Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME

Dan York <york@isoc.org> Thu, 08 November 2018 03:06 UTC

Return-Path: <york@isoc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5A97130E93 for <dnsop@ietfa.amsl.com>; Wed, 7 Nov 2018 19:06:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TaKY7XitEEYx for <dnsop@ietfa.amsl.com>; Wed, 7 Nov 2018 19:06:50 -0800 (PST)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (mail-co1nam05on0626.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe50::626]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20A07130EF5 for <dnsop@ietf.org>; Wed, 7 Nov 2018 19:06:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ldB+V01DZViuHyEFPDX68q85x/s28DDJVWBkMzO4njI=; b=tbStuBjpMG4dMVxe12KTL/RbxguQNcQY2j5vFyrbyzUyq5MAZII5VAJPBAPHwZ0hrnLQoGj7Q311QdsssTxEsdmU4E+7MH+t8dv0QZBkcJ86qZQTZTc402OhdI1zgkd/KT0AxqVgV+vr2WFMoOtkZAjwZ56OXADqL6T5fd14/Lo=
Received: from BN3PR0601MB1314.namprd06.prod.outlook.com (10.161.210.139) by BN3PR0601MB1381.namprd06.prod.outlook.com (10.163.39.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.20; Thu, 8 Nov 2018 03:06:38 +0000
Received: from BN3PR0601MB1314.namprd06.prod.outlook.com ([fe80::6ddc:e11:56b8:b6ba]) by BN3PR0601MB1314.namprd06.prod.outlook.com ([fe80::6ddc:e11:56b8:b6ba%9]) with mapi id 15.20.1294.034; Thu, 8 Nov 2018 03:06:38 +0000
From: Dan York <york@isoc.org>
To: Brian Dickson <brian.peter.dickson@gmail.com>
CC: "dnsop@ietf.org WG" <dnsop@ietf.org>
Thread-Topic: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME
Thread-Index: AQHUdwsdWdJBJc5rk0KlCNC9d9wpAaVFMgeA
Date: Thu, 8 Nov 2018 03:06:38 +0000
Message-ID: <2BDA0411-202D-4199-A43B-3FDC50DC47F5@isoc.org>
References: <CAH1iCirLfSEUcTf=p5bHuFJSFie_BoPh4X=89w2mpxgNpR9HkA@mail.gmail.com>
In-Reply-To: <CAH1iCirLfSEUcTf=p5bHuFJSFie_BoPh4X=89w2mpxgNpR9HkA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=york@isoc.org;
x-originating-ip: [2001:67c:1232:144:2d43:aebf:decc:ebba]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN3PR0601MB1381; 6:ePSmN4Af1smNIbXL+3RogZ+1tgPF+cUGn6Mjs5ZorzhUxSKWq7BKVzgDr9v5tsvUS+Conuaq+dqxa2G4aevwRa7PRZ5aPjn7xJ1Zb012zFgc3sq0SJU4l5iQ+xde/wJIa9jKm9GipASDKWRq2h/aQRwI13LoUGYMWhsylhDKT4ewYkQiQAZMdkLy2Mz7XOEbmsPASd7B4Wdb6O153VSb590n1H5IXVwvrmfRDRkB91AxCLFQKUtfA8K0bSkAwOpgb9t9m1kLpAA2ft4FfG576OfhJemA397+X6fdLKQge9HbDSUqauIemoW2IdCJHmlQvhIMHGPEBOhigXmvZvtR2wTGCYVnOkrNCWW5chwdY5OV/s+mev48a3HFNWfPCMaJ/s9KUb7Mix6yNcjd9SMj5HQzGCmfvLLvUcJL8douZRkIWQVJZGUiY0s3OjdBooCKRFez2QGfnfcnbyf+ZHVYQQ==; 5:DAmRASQ7Y9d01cCxemrJxEd5iJramKcBXPjU49S0DDzJC6dGAadOFI+EmtK9/TJa0RMzPfUdBLsfV/OsTKM+9065XgT2Y/iT2RBYxXSXeIuKmpq5x6g1CEi7Aw1qfqxFeKFzBGUqaFZ63PjNGndKiVBJgTdER+wO5I+VHE3c44o=; 7:b8z+pSzOgvkCH9RHGf+AQOCJ81Cid7p1FJHttVySbdK7t+vpPo9unoFNtz94OaXIL1so1PTPKcDKt02kv7GmdtiZYOGzMraxkTi8dpHsfNIJts5XCYCX1tXavgBHul6Rshtnv2dIE0zyvNI0xRhSiA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 0230284f-2dd7-451e-d926-08d645273314
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN3PR0601MB1381;
x-ms-traffictypediagnostic: BN3PR0601MB1381:
x-microsoft-antispam-prvs: <BN3PR0601MB138139C34E665C4B6DCE6470B7C50@BN3PR0601MB1381.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(85827821059158)(192278398808882)(166708455590820)(269456686620040)(31418570063057);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(10201501046)(3231382)(944501410)(4983020)(4982022)(52105095)(148016)(149066)(150057)(6041310)(20161123564045)(20161123560045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699051)(76991095); SRVR:BN3PR0601MB1381; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0601MB1381;
x-forefront-prvs: 0850800A29
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39850400004)(366004)(396003)(346002)(376002)(189003)(199004)(54896002)(6436002)(6512007)(2900100001)(6116002)(53936002)(2906002)(97736004)(46003)(99286004)(14444005)(256004)(236005)(966005)(6246003)(478600001)(76176011)(82746002)(6306002)(6506007)(102836004)(53546011)(186003)(71200400001)(6916009)(606006)(71190400001)(39060400002)(83716004)(229853002)(575784001)(86362001)(36756003)(99936001)(4326008)(7736002)(25786009)(8936002)(345774005)(81156014)(316002)(106356001)(68736007)(33656002)(446003)(476003)(5660300001)(8676002)(6486002)(53376002)(11346002)(14454004)(486006)(2616005)(81166006)(105586002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN3PR0601MB1381; H:BN3PR0601MB1314.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 36a/JfX3zWdyKkecNWR3fSwbRhQZA9Yr5JOKkFTzZO+h4Oy2UWMVCkk82l+4WDQ6+239p8Qz1bSIuCQdUJKHzWSqcgD0TEaIag+41ij+CGNGJxDceFbr35S14VjGBHWo8iIIVRMQ+LcPi6k5RgTn+UrneTxaufLe+dcM12SBBjVFoJEoWDS0SW5bwrZ12hLTP0WGdF6Ie+jUjHr2wtUZ0iloi2F8bFvWkItBUKnL/A6M0piPJkq2FUAM/6nrNYrg/YiL0Zmkryt090wqgNYJlHCwgDM7CtH16FsjNnvJFAef6HJ5+8Tuy8rGgZAjxHUwV3KRnjOi8Vg2VSEm+//KX5uRFLF73R18YkxTU/aFE2M=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; boundary="Apple-Mail=_20EC7A73-B0B0-4A17-BA12-BEF51F119B9F"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-Network-Message-Id: 0230284f-2dd7-451e-d926-08d645273314
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Nov 2018 03:06:38.1648 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0601MB1381
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WN0gvOxlMIdfKGiHblYnDn-IiYM>
Subject: Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 03:06:57 -0000

