[DNSOP] BCP on rrset ordering for round-robin? Also heads-up on bind 9.12 bug (sorting rrsets by default)

Erik Nygren <erik+ietf@nygren.org> Fri, 15 June 2018 15:45 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_diK61t7YmZu_DJvRvUAhvKVSh4>

A number of folks have been bitten by a bug in bind 9.12 where it silently
changes the default sorting of rrsets to always be sorted (even if the
authoritative response wasn't sorted).  This causes problems for services
assuming at least some degree of round-robin behavior by clients as now
many clients would send all traffic to only the lowest IP.  Bug details:
https://gitlab.isc.org/isc-projects/bind9/issues/336
If you are upgrading to or have upgraded to bind 9.12 you likely want to
take a fix or override in config.

This raises the question of whether there would be value in a more modern
BCP covering round-robin expectations for recursive resolvers?  I suspect
many (most?) service operators take at least some degree of DNS round-robin
behavior by recursive resolvers as a default.

I suspect starting assumptions are roughly in the range of:

* Recursive (and stub?) resolvers (SHOULD/MUST?) do some form of
round-robin in RRset responses.

* There are a variety of ways to implement round-robin (randomize, permute,
etc).

* Server operators need to be aware that round-robin may be a part of a
load balancing scheme (especially if capacity is far greater than average
demand) but should not be relied on exclusively.  (Perhaps with examples of
why...)

Am I missing something in terms of an existing BCP to this effect?  There's
RFC 1794, but I couldn't find much else (but given the sheer number of DNS
RFCs it's very likely I missed one).

Best, Erik
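
An added example, not part of the original message: a check an operator could run over answers collected from repeated queries to one resolver for the same name, to tell whether it returns the rrset in a fixed sorted order (the behaviour described above) or rotates or shuffles it. The function name and the sample answers (192.0.2.0/24 documentation addresses) are constructed for illustration, and each rrset is assumed to hold a single address family.

```python
import ipaddress
from collections import Counter

def classify_rrset_order(responses):
    """Classify answer ordering; responses is a list of address lists as received."""
    if len(responses) < 2:
        raise ValueError("need at least two responses to judge ordering")
    # Parse addresses so comparison is numeric ("192.0.2.9" < "192.0.2.100").
    parsed = [[ipaddress.ip_address(a) for a in r] for r in responses]
    distinct = {tuple(r) for r in parsed}
    base = parsed[0]
    rotations = {tuple(base[i:] + base[:i]) for i in range(len(base))}
    if len(distinct) == 1:
        # Same order every time: no round-robin at all.
        verdict = "fixed-sorted" if base == sorted(base) else "fixed"
    elif distinct <= rotations:
        verdict = "cyclic"        # every answer is a rotation of the first
    else:
        verdict = "shuffled"      # permuted or randomized
    # Clients that simply use the first record send this share of
    # connections to the single most frequently leading address.
    leader, count = Counter(r[0] for r in parsed).most_common(1)[0]
    return {"verdict": verdict,
            "top_first": str(leader),
            "first_share": count / len(parsed)}

# Constructed sample answers for one name with three A records.
SORTED_SAMPLE = [["192.0.2.9", "192.0.2.20", "192.0.2.100"]] * 6
CYCLIC_SAMPLE = [
    ["192.0.2.9", "192.0.2.20", "192.0.2.100"],
    ["192.0.2.20", "192.0.2.100", "192.0.2.9"],
    ["192.0.2.100", "192.0.2.9", "192.0.2.20"],
] * 2
SHUFFLED_SAMPLE = [
    ["192.0.2.9", "192.0.2.100", "192.0.2.20"],
    ["192.0.2.20", "192.0.2.9", "192.0.2.100"],
    ["192.0.2.100", "192.0.2.20", "192.0.2.9"],
    ["192.0.2.9", "192.0.2.20", "192.0.2.100"],
]

if __name__ == "__main__":
    for name, sample in [("sorted", SORTED_SAMPLE),
                         ("cyclic", CYCLIC_SAMPLE),
                         ("shuffled", SHUFFLED_SAMPLE)]:
        print(name, classify_rrset_order(sample))
```

A `fixed-sorted` verdict with a `first_share` of 1.0 is the signature of the problem: every first-record client lands on the lowest address.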