IETF Logo Mail Archive

Re: [DNSOP] ANAME in answer or additional section [issue #62]

Bob Harold <rharolde@umich.edu> Thu, 13 June 2019 20:51 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D26051207FB for <dnsop@ietfa.amsl.com>; Thu, 13 Jun 2019 13:51:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SBLNcaqhPVar for <dnsop@ietfa.amsl.com>; Thu, 13 Jun 2019 13:51:08 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8165120801 for <dnsop@ietf.org>; Thu, 13 Jun 2019 13:51:07 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id d11so163103lfb.4 for <dnsop@ietf.org>; Thu, 13 Jun 2019 13:51:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/H69Ih65TuxzXbktxtfF0yDg3Oztru7t5QPMPU4EWkw=; b=i3m3gzwgEOW0pJ74WfANfMPkAPDCDu23bMOe6XJFsBsBHN+FFQhnSoClT9ZcbaA6QU QrDDYCps886aHlw3UnHZFMD3rAjsXds1QrtXmIhsDEyZUrZyf6r+9khbV+VrYS7dKIDC 2MtQhoVl//vbZikx6kNKd1puRzxfURBmhoqa+yW/72VgLmav92wRtTgChQ0ZFJt2p71B kVVJSIpuJ4ecZAOQmL6DE1Mduogi93qGNYrXwTriq/7HLNEG+SBoJGc57JdpIC2Urrwa AOH7HYtPp5pMTOg5KBuxTOWfCZ49hOW1WoLsrfdHCIq89W7PTD+OBnsZLTXQTjP1MoaY 4AMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/H69Ih65TuxzXbktxtfF0yDg3Oztru7t5QPMPU4EWkw=; b=XA5t7ZBhcTaCkuej+u4gQ+MGLdhnL99+dzJUG5vD9JdwgpGOvozW3isZRRfUkb9obY XXGGrThS5ou9CCQKnTsVk2PnUNdK4LXhxbtGcebvTQJWiyFNSo5D8ohhnOLPo9h5URyO 8RtedyarjhEOZsKe+h9+xFMSYiudsl+rVUs8U3T2gOFBW+vUcPd6wUHDBSLEkXRLGtQ+ 21VdU/faEddLxHfUDESiuTCEe6fD2oEgRNBydvcG1TQ4+Q74yjoaxAyVRcr16kKAmnn8 G7w62K0hMSBUGreWEHOcd2qBXqoRPP+JJzHD/oUQY6y0bbBjtvK9wud0ZnvWQLHmb7Ft 0ryw==
X-Gm-Message-State: APjAAAX9crF+ESXawI7Hu8cTKMNpgiHRrpXdCII8axj8r5HH6ye7+e8B YKi/SP4AloRLMimboEtYzzcLkQ7TIfWRuqMT+9i+OA==
X-Google-Smtp-Source: APXvYqzEUzW8XJIY+ZYVsoYQXM1pfwsnGqsfy2DH9wFADTgaSNjWwC5W1HYxGG9iy9AD3BbRgo5s+vJCCTBzq+8gFr8=
X-Received: by 2002:a19:22d8:: with SMTP id i207mr42962874lfi.97.1560459066147; Thu, 13 Jun 2019 13:51:06 -0700 (PDT)
MIME-Version: 1.0
References: <3b136e34-7ec0-e144-2c2a-0885185ec2b1@pletterpet.nl> <20190612000459.GA60387@isc.org> <CAJhMdTP-iDbbgnCDV7WRhbh495KvhOW3cGS+0tu74VAoYfU=gg@mail.gmail.com> <CAH1iCiqE70T3fWVcCrSvA86=qJKoWwuRGFRzKnQyediMrm404A@mail.gmail.com> <68b5997e-1c24-a366-1165-9874a36169b5@pletterpet.nl> <CAH1iCiqp1dbP-No4K3t2hNQ2+kD4RVGPgUHB_sHgByzEOsAxuw@mail.gmail.com>
In-Reply-To: <CAH1iCiqp1dbP-No4K3t2hNQ2+kD4RVGPgUHB_sHgByzEOsAxuw@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
Date: Thu, 13 Jun 2019 16:50:54 -0400
Message-ID: <CA+nkc8BcNcYHkpAadsjgCBbSONOkU7G9kUu+t=0AAKZ92WvVAg@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Matthijs Mekking <matthijs@pletterpet.nl>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000531adc058b3ab030"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WiYpTSlIvxQzedTxBmdsH2WzINw>
Subject: Re: [DNSOP] ANAME in answer or additional section [issue #62]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 20:51:18 -0000

