Re: [DNSOP] ANAME loop detection
Matthew Pounsett <matt@conundrum.com> Thu, 04 July 2019 15:39 UTC
Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ADD3120162 for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 08:39:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gHtiOLVpofTm for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 08:39:48 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37AD412029E for <dnsop@ietf.org>; Thu, 4 Jul 2019 08:39:47 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id u13so9263023iop.0 for <dnsop@ietf.org>; Thu, 04 Jul 2019 08:39:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/Ab9sanXx53fxSeHPRZ25CyJTXvLHOOoEoH2ry/WBnc=; b=Ttsa5hPiEQxeqQqpdiO/+fENRbsjRQGz5zvZ4WeFVURWkw1dM0qruICJRq3PMevdgO osrJk1+G5znKjrY/D1Wt4e1XZERpI/oEPKALWMWP/hWPmRFl6sRQFEudGs2lBXg8KzFA JPAk7V8W3SCDjGQHv+5EdcyHVL5rHh8L3gsQAU58dyV7SK+UOfNNOe4vC3H5SbYP1YqQ uJH9xikVUAM5EL27Hc+yaCvO3lfPRdHUVaEekJ6lDu6nLAAzRe1/MdxboTeupy6RB0j6 bbspu/2bo+kRyYI0EaamiKVjXf2SFQW1qwZBdpfQ1BuGxv6YFnI36ud53HHA2iR/vHRJ k+zQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/Ab9sanXx53fxSeHPRZ25CyJTXvLHOOoEoH2ry/WBnc=; b=k/bh2SAXg9/Qoyp8TscAuN4QW7BSdRE+TRiN1rgwlFaH8GbNoE5fsWyps3BqeUl6Yc ASBSPryVucondo+RxOqcduYze/ewE8V+XVVpLnLwKWlcPXVcbHWuNPWlfACxA5lk1tcG PANKkZ2zLZO1QfGVLwtjgiRuU/9XoTQSm/36xQadn/sBQTZLhOQlu4r7DL1uyZwHt4qf ISWdiN+oE2ihDmX2QfEA61Yv9jWJR/wvwe6bclxeKd+e1oeYpfIwxFxmovfwr50m9Xok op0zBkGlmCc9ncIGBAJkYJxz2vETxL38Sn2I/v5PS1uvU+n/dCtgJWjYQIEJXfeYkMpP IJNg==
X-Gm-Message-State: APjAAAXPGiDB1HDjjue+i0Ua4DTOUNX70Z7+cxgl0zYWCDrJ1o3fcZ4v UmJxcUAaRJotRSkL8ekGxTW4aSLL5OV9S9qq9lz5Pef8xJI=
X-Google-Smtp-Source: APXvYqyzA1r3H52iBQMBgnjozEfM5ENwVg7KmY09b/v0muk0I9/BJzjQWOVXIgQWEGadjQRJlIdJsPcs6nEJr2VlZ2I=
X-Received: by 2002:a6b:641a:: with SMTP id t26mr10078803iog.3.1562254786430; Thu, 04 Jul 2019 08:39:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAM1xaJ9txy98s5Y+Sq5T5N1KaD-LvtrDTut=mUomjHFwTvWnDg@mail.gmail.com> <a4137531-7641-34f2-6443-1cd904b485e3@pletterpet.nl> <CAAiTEH8v4MqpOvvKzLCeY=3NL8UrY5=LehxXy_JVtAt48muMrw@mail.gmail.com> <38b61acb-d223-2d4e-bfd4-02cee87341a5@pletterpet.nl>
In-Reply-To: <38b61acb-d223-2d4e-bfd4-02cee87341a5@pletterpet.nl>
From: Matthew Pounsett <matt@conundrum.com>
Date: Thu, 04 Jul 2019 11:39:35 -0400
Message-ID: <CAAiTEH-JLuhyBBzsivcGTiVjpo_ZW-pA9W_z6m77eC8n6=5ndg@mail.gmail.com>
To: Matthijs Mekking <matthijs@pletterpet.nl>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009821af058cdcc980"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c5uJvjwGuy3jx0xt-d5ctOUWnXo>
Subject: Re: [DNSOP] ANAME loop detection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jul 2019 15:39:56 -0000
On Thu, 4 Jul 2019 at 10:54, Matthijs Mekking <matthijs@pletterpet.nl> wrote: > Matthew, > > > I would say they should rely on that. Why shouldn't they? Isn't our > > goal to get downstream servers to adopt the extension and do their own > > lookup? The server-side lookups and sibling records are bolt-ons to > > handle the adoption period. Remember, this record is geared toward > > customers of CDNs being able to do get similar behaviour to: > > www.example.com <http://www.example.com>. IN CNAME webfarm.cdn.net > > <http://webfarm.cdn.net>. > > at the apex of example.com <http://example.com>. That was the original > > problem we're trying to solve. I read your statement above about "the > > service they provide their customers" being about the CDN resolving > > webfarm.cdn.net <http://webfarm.cdn.net>, which most CDNs can already do > > within their own infrastructure. > > I am talking about DNS providers that perform CNAME at the Apex like > features: a customer goes to them and opts in to this feature. Such a > provider wants to make sure that it is providing the behavior the > customer expects and thus wants to make sure it hands out appropriate > addresses. > And "CNAME at the Apex like feeatures" is to hand out a CNAME and let the downstream server process that. It may include additional information from other zones it is authoritative for, but it doesn't do side-lookups. I think that's the behaviour we should be aiming for, and to do that some sort of "I understand ANAME" signal would allow the authoritative server to behave more like CNAME. > > Also what is wrong with an authoritative server already giving out more > optimal answers than just the ANAME and sibling address records? > Nothing, as long as it's not going to increase the time it takes to respond to the query. But, you didn't respond to my question. Let me rephrase it a bit: If the authoritative server knows the client understands ANAME, why would the authoritative server not assume that any additional data it supplies will be thrown away? I suggest that it would be wise for an authoritative server to assume that a client that understands ANAME will resolve its own ANAME and ignore any other data it gets. > > > Option #2 gets similar behaviour but at the cost of additional lookups. > > #3 and #4 don't work well in the presence of server farms. > > If addresses are in the response to the ANAME request there is no > difference in number of lookups between 2 and 3 I think. > Did you mean "lookups between 1 and 2"? I didn't say anything about the number of lookups required for 3. I think 3 and 4 are poor choices because they won't behave well with most server farms.
- [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Matthew Pounsett
- Re: [DNSOP] ANAME loop detection Shane Kerr
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Tony Finch
- Re: [DNSOP] ANAME loop detection Matthew Pounsett
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Shane Kerr
- Re: [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Paul Vixie