[DNSOP] Meeting feedbacks/summary on draft-bretelle-dnsop-recursive-iprange-location
Manu Bretelle <chantr4@gmail.com> Thu, 19 November 2020 01:28 UTC
Return-Path: <chantr4@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 018BF3A1110 for <dnsop@ietfa.amsl.com>; Wed, 18 Nov 2020 17:28:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.152
X-Spam-Level:
X-Spam-Status: No, score=0.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_TRY_3LD=1.999] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OO1Ys6RVCSek for <dnsop@ietfa.amsl.com>; Wed, 18 Nov 2020 17:28:22 -0800 (PST)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BA853A110F for <dnsop@ietf.org>; Wed, 18 Nov 2020 17:28:22 -0800 (PST)
Received: by mail-il1-x133.google.com with SMTP id t13so3858542ilp.2 for <dnsop@ietf.org>; Wed, 18 Nov 2020 17:28:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=/OAZ/dK9Amu+IbXpwpFUiOQhh0mXKfsKtYRHXo+KPfc=; b=UCRrIri7ddgJ/5zl+G4ebTtnLcSqZVTBNc0qqwnhcI9VTql/Sox7aOZ5V/MLns9L6+ NFTP1V7azYS0Qj+MFcrl0oituHXiWrws5/NCz9a5eKRRfRdU+29EBAXMy2FoFiji9d2+ AwqYBJ2nsVB9zgtw2B3B+YHtsY6TkwxqnEDZqJ7Oe5ZLu48yZUg6N8cD9YSOHT9BQFhc wbhZwmcHw3pT6uCYVuW6lNNwBmjeGWxtXLDqtVVD40NygLr2dsrtogtNGwRyDw5ZGnHJ VrIycpUhpeYMwQb7CN0Da/SnQwV4Cty9mSfQmgw3AHauDu/VT7BhZZM3Mmkk8RMcIlu9 ISvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=/OAZ/dK9Amu+IbXpwpFUiOQhh0mXKfsKtYRHXo+KPfc=; b=igKYyjtNDmLfH+uuHtmxUZFwxvuW5kFD5j0biq53xwLnjDnHImGMWEHqrlWgoso9Te 8Jv5fXo4oaVk1AHdrjwb3av1z02lT5UPCeRbIXehqoOS+6SG4mDneD5+a3wLjl5wCRog lvr8oD/2KYyOdNHAp+pMEzsLxj7p0sW/hpL1OpQZ4+83H22owsW01XJuVjpqYzYwHsFH t2R6WVVGq/gHcT2jljUxzcsu5IPd6q/VAOjbqsIUp7gFPjWuViLn0zMKFIYDvV0NdeZp xHdZFhpOXYo14srq0mflawlCmqNOk7n4XQBMqs/3E13j1dteQqTOHOUhaGT6lsxjKPgN Mw8A==
X-Gm-Message-State: AOAM530Z8ILXUihJx7SyEsvGdi94/b3Qg+TZjRHxuBlE1J2Idptt3rx3 jNJWSJgiAvRm2WFXCW0O2JWKFFw68AGZo/fafNT9yLP6Rbs=
X-Google-Smtp-Source: ABdhPJxghxVka/u8B9ObjhZcg832//vDDf4yqyvne7XCXwggBelt4R6K3EI3og9xzyiKHfoMX+Vp2SpaWH3w68WFayY=
X-Received: by 2002:a92:a041:: with SMTP id b1mr11582766ilm.242.1605749301257; Wed, 18 Nov 2020 17:28:21 -0800 (PST)
MIME-Version: 1.0
References: <CAArYzrJTA6myo9tYS=PZVo76stFdf78q0D_+Tec8mHMNOjP+Rw@mail.gmail.com>
In-Reply-To: <CAArYzrJTA6myo9tYS=PZVo76stFdf78q0D_+Tec8mHMNOjP+Rw@mail.gmail.com>
From: Manu Bretelle <chantr4@gmail.com>
Date: Wed, 18 Nov 2020 17:28:09 -0800
Message-ID: <CAArYzrJ0KHfKAFM7GDUx9_eGeKpiOq8Cwff0w_rMrvTQxpYUag@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b32ddc05b46ba461"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bRRg6geL9epjF7dxiLkW3d7PTJg>
Subject: [DNSOP] Meeting feedbacks/summary on draft-bretelle-dnsop-recursive-iprange-location
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 01:28:25 -0000
Hey all, Thanks a lot for providing feedback on the resolver IP ranges and location distribution draft [0] during the dnsop meeting. I gathered the feedbacks below as follow-ups, but, based on some of the comments made at the "mic" or over Jabber, I would also to provide some clarifications as to the intent of the draft. The primary intent of this draft is for resolver DNS providers to be able to share the list of IP ranges they operate under in a standardized way so consumers of such list can rely on 1 consistent format to access and parse. As mentioned in the draft introduction, currently this is a bit all over the place. RFC8805 [1] does provide this format (CSV)/medium (HTTPS). Amongst the use cases: * Being able to access/distribute IP ranges is mostly useful for network/DDoS/Response Rate Limit policies. * Location (optional in RFC8805) can be useful for Geo based DNS answers. While there is work on finding geofeed in the OPSAWG [2], this would defeat the original purpose of sharing resolver-only IP ranges. One could possibly say that only ip ranges are distributed and geolocation would be fetched from inetnum object but it seems to be adding more complexity in both term of consuming and generating the data as we now deal with multiple data-sources in different operational areas (DNS vs Network). Addressing the feedback category received during the meeting. # Geo location is not a good mechanism for providing customized answers Ben Schwartz and others on Jabber commented that Geo location is not the right thing to use. This draft is in no-way recommanding use of country/region... as the way to do so called "geotargeting" DNS, neither does it tries to solve this problem. I do agree that geolocation is different from network topology, latency. DNS targeting is even more complex than that and would take into consideration capacity of the destination (compute, backbone to origin), drain ratio, overall health of the system, (paid) peering vs transit... and more. The thing though, is that not everybody can build this type of metric/feedback loop and instead a lot are relying on the location of the resolver (based on its IP) as a proxy for where to send an end user. This is pretty much all you can get at DNS level. If you are lucky enough to receive and support ECS then you can go a step deeper. Eventually your most granular level of traffic steering (for the web) is going to be once the end user connects to your service and you can generate pages with customize domain to send them to a specific POP, or Alt-SVC. Route53 [3], NS1 [4], DynDNS [5], Akamai [6] to name a few, provide such type of targeting. Opensource authoritative name servers also support GeoIP answers: Bind [7], PowerDNS [8], Knot DNS [9]. Typically based on a DB in MaxmindDB format. Resolver IP could also be used by people implementing Geo targeted answers to generate ipv{4,6}hint SvcParamsKey. So, while using a resolver "location" may not be optimal, there is real use-cases and needs that can be served by standardizing this which gives a decent amount of bang for the buck. # TXT record, no, please no. I hear you and provided this as a potential mechanism knowing that it would be controversial. To "facilitate" discovery, the idea would be to have this behind a special underscore label. Ben Schwartz mentioned that HTTPS would not be a good candidate, SVCB probably more [10]. I had originally thought of URI [11] but favors HTTPS for its potential extensibility (ip hints, ech, alpn...), even though most of those may not be strictly needed for this use case. Mark Andrews commented that APL [12] could probably be a fit with new custom address family. It would mean that the family needs to be registered in IANA's address family numbers registry for something that does not feel close an actual address family. Also, this record could quickly grow in size. Unless the intent was to use it in reverse lookup? Alex Mayrhofer mentioned geo URI. Thanks for mentioning this. I am not sure that going to the full extend of using geo coordinates would be useful for this use case. Coarse geo location is enough I believe and also sufficiant for the use cases. Also already fits within RFC8805 format. # Use cases Some people came to the proverbial mic or commented in jabber about use cases. Joe Abley... thanks for commenting on the use-case. Brian Dickson commented on Jabber: > prefixes of resolver info including geo, allow identification of major common resolver operator, which is very useful to classification/resource reservation on authority side. # Misc Joe Abley... thanks for educating me on IATA not being a universal nomenclature to reference a network location :). I will keep [15] in my toolbelt. Hell, I grew up 70km from Andorra, I should have known better. I would love to see how we can standardize the distribution of resolver IP ranges/locations but I think we need to not focus on the details of using geo location to perform DNS targeted answers as the goal of this document. It is not, it is just an example use cases that is used in many places. I should have probably left the geolocation part aside, but givemn that RFC8805 was providing support to distribute the location at the same time, I merged the geolocation with it. Agreeing on using RFC8805 to distribute the data is probably not the most difficult, but discovery mechanism it going to be more challenging. Should there be 2 drafts? 