fugue.com> <CANLjSvWcscFQSH9KdmZPgOb9vC5immDoJZjG3msQB5TqfiHkDQ@mail.gmail.com> <78BBBA80-9FAA-4F18-9EDC-F93A2790E226@fl1ger.de>
In-Reply-To: <78BBBA80-9FAA-4F18-9EDC-F93A2790E226@fl1ger.de>
From: Lanlan Pan <abbypan@gmail.com>
Date: Fri, 18 Aug 2017 16:37:18 +0000
Message-ID: <CANLjSvXQ6dpXG034ASx84y0+vafFZjdLgZzVf4um+1WBOWTHAQ@mail.gmail.com>
To: Ralf Weber <dns@fl1ger.de>
Cc: Ted Lemon <mellon@fugue.com>, dnsop WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0dd4e4c1ba5e055709bee6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/V8yvAIbgjmT0hKGQF236QJm8DYA>
Subject: Re: [DNSOP] New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 16:37:35 -0000

Thanks a lot for your detail analysis, :-)

Ralf Weber <dns@fl1ger.de>于2017年8月17日周四 下午11:16写道:

> Moin!
>
> On 17 Aug 2017, at 0:09, Lanlan Pan wrote:
> > Yes, I agree, in fact the *online cache rate* is small (0.12% queries),
> LRU
> > & TTL works fine.
> > SWILD not save many online cache size, because of the queries rate.
> > And Temporary Domain Names/ All Names: 41.7% for 7 days statistics,  the
> > rate can be about 10% for 1 day statistics. Because temporary domain
> names
> > expire after TTL time.  Ralf has similar curious.
> As you mention me, with the data you supplied it is highly unlikely that a
> lot of records will still be active in the Cache because of the TTL and
> how least recently used (LRU) algorithms work.
>

> > The problem is:
> >
> > 1)  cache size
> > Recursives commonly cache "all queried domain in n days" for some
> > SERVFAIL/TIMEOUT condition, which has been documented in
> > https://tools.ietf.org/html/draft-tale-dnsop-serve-stale-01
> That is not what the draft suggest and is not what the current
> implementations of this or similar features do. They all rely on a cache
> with a fixed size and if the record that normally would be expired is
> still in the cache extend it's lifetime when queried. The records you
> mention are not queried and thus would be expired because other records
> that are queried more frequently would have overwritten them anyway.
>
> There also is nearly no harm if these queries fail in case the
> authoriative is not responding as most of those queries you describe
> are computer and not human generated. The draft above and similar
> techniques where done because of the twitter.com problem. Now I can
> assure you that twitter.com will always be hot (asked at least every
> couple of seconds) in a regular resolver at your ISP or a provider
> of DNS services, and thus the expired record will probably still be
> in the cache.
>
You are totally right.
I admit the online cache size is not a problem on fixed size LRU/TTL
refresh.

>
> > The subdomain wildcards cache are needlessly,  we can use heuristics
> > algorithm for deciding what to cache, or just use simple rule like
> "select
> > domain which queies time > 5 in last n days".
> > We can use SWILD to optimize it, not need to detecting, just remove items
> > which SWILD marked, to save cost.
> The cost of sending a query now and then is very low resolvers do that all
> the time and the rate on which they have to do that is very low. However to
> actually save costs you would have to deploy your proposal on the
> authoritative server that have that behaviour and the resolvers. Good luck
> with that. I also assume some of the authorities are actually interested in
> the queries so they would not implement your proposal even if they could,
> making the theoretical improvement of 0.12% even smaller.
>
0.12% is the rate of recursive queries times.
authorities's improvement rate is not 0.12%, it depends on the query
distribution of subdomain wildcards on the whole zone, and the number of
recursives that enable SWILD.

>
> > 2) cache miss
> > All of temporary subdomain wildcards will encounter cache miss.
> > Query xxx.foo.com,  then query yyy.foo.com, zzz.foo.com, ...
> > We can use SWILD to optimize it,  only query xxx.foo.com for the first
> time
> > and get SWILD, avoid to send yyy/zzz.foo.com queries to authoritative
> > server.
> See above.
>
same as above, and the above reply to Ted, :-)

>
> > 3) DDoS risk
> > The botnet ddos risk and defense is like NSEC aggressive wildcard, or
> NSEC
> > unsigned.
> > For example,  [0-9]+.qzone.qq.com is a popular SNS website in China,
> like
> > facebook. If botnets send "popular website wildcards" to recursive,  the
> > cache size of recursive will rise, recursive can not just simply remove
> > them like some other random label attack.
> As PRSD (Pseudo Random Subdomain) attacks as I call them or waterfall
> attacks
> as others call them are usually asking every subdomain once (and these
> botnets
> take great care on doing this) the record would be removed by the least
> recently used (LRU) algorithm when other records that are used more are
> questioned.
>
> While these attacks on recursive resolvers can stress the recursive to
> authoritative part of the resolver there are techniques to limit the
> exposure to clients. I did gave a talk on that at DNS-OARC 2015 Spring
> Workshop in Amsterdam on that topic:
>         https://indico.dns-oarc.net/event/21/contribution/29
> and the summary of it is that all major vendors of recursive resolvers
> handle this, so again while your solution would be one once universally
> deployed there are already solutions to the problem out there, so why do
> another one?
>
See also the above reply to Ted.
All major vendors of recursive resolvers can deal "legitimate subdomain
wildcards" problem with some feature like Response Rate Limiting.
The difference of my solution is directly reply IP to all "legitimate"
clients' low rate queries, not move in/out the subdomain wildcard records
with LRU.

So long
> -Ralf
>
>
> --
致礼  Best Regards

潘蓝兰  Pan Lanlan

v2.23.0 | Report a Bug | By Email