Re: [DNSOP] Fundamental ANAME problems

Bob Harold <rharolde@umich.edu> Fri, 02 November 2018 19:20 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C566130DC8 for <dnsop@ietfa.amsl.com>; Fri, 2 Nov 2018 12:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9FPSKWYmscaS for <dnsop@ietfa.amsl.com>; Fri, 2 Nov 2018 12:20:16 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EE83126BED for <dnsop@ietf.org>; Fri, 2 Nov 2018 12:20:15 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id c4-v6so2694065lja.4 for <dnsop@ietf.org>; Fri, 02 Nov 2018 12:20:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0UlsXaI8MDNPf9MfpddXVrVHl1M6bgdgRKlT//88Aws=; b=BjfFf/S5GGv9GeMSM7kzQ4KXVopJVg0ashUDRNEKZow5YdDVtNtwAbo7uY1ih3i7SC 3ZXZ1jhVolTeV6n5A7PeEN//jemI8bDWoZT6CQ1MrMvCEWc24uCTsXQUq1o8rF2+LUx7 EdpUEIeakWS+PW+Lui7jKpJ9Jyu2DKKyqOsCebIgDTXBub4FcXDtBN4iP+IDm8N2qcox 0gQu6SvGrA8K9zir4lvjlX9CUudZsundPuX03celjJ0iA75fRgszwKLSvgZOuKifYTwM c3GBg3CyAdCK16ELzOPIV8/YWSWuNCdbRMVnB/4SsFUHdjuWgdIIENUel4RDzl0Jr/z3 2rWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0UlsXaI8MDNPf9MfpddXVrVHl1M6bgdgRKlT//88Aws=; b=ZCTUTODvYOKGYsPHZKEzRR7Ok7UsI5Tezn6dSAqExlZFfn8csTu6dblWxupXmWg24U rJ/hky85eFjs0RkGd5RhjGyr3iCKQcF5am57ujQ9WrJpLQq9zpNx7Kglo3gX8sPEDoSc f2RsCKoEYFfVoIzxg4pNRayZvdLe6AoKvSs8YzIn2iWXOlZ+OKaZX67bkFia9NgXCfYe DDkEqjGWALeI11rrpEO75hmIHSAqvPTWsgwZerNNR+47NcuxTBOEUpZrq8jEiBCOqYxN wqAsEcL0ToBW72g/zl5anPt6EUz/+OvMwfSUaOmSMCcsI9or4AGbykYFzIDx9kAnzw+b E/SQ==
X-Gm-Message-State: AGRZ1gIV/PjPoAn45ERKMpMAZvCnE6MbaEd97HZYLfpBpdWc5nySPEVd GVs5cwWzBaRSplvk/IztPp0RJaGSfz58f+64KPIJZqJb0MU=
X-Google-Smtp-Source: AJdET5dZaUWbxyUEkEyYIKdhp9GSJH70fTNQLx+dgC7jeK9gX3lHQfnxDu4sQtUtZTiHJUSBZXGJKgVxde+I9CQJo08=
X-Received: by 2002:a2e:8945:: with SMTP id b5-v6mr8769281ljk.55.1541186413412; Fri, 02 Nov 2018 12:20:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAH1iCirXYsYB3sAo8f1Jy-q4meLmQAPSFO-7x5idDufdT_unXQ@mail.gmail.com>
In-Reply-To: <CAH1iCirXYsYB3sAo8f1Jy-q4meLmQAPSFO-7x5idDufdT_unXQ@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
Date: Fri, 2 Nov 2018 15:20:01 -0400
Message-ID: <CA+nkc8C6yVT62cW5QP-ec2ZT7FY_n48Ecr=CLeE6FS_1duBO8g@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b45a220579b36c74"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WTT6kKgai9_n06rucB-9ZPS20nE>
Subject: Re: [DNSOP] Fundamental ANAME problems
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2018 19:20:21 -0000

My thoughts at the bottom...