1 that focuses on the medium/format and 1 that focuses on the discovery? Thanks all, Manu [0] https://datatracker.ietf.org/doc/draft-bretelle-dnsop-recursive-iprange-location/ [1] https://www.rfc-editor.org/rfc/rfc8805.html [2] https://tools.ietf.org/html/draft-ietf-opsawg-finding-geofeeds-00 [3] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html [4] https://ns1.com/resources/understanding-ns1s-geofilters [5] https://help.dyn.com/traffic-director-predefined-geographic-regions/ [6] https://learn.akamai.com/en-us/webhelp/global-traffic-management/global-traffic-management-user-guide/GUID-65EB07B3-1BE3-40DB-8682-50E6836A8A78.html [7] https://kb.isc.org/docs/aa-01149 [8] https://doc.powerdns.com/authoritative/backends/geoip.html [9] https://www.knot-dns.cz/docs/2.7/singlehtml/index.html#geoip-geography-based-responses [10] https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-02 [11] https://tools.ietf.org/html/rfc7553 [12] https://tools.ietf.org/html/rfc3123 [13] https://www.iana.org/assignments/address-family-numbers/address-family-numbers.xhtml#address-family-numbers-2 [14] https://tools.ietf.org/html/rfc5870 [15] https://en.wikipedia.org/wiki/List_of_countries_without_an_airport On Wed, Nov 4, 2020 at 3:00 PM Manu Bretelle <chantr4@gmail.com> wrote: > Hi all, > > There is currently no streamlined way for recursive resolver operators to > distribute the IP ranges/locations that their server farm may use. It is > currently a mixture of csv files shared over email, or web pages with > formats that may be unique to each provider and rarely directly parseable > by automation. > > This document is an attempt to provide a consistent mechanism that > recursive providers can use to distribute their ranges/locations, and auth > providers can use to apply the policies they may wish to. > > Thanks > > Manu > > > --- > A new version of I-D, draft-bretelle-dnsop > -recursive-iprange-location-01.txt > has been successfully submitted by Emmanuel Bretelle and posted to the > IETF repository. > > Name: draft-bretelle-dnsop-recursive-iprange-location > Revision: 01 > Title: Recursive Resolvers IP Ranges location distribution and > discovery > Document date: 2020-10-29 > Group: Individual Submission > Pages: 6 > URL: > https://www.ietf.org/archive/id/draft-bretelle-dnsop-recursive-iprange-location-01.txt > Status: > https://datatracker.ietf.org/doc/draft-bretelle-dnsop-recursive-iprange-location/ > Html: > https://www.ietf.org/archive/id/draft-bretelle-dnsop-recursive-iprange-location-01.html > Htmlized: > https://tools.ietf.org/html/draft-bretelle-dnsop-recursive-iprange-location-01 > Diff: > https://www.ietf.org/rfcdiff?url2=draft-bretelle-dnsop-recursive-iprange-location-01 > > Abstract: > This document specifies a way for recursive resolvers operators to > signal the IP ranges and locations used by their server pools. > > Discussion Venues > > This note is to be removed before publishing as an RFC. > > Source for this draft and an issue tracker can be found at > https://github.com/chantra/draft-dns-recursive-iprange-location. > > > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > >
- [DNSOP] draft-bretelle-dnsop-recursive-iprange-lo… Manu Bretelle
- [DNSOP] Meeting feedbacks/summary on draft-bretel… Manu Bretelle
- Re: [DNSOP] Meeting feedbacks/summary on draft-br… Ben Schwartz
- Re: [DNSOP] Meeting feedbacks/summary on draft-br… Brian Dickson
- Re: [DNSOP] Meeting feedbacks/summary on draft-br… Vittorio Bertola
- Re: [DNSOP] Meeting feedbacks/summary on draft-br… Manu Bretelle
- Re: [DNSOP] Meeting feedbacks/summary on draft-br… Ben Schwartz