Brian,

> On Nov 8, 2018, at 9:30 AM, Brian Dickson <brian.peter.dickson@gmail.com> wrote:
> 
> I'm going to start a clean, related thread, to discuss a bunch of questions, that I think can help with the ongoing threads.

DY> Thank you for doing so.

> What we may be forgetting are the USERS of these systems, and the use cases. These matter both in terms of their diversity in their technical savvy, but also in terms of their respective numbers.

DY> This was something I was trying to capture in https://tools.ietf.org/html/draft-york-dnsop-cname-at-apex-publisher-view <https://tools.ietf.org/html/draft-york-dnsop-cname-at-apex-publisher-view> - I definitely welcome comments, feedback and text from others.

> Starting right from that point, it's safe to say that the vast majority of registrants are not operating their own authority servers and editing zone files.

DY> Thomas Peterson did some great data gathering on this point. From a previous message:

>  I took the Alexa top 1 million websites and queried for A* and CNAME against the www records for the top 10 000 domains. What I found is that approximately 44% returned CNAME records, 56% returning A records.  (his code is at https://gist.github.com/thpts/eb5cec361867170a0ffd6ede136c6649 <https://gist.github.com/thpts/eb5cec361867170a0ffd6ede136c6649> )

DY> I played with his data from the top 10K Alexa users and the majority of those CNAMEs looked like they were going to CDNs of different sorts.  Plus, a sizable portion of the A* records are probably cases where the CDNs are also DNS hosting operators and so they are returning to the clients the A* records *after* doing their CDN lookups to point people to the best CDN edge server. (Using one of the various DNS techniques here - or other database techniques.)