On Thu, Nov 1, 2018 at 6:34 PM Brian Dickson <brian.peter.dickson@gmail.com>;
wrote:

> Greetings, DNSOP folks.
>
> First, a disclaimer and perspective statement:
> These opinions are mine alone, and do not represent any official position
> of my employer.
> However, I will note that it is important to have the perspective of one
> segment of the DNS ecosystem, that of the authority operators (are also
> known as DNS hosting operators.)
> IMNSHO, authority operators provide a critical element of the DNS
> ecosystem, operating DNS zones for the vast majority of DNS registrants.
>
> The important element of this perspective is, that changes to how DNS
> operates and scales, if they have an adverse impact on authority operators
> (at scale), have potential knock-on impact to everyone.
> If (and I realize this is a big "if") changes are made which adversely
> affect the operation cost (regardless of whether it is direct or
> indirect/consequential) of operating authority services, this puts at risk
> the ability of registrants to operate their own zones (e.g. if there are
> fewer authority operators, or if prices skyrocket).
> This further puts at risk, the ongoing volume of DNS registrations, which
> impacts the viability of everyone else whose business relies on
> registration fees, directly or indirectly, including TLDs, CDNs, (non-DNS)
> hosting, and even ICANN itself.
> Caveat dnsops.
>
> Given the above, I feel it is important to point out several problems that
> are rooted in the requirement to dynamically update the sibling records
> that is present in the current design of ANAME. (This is the only real
> problem I see, but it's a doozie.)
>
> (The introduction text mentions some of these, but IMHO doesn't adequately
> address their impact.)
>
> First, there is the issue of imposed update frequency.
>
> The requirement on update rate, is imposed externally by whichever entity
> operates the ANAME target. In other words, this is not under the direct
> control of the zone operator, and is potentially a potentially (and very
> likely) UNBOUNDED operational impact/cost.
>

> Second, this issue is compounded by scale.
>
> The issue here is, that the larger the entity is that operates zones with
> ANAMEs is, the larger the resulting impact. This is a new, unanticipated,
> asymmetric cost. It has the definite potential to make operating authority
> servers prohibitively costly.
>

> Third, there is an issue with the impact to anycast operation of zones
> with ANAMEs, with respect to differentiated answers, based on topological
> locations of anycast instances.
>

> There is currently an expectation on resolving a given name, that where
> the name is ultimately served (at the end of a *NAME chain) by an entity
> doing "stupid DNS tricks" (e.g. CDNs), that the answer provided is
> topologically appropriate, i.e. gives the "best" answer based on resolver
> (or in the case of client-subnet, client) location.
> When done using CNAMEs, the resolver is the entity following the chain,
> and does so in a topologically consistent manner. Each resolver instance
> querying a sequence of anycast authorities which return respective CNAMEs,
> gets its unique, topologically-appropriate answers, and there is no
> requirement or expectation that resolvers in topologically distinct
> locations have any mutual consistency.
> ANAME places the authority servers in an anycast cloud, in a "Hobsons
> choice" scenario. Either a single, globally identical sibling value is
> replicated to the anycast instances (which violates the expectation of
> resolvers regarding "best" answer), or each anycast instance needs to do
> its own sibling maintenance (with all that implies, including on-the-fly
> DNSSEC signing), or the anycast cloud now has to maintain its own set of
> divergent, signed answers at the master, and add all the complexity of
> distributing and answering based on resolver topological placement. (The
> last two have significant risk and operational complexity, multiplied by
> the volume of zones served, and impacted by the size of the anycast cloud.)
>
> To summarize:
> The requirement to maintain sibling records (A/AAAA) itself is absolutely
> a "camel back breaking" requirement. The issues are: frequency of updates
> required is externally imposed; either the correctness required by ANAME
> targets is broken (using single A/AAAA value regardless of anycast
> location), or the complexity of performing A/AAAA updates is compounded by
> at least NxM (N anycast locations of authority operatior, M disparate
> values provided in response to A/AAAA queries to the ANAME target); plus
> the added requirement of on-the-fly DNSSEC signing is a non-scalable and
> security-challenging non-starter.
>
> Side-note: we, as a community, have been pushing for wide-scale adoption
> of DNSSEC; this definitely places a significant hurdle to adoption,
> precisely in a wide-scale manner, i.e. to the vast majority of DNS
> registrants. It is a big roadblock to DNSSEC adoption, and a move in the
> wrong direction.
>
> What are the alternatives?
>
> Fundamentally, the behavior that is desired that we are collectively
> trying to preserve, is that of resolver-based *NAME chain resolution, just
> with the ability to do so at the apex of a zone.
>
> This points to the only logical places that MUST be part of any apex-based
> chaining of resolution: resolvers, or clients.
> (I include clients as an option, since it is at least feasible to include
> client-based multiple-lookups as an alternative to "additional processing"
> that would otherwise be needed in resolvers.)
>
> Ultimately, this means any solution that has this characteristic, can only
> provide backwards compatibility to clients, if resolvers are updated, or
> alternatively, if clients are updated to do whatever is required that
> resolvers which aren't updated won't do. (Sorry for the badly written
> logic, english is not really well suited for branching logic.)
>
> There would still be a requirement on authority servers, but it would not
> provide a transparent backwards compatibility without updates to resolvers
> or clients. There would need to be SOME response to give to resolvers,
> telling them where to go and what to do. The only differences are, on the
> non-providing of sibling records, and the changes to response processing in
> which the new record type(s) are selected and returned. On the plus side,
> in this different model, the RRs would be basically constant, allowing the
> scaling of authority operators to be unaffected, and there would not be a
> requirement for dynamic updates or frequent/on-the-fly DNSSEC signing.
>
> There are several choices, and dependent on what those are, is what the
> logic change needed would be, where the new RRtype(s) could be used, and
> how resolvers and/or clients would handle the new responses.
>
> If the current limited ANAME (without sibling) is used, the logic would be
> to return it only if the corresponding query types (A or AAAA) are seen,
> there is no RRset of that type at the owner name, and there is an ANAME
> record. The processing on the authority, and resolver or client, would be
> pretty much as in the current draft, modulo not having the sibling record.
> If the response to an A/AAAA query is an ANAME, follow the chain until an
> A/AAAA record is found, or the chain breaks. If this is done by the
> resolver, special handling on TTL and new client queries would be necessary.
>
> Another option would be a similar type, maybe ACNAME (address CNAME),
> which could co-exist with other types, and could occur both at an apex and
> anywhere else in a zone. Same basic processing logic.
>
> A third option would be, for lack of a better term, WCRR, wildcard RR
> type, whose RDATA is an FQDN. The logical processing would be to add
> handling at the point where "NOERROR, NODATA" would otherwise be returned,
> right above the WILDCARD in the resolution process. If no match for QTYPE
> is found, check for WCRR type, and return that it found. Resolver handling
> would be the same; if a WCRR type is returned, replace the QNAME with the
> RDATA and re-start query processing.
>
> Client handling of these could be done via simultaneous queries for A (or
> AAAA) and ANAME (or WCRR), and following ANAME/WCRR replies to their target
> if no A/AAAA response is received and an ANAME/WCRR is received.
>
> (IMHO, the WCRR is a bit cleaner to implement on both authority and
> resolver, and is more forward-looking, i.e. handles other aliasing at other
> RRtypes as well, if needed.)
>
> The last option would be handling all of this junk in the browser, with
> either SRV, or whatever new RRTYPE is required that fixes the problem(s)
> with SRV that the HTTP folks require.
>
> Brian
>