On Thu, Jun 13, 2019 at 1:50 PM Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

>
>
> On Wed, Jun 12, 2019 at 1:11 AM Matthijs Mekking <matthijs@pletterpet.nl>
> wrote:
>
>> Brian,
>>
>> Thanks for the detailed background on why DNAME worked. There are a few
>> things that caught my attention:
>>
>> > When a recursive queried an authority server, if it got back a DNAME
>> but did not understand it, it ignored the DNAME but processed the CNAME
>> (as if only the CNAME existed) (plus any other data like chained CNAMEs
>> or A/AAAA records)
>>
>> > All of this is unfortunate, because of the fact that there is no
>> genuinely backward compatible record similar to ANAME that can be used,
>> without a very strong likelihood of breaking things. From authority to
>> recursive: You can't return an ANAME and a CNAME (as a
>> backward-compatible rewrite signal that corresponds to the ANAME), since
>> the CNAME will effectively obscure other RRTYPEs that might coexist
>> (e.g. at the zone apex).
>>
>> This is fine, because that is not what we want: We would like to add the
>> ANAME in the answer section with the A/AAAA records (not a CNAME).
>>
>> > The real problem here, is the "other" record for backward
>> compatibility isn't a rewrite-type (such as CNAME or DNAME), but is a
>> "promoted" A/AAAA record of potentially limited utility and questionable
>> provenance (due to geo-ip stuff, TTL stuff, and RRSIG problems).
>>
>> I actually see the A/AAAA record as the backward compatibility records:
>> An ANAME-aware resolver would understand the ANAME and can act upon it,
>> an ANAME-unaware resolver will use the A/AAAA records that the
>> authoritative returned.
>>
>
> So, this is where the analogy to DNAME diverges from reality of ANAME, and
> IMHO is the the crux of one of the main problems with ANAME.
>
> In the DNAME/CNAME example, the A/AAAA records are returned ONLY IF the
> server that is authoritative for the DNAME is also authoritative for the
> DNAME "target" (right-hand-side/RDATA).
> If the DNAME auth server is not, it will only return DNAME+CNAME records.
>
> The only "legitimate" (in my opinion) reason that the ANAME authoritative
> server should also return A/AAAA records, is if it is also authoritative
> for the ANAME "target" (right-hand-side/RDATA).
>
> (And the reason that having the ANAME authoritative server obtain and
> return A/AAAA records itself leads to what I called:
>
>> potentially limited utility and questionable provenance (due to geo-ip
>> stuff, TTL stuff, and RRSIG problems).
>>
>
> I have elaborated on this problem previously, but will do so again for
> completeness/context:
>
>    - There can be differences (possibly significant differences) in the
>    results returned for resolution of the "target" between the ANAME
>    authoritative server, and the querying resolver.
>       - E.g. Any sort of "stupid DNS tricks" that return different values
>       based on either physical topology (anycast instance) or geo-ip
>       (client-subnet)
>       - That discrepancy can direct clients to a suboptimal server, where
>       suboptimal can even be, from a user perspective, badly broken (e..g. wrong
>       language, illegal content, etc.)
>    - The interactions on TTLs and the need for repeated lookups can have
>    adverse impacts on both clients, resolvers, and auth servers
>       - An auth server might want to use longer TTLs to reduce query
>       volume, for ANAME values that do not change frequently (A/AAAA TTL set to
>       same as ANAME TTL)
>       - The original A/AAAA TTL (for the "target" owner name's A/AAAA
>       RRDATA) might be short because it changes frequently (e.g. CDNs)
>    - If the "sibling" data is only a hint, non-upgraded resolvers will
>    serve A/AAAA records that are either poor (longer latency, higher loss),
>    wrong (incorrect language due to wrong CDN node), broken (long TTL -> wrong
>    server), or slow (requery required)
>
> I don't have a better suggestion on how to fix this within the context of
> ANAME; IMNSHO it is an intractable issue, a fundamental problem with ANAME
> if sibling records are required.
>
> Brian
>

I see two main cases:

   - ANAME replaces a CNAME record, so that other records can be attached
   to the same name. I don't think this is likely to be a big use case. In
   this case, all your concerns apply.


   - ANAME replaces A/AAAA records, most likely at a zone apex, where CNAME
   was desired but not allowed. I think this is the main case for ANAME. And
   in this case, the old A/AAAA records are returned as previously, but with
   the added ANAME record. Your concerns only apply if they already applied to
   the A/AAAA records - nothing has gotten any worse.

Is there another major case I am missing?

-- 
Bob Harold

v2.23.0 | Report a Bug | By Email