Re: [DNSOP] a CDN perspective on ANAME challenges
Erik Nygren <erik+ietf@nygren.org> Mon, 22 July 2019 19:31 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7228912008C for <dnsop@ietfa.amsl.com>; Mon, 22 Jul 2019 12:31:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.557
X-Spam-Level:
X-Spam-Status: No, score=-1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.091, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nbh2RVq45j8a for <dnsop@ietfa.amsl.com>; Mon, 22 Jul 2019 12:31:53 -0700 (PDT)
Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C32F12004E for <dnsop@ietf.org>; Mon, 22 Jul 2019 12:31:53 -0700 (PDT)
Received: by mail-wm1-f49.google.com with SMTP id a15so36281298wmj.5 for <dnsop@ietf.org>; Mon, 22 Jul 2019 12:31:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7HKr6pcRzLFcSKjNiELeGH64YRTsOZlJB1jyNc2YIDY=; b=ghl6nqo7FWseiDjZADpryDcVevqFBL161qcHYcoWH2sSRG8o4UA+kQfVLjcVDguRlM 07LeM49CXjUm58Cya//jZiw+p6z72zM7sQeWDHhdiQdWa2BV5yAMsJ+/fNZ+P75fGSJo RvvFr47FzTnb8uw0ONb4LRiWQ6B/G6C3RldZow22j9UOEo9xS/1V7jtBKTZXTV5scV21 PIMYTkuVuo7vG0BZFFMpUI/ALeQMlixtQY1lTpWBxjKGbeZfNelTAbar/XQGTtM8xiB0 Goyl+guf8EvJ1+pKsM8FX4B5kRu6GhAfl/PX7wZ28ZY3t1EWVU19YpcDyL0Wsm8676RJ 5cTA==
X-Gm-Message-State: APjAAAUHK2Rk5L/RWAYPLwT3C1UTlFp3zbsarPffDVHE5bze4iBPl7SB 5zZBXhRtOFuLG+ybezs7W/W+97OeowSle84909M=
X-Google-Smtp-Source: APXvYqzNLuUS2KOdWG1TwDJDPzq0tXiUTcn4tl7nBCE6WWn8stVUtyB4AuGC5Bp2knqPKOj9FKFjuXYoqfYLvh96QJE=
X-Received: by 2002:a05:600c:20c3:: with SMTP id y3mr66957998wmm.3.1563823911422; Mon, 22 Jul 2019 12:31:51 -0700 (PDT)
MIME-Version: 1.0
References: <CAKC-DJjiwEA977sLpriPg5yyfm--yCQ=xMUGk7VbXyYd8uPE6g@mail.gmail.com> <d84769fe-77b7-a983-94ae-60416b449b7d@pletterpet.nl>
In-Reply-To: <d84769fe-77b7-a983-94ae-60416b449b7d@pletterpet.nl>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Mon, 22 Jul 2019 15:31:38 -0400
Message-ID: <CAKC-DJjsTNxnb3f2_yWZ_GAqe6MMkH2W2Z9n0XpwZ1sjDa_6aQ@mail.gmail.com>
To: Matthijs Mekking <matthijs@pletterpet.nl>
Cc: dnsop WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb51bb058e4a202b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cVScHfWjxD_lYNDqeIoPubwL0Uk>
Subject: Re: [DNSOP] a CDN perspective on ANAME challenges
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 19:31:58 -0000
Reading the draft again, I think a challenge with the structure relative to
the CDN
use-case is that requirements on how and where sibling record resolution
is done are derived from the target of the ANAME, not from the
authoritative nameserver.
It may make sense to be much more clear on this, as what it means to
support ANAME
on an Authority in an interoperable fashion depends on the DNS
architecture
of the expected targets of ANAMEs. If the common use-case of ANAME is
to provide interoperability between authoritative DNS infrastructure for
zone apex ANAMEs that point to CDNs not operated by the DNS infrastructure,
then the common case for ANAME may need to be for authorities
to "recurse with ECS to get the A/AAAA sibling record".
Otherwise the interoperability goal won't be achieved.
