IETF Logo Mail Archive

Re: [DNSOP] call for adoption: draft-vandergaast-dnsop-edns-client-subnet

Marcus Grando <marcus@sbh.eng.br> Fri, 13 February 2015 14:28 UTC

Return-Path: <marcus@sbh.eng.br>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7580E1A7D83 for <dnsop@ietfa.amsl.com>; Fri, 13 Feb 2015 06:28:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHqS8jHQaylH for <dnsop@ietfa.amsl.com>; Fri, 13 Feb 2015 06:28:12 -0800 (PST)
Received: from mail-ob0-x231.google.com (mail-ob0-x231.google.com [IPv6:2607:f8b0:4003:c01::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3EA91A86FB for <dnsop@ietf.org>; Fri, 13 Feb 2015 06:28:11 -0800 (PST)
Received: by mail-ob0-f177.google.com with SMTP id wp18so19539516obc.8 for <dnsop@ietf.org>; Fri, 13 Feb 2015 06:28:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbh.eng.br; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5ZKRDyqCUxHlbMzZ4YOBbL1/wW63VV5McOe4C/TpnnI=; b=klchCzarjSf1VcR8YAvrzC8q8kTF8OKTmoBZztcjpjx4V6iSf2LQPT8qLHj+TiZZRr dFsP6tQSWYbOGRlOfZM7uVFPRiUym1xLmUVbKhLtJsb3YKejF9xQdamPgolZcI9aH0BR Nq/O3csITF8CfH9UXNb68z2i0/GBbc8tztMCU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=5ZKRDyqCUxHlbMzZ4YOBbL1/wW63VV5McOe4C/TpnnI=; b=LTnxBln/BVWJViQhUPkOdhTQRbsoshVSkT7cyxjAqpnh/aXNtARWsfi1pKK6lPDUpA FjVM63F3IRB67CTirLbe5RrsCs8NtCgIJiYgELH82iSI1yZEwb9z+yxd5WEWhjg7CrAz ZioNy/GJc9EO2m/ths33Wqh9b0/qCVR4Ol8mIPYhF7xMltUT/pRXqjcqIqe7DbbdnB9y OXhRh62+1QT3QAS+REXNXozRHARbz1h4n0KMaLEmEYgODnTTjRpURrIT1I/RANEN+z1d CKOkmMXB8HKVVq/YJ5RFMytpFBPTRn9UEZjJwvz4DcAEigxaMcpAhAm5zHHhhEhEeI+b 79gQ==
X-Gm-Message-State: ALoCoQmmuXZ3l9vjOG7wX0b1bMpZLC0V72Wnu1Q+QFMYRmNae2KDzGf5ADAF7aq0Cc1am1W2gQfi
MIME-Version: 1.0
X-Received: by 10.60.73.103 with SMTP id k7mr6527672oev.38.1423837690946; Fri, 13 Feb 2015 06:28:10 -0800 (PST)
Received: by 10.182.169.5 with HTTP; Fri, 13 Feb 2015 06:28:10 -0800 (PST)
X-Originating-IP: [177.43.249.158]
In-Reply-To: <D1036F10.F807B%jason_livingood@cable.comcast.com>
References: <CAEyu5L8HnazCEgLR34U9MbgHky3N-QDqhVy59HU0Z3BKpbbqsg@mail.gmail.com> <D1036F10.F807B%jason_livingood@cable.comcast.com>
Date: Fri, 13 Feb 2015 12:28:10 -0200
Message-ID: <CAEyu5L-86=K0UVd6FEvTBxb68KoZPak6_D7Q28R0LNQFt_TV-A@mail.gmail.com>
From: Marcus Grando <marcus@sbh.eng.br>
To: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
Content-Type: multipart/alternative; boundary="001a1135f94ac995c2050ef90bc8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/bi7bCvYom5TsgrSaQWl7vKf1S4w>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] call for adoption: draft-vandergaast-dnsop-edns-client-subnet
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Feb 2015 14:28:14 -0000

Thinking more about this I figure out some things.

First, the resolver query needs to include ECS and can't be a regular
query, that's need to verify end to end ECS support, but I think it's not a
big problem. I think we need a official way to detect if authoritative has
support or not and it need to be automatically, like an SOA query, an TXT
query or another idea, but need to be official. It's important this query
use TTL to revalidate ECS support.

About the manually whitelist, I really think it will be a huge problem and
I'm not a big fan, since the main problem is in the resolver side and not
the authoritative side, but the authoritative side know if support or not
for all domain hosted. It's impossible to know all resolvers around the
world and contact/appy to all those, to whitelist your domain.

Because of that, the idea of an official way to detect if authoritative has
or not support for ECS from a resolver perspective is a good idea. But the
control of this need to be on the authoritative side and the resolver doing
the ECS query to validate end to end and be able to use.

Another point about the SCOPE NETMASK. What you guys think about using
scope netmask to protect resolver resources, an example is: if scope
netmask was 23, authoritative only can use <=23 to scope netmask response.
I know that can be a problem with IPv4 ends, but can save resources on
resolver side.

Best regards
--
Marcus Grando
marcus (at) sbh.eng.br
@marcusgrando

On Thu, Feb 12, 2015 at 11:09 PM, Livingood, Jason <
Jason_Livingood@cable.comcast.com> wrote:

>   Fair point. IMO whitelisting is a common tactic used early on in
> deployment of new stuff to help manage deployment risk. It was also used in
> early IPv6 days where query access to AAAA RRs was whitelisted (see
> http://tools.ietf.org/html/rfc6589). I suspect it would be similar here;
> that the need for and use of whitelisting fades as deployment levels
> increase.
>
>  - Jason
>
>   On 2/13/15, 12:44 AM, "Marcus Grando" <marcus@sbh.eng.br> wrote:
>
>   The question about whitelist is the problem. I think it need to be
> addressed on this doc.
>
> There's some approaches, like Google does, doing low rate ECS query:
> https://groups.google.com/forum/#!topic/public-dns-announce/67oxFjSLeUM
>
> Or something not so traditional like TXT record on domain record or
> hostname based like "ns1.ECS.domain.tld". It's not an clean way, but can
> optimize latency and can address problems like keep approved domains in
> memory or save on disk.
>
> It's almost impossible to authoritative guys, guess each one resolver that
> support ECS. It's need to be automatically.
>
> The other side of this problem is about resources of DNS resolver. If more
> domains enable ECS, it can increase exponentially memory usage keeping
> approved list and cache itself. With this, the minimum netmask will be
> extremly important.
>
> I don't know if it's a good idea fix the limit of how many different
> answers one authoritative can emit. This can be a problem. It's clear for
> everyone that it's much more easier to implement this on authoritative side
> than resolver side, so it need to be clear and easy for both sides.
>
> Best regards
>
>   On 12Feb15, George Michaelson allegedly wrote:
>> >
>> > we've got two agencies who do DNS, and probably have > 20% worldwide
>> > eyeball share in DNS (I don't know, thats a guesstimate) now doing
>> > edns0_client_subnet albiet with whitelist, so its a permit-list, but its
>> > functionally 'there'
>>
>> Whitelists are my biggest bugbear actually. All my other comments are
>> nice-to-haves. I hear that Google now adaptively whitelist which is a
>> nice strategy but I'd really like to see the whitelist approach
>> deprecated as much as possible. (And yes, I understand MarkA's stats
>> that show some small percentage of auth queries will break).
>>
>> I've been in other conversations lately where it was all about how do
>> we get "pick some larger resolver" to whitelist us? We all know that
>> doesn't scale. So interest appears to be growing.
>>
>> > Its probably already more widely deployed than IPv6...
>>
>> On the auth side I think you're right. It's the client side that's the
>> missing link. But this is a classic alignment-of-interest problem. The
>> relatively small number of auths who care implement, but there is
>> little incentive on the resolver side.
>>
>>
>> Mark.
>>
>
> --
>  Marcus Grando
>
>

v2.23.0 | Report a Bug | By Email