IETF Logo Mail Archive

Re: [DNSOP] ANAME in answer or additional section [issue #62]

Matthijs Mekking <matthijs@pletterpet.nl> Fri, 14 June 2019 07:00 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE59B1200DE for <dnsop@ietfa.amsl.com>; Fri, 14 Jun 2019 00:00:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8FZM0zzQVZfz for <dnsop@ietfa.amsl.com>; Fri, 14 Jun 2019 00:00:01 -0700 (PDT)
Received: from lb2-smtp-cloud7.xs4all.net (lb2-smtp-cloud7.xs4all.net [194.109.24.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFF3D120019 for <dnsop@ietf.org>; Fri, 14 Jun 2019 00:00:00 -0700 (PDT)
Received: from [IPv6:2001:980:4eb1:1:90db:7d55:e602:50e0] ([IPv6:2001:980:4eb1:1:90db:7d55:e602:50e0]) by smtp-cloud7.xs4all.net with ESMTPSA id bgBnhVqdY5qKabgBphKZ17; Fri, 14 Jun 2019 08:59:58 +0200
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
References: <3b136e34-7ec0-e144-2c2a-0885185ec2b1@pletterpet.nl> <20190612000459.GA60387@isc.org> <CAJhMdTP-iDbbgnCDV7WRhbh495KvhOW3cGS+0tu74VAoYfU=gg@mail.gmail.com> <CAH1iCiqE70T3fWVcCrSvA86=qJKoWwuRGFRzKnQyediMrm404A@mail.gmail.com> <68b5997e-1c24-a366-1165-9874a36169b5@pletterpet.nl> <CAH1iCiqp1dbP-No4K3t2hNQ2+kD4RVGPgUHB_sHgByzEOsAxuw@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <aedd92dd-0fc5-f895-bf96-4bd2a1ab1817@pletterpet.nl>
Date: Fri, 14 Jun 2019 08:59:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAH1iCiqp1dbP-No4K3t2hNQ2+kD4RVGPgUHB_sHgByzEOsAxuw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfOD7xxYPIh4cQSvwKZ8UTRe91x4sx1Oe7U3lwgr0pgM3NYOYukxda85HZvgMS973kQFtx4N+Xq0kP/bdvdTcjtr/apk2yDjA58CO83FGp9XyXHO3Firg 2LNV3F74aPwfpgyP9HzoUDXE6+6EiqEz5rAJZsr0hn7uVqR1SaN/LEaOymlME6a2fMr93MHyCHYD023y1br6U2k+EOmdHIi4S+ijxVGD9QPtFlPxW+/GR8Dh zUNBD2oWoCydfRTusXdDfHS8pbykyq0t0jL8XzkC4Vmea0Qmjl70qeET6zT/OJaUK7AvTCNQtyXeuHSRP6cR6Q==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZdHwmu8ukV3mOZwUni6xW-GYCuA>
Subject: Re: [DNSOP] ANAME in answer or additional section [issue #62]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jun 2019 07:00:04 -0000

Brian,

On 6/13/19 7:50 PM, Brian Dickson wrote:
> 
> 
> On Wed, Jun 12, 2019 at 1:11 AM Matthijs Mekking <matthijs@pletterpet.nl
> <mailto:matthijs@pletterpet.nl>> wrote:
> 
>     Brian,
> 
>     Thanks for the detailed background on why DNAME worked. There are a few
>     things that caught my attention:
> 
>     > When a recursive queried an authority server, if it got back a DNAME
>     but did not understand it, it ignored the DNAME but processed the CNAME
>     (as if only the CNAME existed) (plus any other data like chained CNAMEs
>     or A/AAAA records)
> 
>     > All of this is unfortunate, because of the fact that there is no
>     genuinely backward compatible record similar to ANAME that can be used,
>     without a very strong likelihood of breaking things. From authority to
>     recursive: You can't return an ANAME and a CNAME (as a
>     backward-compatible rewrite signal that corresponds to the ANAME), since
>     the CNAME will effectively obscure other RRTYPEs that might coexist
>     (e.g. at the zone apex).
> 
>     This is fine, because that is not what we want: We would like to add the
>     ANAME in the answer section with the A/AAAA records (not a CNAME).
> 
>     > The real problem here, is the "other" record for backward
>     compatibility isn't a rewrite-type (such as CNAME or DNAME), but is a
>     "promoted" A/AAAA record of potentially limited utility and questionable
>     provenance (due to geo-ip stuff, TTL stuff, and RRSIG problems).
> 
>     I actually see the A/AAAA record as the backward compatibility records:
>     An ANAME-aware resolver would understand the ANAME and can act upon it,
>     an ANAME-unaware resolver will use the A/AAAA records that the
>     authoritative returned.
> 
> 
> So, this is where the analogy to DNAME diverges from reality of ANAME,
> and IMHO is the the crux of one of the main problems with ANAME.
> 
> In the DNAME/CNAME example, the A/AAAA records are returned ONLY IF the
> server that is authoritative for the DNAME is also authoritative for the
> DNAME "target" (right-hand-side/RDATA).
> If the DNAME auth server is not, it will only return DNAME+CNAME records.
> 
> The only "legitimate" (in my opinion) reason that the ANAME
> authoritative server should also return A/AAAA records, is if it is also
> authoritative for the ANAME "target" (right-hand-side/RDATA).

I disagree.  I do think an authoritative should be careful when doing a
target lookup and not recklessly replace its sibling records. But this
is all about how much trust you have in your ANAME resolution.


> (And the reason that having the ANAME authoritative server obtain and
> return A/AAAA records itself leads to what I called:
> 
>     potentially limited utility and questionable provenance (due to
>     geo-ip stuff, TTL stuff, and RRSIG problems).
> 
> 
> I have elaborated on this problem previously, but will do so again for
> completeness/context:
> 
>   * There can be differences (possibly significant differences) in the
>     results returned for resolution of the "target" between the ANAME
>     authoritative server, and the querying resolver.
>       o E.g. Any sort of "stupid DNS tricks" that return different
>         values based on either physical topology (anycast instance) or
>         geo-ip (client-subnet)>       o That discrepancy can direct clients to a suboptimal server,
>         where suboptimal can even be, from a user perspective, badly
>         broken (e.g. wrong language, illegal content, etc.)>   * The interactions on TTLs and the need for repeated lookups can have
>     adverse impacts on both clients, resolvers, and auth servers
>       o An auth server might want to use longer TTLs to reduce query
>         volume, for ANAME values that do not change frequently (A/AAAA
>         TTL set to same as ANAME TTL)
>       o The original A/AAAA TTL (for the "target" owner name's A/AAAA
>         RRDATA) might be short because it changes frequently (e.g. CDNs)

I agree with these issues, but I also think they are solvable with some
trickery. Perhaps some words in a Considerations section about that make
sense.


>   * If the "sibling" data is only a hint, non-upgraded resolvers will
>     serve A/AAAA records that are either poor (longer latency, higher
>     loss), wrong (incorrect language due to wrong CDN node), broken
>     (long TTL -> wrong server), or slow (requery required)

The sibling data is not a hint, it is the actual answer that the
authoritative hands out for address queries. The ANAME target lookup
process is replacing the sibling address records with the target values.


Best regards,

Matthijs


> I don't have a better suggestion on how to fix this within the context
> of ANAME; IMNSHO it is an intractable issue, a fundamental problem with
> ANAME if sibling records are required.
> 
> Brian

v2.23.0 | Report a Bug | By Email