>From the perspective I've seen from my $dayjob at Akamai
(a large provider of CDN services), I suspect that CDNs
may say "we only support being the target of an ANAME
for third-party authorities that do X, Y, and Z" then it may
be confusing to mutual customers if that set of things
is only listed as being an optional variation in an appendix.
This seems like it has lots of risk of confusion around interoperability
and what it means for an authoritative DNS provider to
have "implemented ANAME".
> > Authoritative resolvers do a mixture of the following, which is
> Do you mean authoritative name servers here?
Yes, authoritative nameservers, but also ones that effectively have
to be resolvers in-order to do inline sibling record resolution (and
caching)
and sending ECS.
Erik
On Mon, Jul 15, 2019 at 4:56 AM Matthijs Mekking <matthijs@pletterpet.nl>
wrote:
> Hi Erik,
>
> Thanks for sharing this perspective.
>
> On 7/12/19 7:52 PM, Erik Nygren wrote:
> > One of the intended goals of ANAME is to improve interoperability of
> > onboarding onto CDNs for URLs at a zone apex, such as
> > “http(s)://example.com <http://example.com>”.
> >
> >
> > The TL;DR is that ANAME is unlikely to allow interoperability here
> > unless authorities are willing to effectively and scalablely do
> > recursion-with-ECS for all requests (caching keyed by ECS prefix and
> > obeying short, sub-minute TTLs). Simply resolving “sibling address
> > records” on a zone master (per draft-ietf-dnsop-aname-04) is likely to
> > be declared incompatible and unsupported (or at least severely
> > restricted) by at least some (if not many) CDNs.
>
> The document is written in such a way that it is inter-operable, and can
> work with offline DNSSEC signing, but authorities can still implement
> their own "on-the-fly" ANAME processing that takes into account ECS and
> perform online DNSSEC signing. I suspect that authoritities with CDN
> customers will do so, similar how they provide CNAME-at-the-apex
> functionality now.
>
> The benefit of ANAME over those vendor specific solutions is that
> customers can have provider diversity and transfer their zone from one
> to another.
>
>
> (some more comments below)
>
> > For some background, Dan York highlights some sample use-cases here:
> >
> >
> https://tools.ietf.org/html/draft-york-dnsop-cname-at-apex-publisher-view-01
> >
> > For example, web publishers want to do the equivalent of:
> >
> > example.com <http://example.com> 300 IN CNAME
> > a123qk.example-cdn.net <http://a123qk.example-cdn.net>.
> >
> >
> > Two use-cases (quoted from draft-york above):
> >
> > 1. users will be able to simply enter "example.com
> > <http://example.com>" into their browser; and
> >
> > 2. users will only see "example.com <http://example.com>" in their
> > address bar (if URLs are even displayed).
> >
> >
> > Note that for some CDNs, the “*MailScanner heeft een e-mail met mogelijk
> > een poging tot fraude gevonden van "a123qk..example-cdn.net" *
> > a123qk.example-cdn.net <http://a123qk..example-cdn.net>” target name
> > dynamically selects which IP addresses to return based on a wide variety
> > of factors (recursive nameserver IP, end-user IP prefix passed via ECS,
> > dynamic load and liveness conditions, product, customer security
> > requirements, TLS certificate needed for non-SNI-only configurations,
> > etc) and often have short TTLs (often in the range of 20s to 60s,
> > although sometimes up to 300s).
> >
> >
> > Some CDNs have had vertically-integrated solutions for onboarding zone
> > apex names for years, allowing example.com <http://example.com> to hand
> > back CDN IPs as long as the zone is delegated to the CDN authorities.
> > The need for these to be vertically integrated comes from the level of
> > complexity involved in calculating these answers.
> >
> >
> > Even these vertically integrated solutions may have limitations. For
> > example, one early vertically-integrated solution had very similar
> > functionality to some of the ANAME proposals. It only covered case #1
> > above, handing out a subset of CDN IPs (with limited performance). Along
> > with this was a correlated site HTTP configuration that would issue a
> > 30[127] redirect to “*MailScanner heeft een e-mail met mogelijk een
> > poging tot fraude gevonden van "www.example.com" * www..example.com
> > <http://www.example.com>” which would in-turn use a normal set of CDN
> > IPs. This doesn’t help for the “users will only see ‘example.com
> > <http://example.com>’ in their address bar” case due to the need to
> > redirect to a hostname that can fully CNAME.