> Why not SRV?
> There are a number of reasons that SRV is not in widespread use, that have to do with the mixed bag of ways those 100s of millions of registrants operate their domains.
> 
> Even if registrants use systems that expose SRV to them to configure, as an RRtype, the other parts of SRV are not at all novice-friendly. From the wikipedia page:
> _service.._proto.name <http://proto.name/>. TTL class SRV priority weight port target
> 
> This isn't at all friendly. The alternative is to put all of the above into some kind of UI. But again, this puts several more roadblocks on uptake by users. Regardless of the interface, the values need to be supplied, and the input needs to be validated, with the ability for the user to understand error messages and fix the input. There is no short cut for understanding the values, and knowing about _service and _proto. If the user doesn't get it right the first time, they are very likely to give up, since there are so many variables. For HTTP as a use case, it is far too complex.

DY> Additionally, *at the current time*, the user is typically told by their CDN provider to just "point your domain to <long-CDN-address>" under the assumption that the user is doing a CNAME. The CDN wants to keep it as simple as possible to reduce the possibility of user errors entering the info.  

DY> This is not to say the CDN couldn't tell the user the other info for priority, weight, port, etc.  They could. And I am sure they *would* if that was the only or best way to configure the records.

DY> But from a technical support point of view, the fewer pieces of info you have to give to the end user, the fewer chances are that they will screw it up when entering the data with the DNS operator. Which means happier customers and fewer technical support calls.

DY> The *design* of SRV offers great flexibility and power. But with greater power comes greater deployment configuration issues.

> If you are an SRV proponent, here's my recommendation: Find someone you are acquainted with, who doesn't have any DNS familiarity, show them CNAME and SRV, and ask them for their opinions.. Please.

+1

> 
> Why is CNAME so abundantly used?
> If we look at CNAME, it is much simpler, and probably one of the first things anyone doing DNS every plays with.

DY> Yes.

> Why not CNAME?
> The secondary issue with CNAME isn't just the apex issue, it is the non-coexistence issue (of which apex is merely the poster child).

DY> Agreed.

> This leads to the only logical outcome that is implementable, doesn't require more than five minutes for any user to understand, doesn't require (but supports optional) changes to resolvers, doesn't require any change to authority serving beyond new RRtype(s), and thus can/will get brower support (simply by the numbers):

DY> This to me is a good design statement.

> HTTP.
> 
> Why should HTTP be so simple?
> Because it is simple to use. 
> It looks just like a CNAME.
> It can chain with CNAMEs and DNAMEs.
> It works with stupid DNS tricks.
> It gets the job done. 
> It is a common denominator. 
> That is a feature, not a bug.

DY> A good summary, although the counterpoint I can see from the SRV/URI side is that those records are already out there and supported in the existing DNS infrastructure. 

DY> Upgrading our DNS infrastructure is VERY difficult. Because it is still massively distributed and decentralized (even though we do have ongoing centralization/consolidation), getting a new RRTYPE deployed means:

- upgrading all the authoritative servers to support the new RRTYPE
- upgrading all the *provisioning software* at the thousands of DNS registries, DNS registrars, DNS hosting operators to support the new RRTYPE
- upgrading the *millions* of recursive resolvers to know what to do they receive the new RRTYPE in a query response

DY> A group of us wrote about these issues in https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-06 <https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-06> and while that was talking about deploying new DNSSEC crypto algorithms, the situation is very similar for new RRTYPEs.

DY> Which is NOT to say we should NOT do a new RRTYPE.  I can see many of the benefits of HTTP.

DY> But it is to say that deployment will take a lllllllllooooooooooooonnnnnnnnnnnnnggggggggggggg time.

DY> Which does means we do need to get started NOW ... but it also means that it will be a significant number of years before it is widely available and deployed. (But if we don't start, of course, it will never happen.)

DY> (And even if were to decide to change the behavior of CNAME, for instance, to allow it to co-exist at the apex, it would take a long time for that support to roll out into the millions of recursive resolvers.)

DY> I'm just pointing out that the counter-argument FOR the use of SRV/URI is that they are out there now and would not have the same significant deployment lag. (But they still have the same user deployment issues I mentioned above.)

> Why service-specific?
> As Ray points out, MX is already there as a service-specic RRtype. 
> Other service-specific RRtypes may be needed, and new RRtypes are easy to get now. 
> (Perhaps we can anticipate what some of those are, and include those in the draft?)

DY> Let's keep any drafts simple and focused on a single RRTYPE.  We need RFCs to be as easy as possible for someone to *understand* and then *implement*.

Thanks for bringing this all together,
Dan

--
Dan York
Director, Content & Web Strategy, Internet Society
york@isoc.org   +1-802-735-1624 
Jabber: york@jabber.isoc.org  Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/