I agree that unlimited updates could be an issue, but I think we can make
this work.

This might not be what the RFC says, but in reality I would likely handle
it this way:
I would treat this as a stepwise improvement.
I would suggest rolling this out in steps:
1. Allow adding ANAME records. Do not change any of the existing records,
and do not do any new updates.

Authoritative servers:


   - If the authoritative is not doing "proprietary A record updates" or
   "location based A records" (the premium feature you call "stupid DNS
   tricks") then there is no significant change in effort. They have a single
   set of A records for everyone, same as currently. Just also send the ANAME
   record.
   - If the authoritative is using "proprietary A record updates", it
   continues to do that. Just also send the ANAME record.

Resolvers:


   - If a resolver does not understand ANAME, nothing changes.
   - If a resolver does ANAME, it gets an immediate advantage.


2. ANAME style updates to the authoritative.

If not doing proprietary updates currently, this is a new feature, and
might require a premium cost.


   - Limit to one ANAME at the apex, or price per ANAME if needed.
   - Limit the update rate, or charge based on rate.

If currently using proprietary updates, convert to ANAME style updates, at
the same rate, and using the same DNSSEC signing mechanism that it used for
the proprietary updates. And charge the same amount.


3. Years later, when most all of the resolvers on the planet have updated
to understand ANAME, give users the option to remove the A and AAAA
records, and remove the update processing and charge less for the
simplified version. This might take decades and might never happen.

Another option to give users is a non-updating fallback A record, that
could point to a web redirect.  That saves all the hassle of updates.  (I
encourage users to redirect the apex to www... and the I CNAME www to the
CDN.  Some users don't want the www, but it solves the DNS problem.)

 My preference would be a *NAME record that specifies which record types it
applies to.  So one could delegate A and AAAA at apex to a web provider, MX
to a mail provider, etc.  That would also be valuable at non-apex names.
But I am happy to support ANAME as part of the solution.

-- 
Bob Harold