> >
> >
> > More advanced vertically-integrated solutions that can also handle case
> > #2 may involve high-volume feeds of proprietary dynamic state and
> > configuration being fed to the authoritative nameservers, allowing them
> > to construct answers on-the-fly.
> >
> >
> > It is unclear if third-party authoritative servers will be able to do
> > enough here to be compatible with CDNs, at least until we get to a point
> > where most/all recursive servers support ANAME sibling address
> > substitution (and there are huge numbers of these around the world run
> > by a huge variety of operators!).
> >
> >
> > For third-party authoritative servers wishing to collapse A/AAAA names
> > into a zone as signalled by an ANAME, some of the options include:
> >
> >
> > 1.
> >
> > Primary zone master does sibling address substitution: Some CDNs
> > will declare this to be strictly incompatible. (ie, all traffic
> > would be directed to a small set of IPs associated with where the
> > Primary Master is located). This would defeat the purpose of using
> > a non-purely-anycast CDN.
> >
> > 2.
> >
> > Zone secondaries do frequent sibling address substitution: Some
> > CDNs may still declare this to be incompatible. Traffic is still
> > directed to a small subset of IPs associated with where the zone
> > secondaries are located. If the zone secondaries are widely
> > deployed, some CDNs might be able to support this using anycast
> > configurations, although that might limit to a subset of products or
> > limit to a subset of CDN server locations and might have CDN SLA
> > limitations.
> >
> > 3.
> >
> > Authoritative resolvers do a mixture of the following, which is
>
> Do you mean authoritative name servers here?
>
> > likely what would be needed to be compatible with CDNs that do
> > DNS-based traffic direction:
> >
> > o
> >
> > Online / on-demand lookups using ECS, with response caching.
> > (Possibly requiring collaboration with the CDN to be on an ECS
> > ACL or allowlist.)
> >
> > o
> >
> > Online DNSSEC signing.
> >
> > o
> >
> > Honoring short (eg, 20s-60s) response TTLs.
> >
> > o
> >
> > Having the scale/capacity and attack resilience to be able to
> > support this possibly-low-cache-hit-rate request workload.
> >
> >
> > It is only the third of these that might actually work well enough, but
> > may add a huge amount of complexity to authorities, requiring the
> > authority to also have many recursive functionality. It is possible
> > that some authoritative operators are willing and able to do this to
> > enable interoperability. However, if this set of functionality is what
> > is required to make ANAME work well enough to achieve its goals, then we
> > should be clear on that. It would be a mistake to go through all of the
> > effort of rolling out ANAME only to find that CDNs declare it to be
> > incompatible.
>
> I agree that ANAME should fit the CDN use case, but there are other use
> cases for ANAME that does not require ECS, online DNSSEC signing. I
> think the ANAME draft provides enough flexibility such that
> authoritative servers can combine ANAME with the above features to fit
> the CDN use case, but can also be a very simple setup for the "I just
> want an address redirection from my apex domain name to 'www'".
>
> If you feel like something specific is missing for the CDN case, please
> let me know.
>
>
> Thanks,
>
> Matthijs
>
>
> > I’ll add the caveat that the HTTPSSVC proposal doesn’t fully or
> > magically solve this problem either. It is likely that A/AAAA records
> > will need to live at the zone apex for a long time to come. If those are
> > static addresses, they’ll likely still need to do 30[127]-style
> > redirects to “www.example.com <http://www.example.com>” names. However
> > HTTPSSVC leaves an option for “example.com <http://example.com>”
> > requests (eg, those containing an Alt-Used request header) to not need
> > to return a redirect, allowing a somewhat more graceful transition as
> > client adoption picks up.
> >
> >
> > Erik
> >
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
- [DNSOP] a CDN perspective on ANAME challenges Erik Nygren
- Re: [DNSOP] a CDN perspective on ANAME challenges Mark Andrews
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking
- Re: [DNSOP] a CDN perspective on ANAME challenges Erik Nygren
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking
- Re: [DNSOP] a CDN perspective on ANAME challenges Ben Schwartz
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking