IETF Logo Mail Archive

Re: [DNSOP] ANAME in answer or additional section [issue #62]

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 13 June 2019 22:34 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04D13120136 for <dnsop@ietfa.amsl.com>; Thu, 13 Jun 2019 15:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CUjkKMWRAjLK for <dnsop@ietfa.amsl.com>; Thu, 13 Jun 2019 15:34:11 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2620912006B for <dnsop@ietf.org>; Thu, 13 Jun 2019 15:34:11 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id m29so348585qtu.1 for <dnsop@ietf.org>; Thu, 13 Jun 2019 15:34:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BHZr6TDmR+T+elhlEZpOzl0m9oxzd6O+n+N75G1ArRE=; b=XECBqVJ6UQ9ALKSloyOTWPr7brCQqKWr0Gj9rshrDY0VVBBVvoMnT/vKPdUSfK+FOX UMCgmYAUVYhm3nHFDUqqOAauF+bO9f2rhTl5/2ZsYB59OuGSZ23si92BMiC/DoLz18Yd bkymg9G0rlE9pekVhJoBficRCd31vSjXcl52cRzvXSYPBcT0pQiUBokcPBIQhzU9Me++ vuPmgfUe6XDFSxzAGJWfYFZH60/ABCcLgzSdXPzMCm88Bj8FI6ICIoe//yEciAS2icO7 ifjVODViH66B0NZddEG268k75Y3zVGfni9ZbUgFDwI4+nfE9PZtimmcLSmSFiK7YE1RP kXgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BHZr6TDmR+T+elhlEZpOzl0m9oxzd6O+n+N75G1ArRE=; b=tzi87gtKpI7G1b/QdurF0aAUmvqJk1cp5bBEjrRdFnpSeXKMbry+GuRDjGY64ruJCF aUkd+2IFFtfMZetUPsSPmnAgmsqsNh9IniUEdmFMNsG1r31jxqVzpJqc7WMxlxV9W8Va ZHHPYL7T8Bw3bOIENOLVGEFChZvh/M9jWu7yYLVHrjCxBu4t+FkliZ35flbo4mYmMVpL +v7QXOKhvNKwkCS+g0VoQaofiHXfjjEmviQP7ywwXcIoEOVwLoB1BWOs4VuvI6d0ogaX Iv0VJ4YkpGYtqJSPGq5jDmE3ZxtHwQDztY5X7HvxfKbHedGBilFhF6KEjBbpla5fEb8L qffQ==
X-Gm-Message-State: APjAAAWGNvr1C/PgukNLdEajtn09NJdPbdNEy8bETgJhNfUl/M1/kFSt QPcf0DCg+w/PNaX47UQ+KwA8MBCS3/SpLyweFSI=
X-Google-Smtp-Source: APXvYqzF8LsjBfKMpfFXl3Qi1iYvrMszeD5tpe7gxjnWKgfCciM4WpCPnejWCHbW1Ifqbl5H0L+fJhRl3B0PVUoVcg4=
X-Received: by 2002:aed:22f2:: with SMTP id q47mr172878qtc.106.1560465250114; Thu, 13 Jun 2019 15:34:10 -0700 (PDT)
MIME-Version: 1.0
References: <3b136e34-7ec0-e144-2c2a-0885185ec2b1@pletterpet.nl> <20190612000459.GA60387@isc.org> <CAJhMdTP-iDbbgnCDV7WRhbh495KvhOW3cGS+0tu74VAoYfU=gg@mail.gmail.com> <CAH1iCiqE70T3fWVcCrSvA86=qJKoWwuRGFRzKnQyediMrm404A@mail.gmail.com> <68b5997e-1c24-a366-1165-9874a36169b5@pletterpet.nl> <CAH1iCiqp1dbP-No4K3t2hNQ2+kD4RVGPgUHB_sHgByzEOsAxuw@mail.gmail.com> <CA+nkc8BcNcYHkpAadsjgCBbSONOkU7G9kUu+t=0AAKZ92WvVAg@mail.gmail.com>
In-Reply-To: <CA+nkc8BcNcYHkpAadsjgCBbSONOkU7G9kUu+t=0AAKZ92WvVAg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 13 Jun 2019 15:33:58 -0700
Message-ID: <CAH1iCirO8JX6Ynmk2Rt4GQbTKivT7-dosAuqryN9+sGofZ-RRQ@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Cc: Matthijs Mekking <matthijs@pletterpet.nl>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000eae1a7058b3c2033"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dpKBRf-2a0kefGf26sXbVUlDISM>
Subject: Re: [DNSOP] ANAME in answer or additional section [issue #62]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 22:34:14 -0000

On Thu, Jun 13, 2019 at 1:51 PM Bob Harold <rharolde@umich.edu> wrote:

>
> On Thu, Jun 13, 2019 at 1:50 PM Brian Dickson <
> brian.peter.dickson@gmail.com> wrote:
>
>>
>>
>> On Wed, Jun 12, 2019 at 1:11 AM Matthijs Mekking <matthijs@pletterpet.nl>
>> wrote:
>>
>>> Brian,
>>>
>>> Thanks for the detailed background on why DNAME worked. There are a few
>>> things that caught my attention:
>>>
>>> > When a recursive queried an authority server, if it got back a DNAME
>>> but did not understand it, it ignored the DNAME but processed the CNAME
>>> (as if only the CNAME existed) (plus any other data like chained CNAMEs
>>> or A/AAAA records)
>>>
>>> > All of this is unfortunate, because of the fact that there is no
>>> genuinely backward compatible record similar to ANAME that can be used,
>>> without a very strong likelihood of breaking things. From authority to
>>> recursive: You can't return an ANAME and a CNAME (as a
>>> backward-compatible rewrite signal that corresponds to the ANAME), since
>>> the CNAME will effectively obscure other RRTYPEs that might coexist
>>> (e.g. at the zone apex).
>>>
>>> This is fine, because that is not what we want: We would like to add the
>>> ANAME in the answer section with the A/AAAA records (not a CNAME).
>>>
>>> > The real problem here, is the "other" record for backward
>>> compatibility isn't a rewrite-type (such as CNAME or DNAME), but is a
>>> "promoted" A/AAAA record of potentially limited utility and questionable
>>> provenance (due to geo-ip stuff, TTL stuff, and RRSIG problems).
>>>
>>> I actually see the A/AAAA record as the backward compatibility records:
>>> An ANAME-aware resolver would understand the ANAME and can act upon it,
>>> an ANAME-unaware resolver will use the A/AAAA records that the
>>> authoritative returned.
>>>
>>
>> So, this is where the analogy to DNAME diverges from reality of ANAME,
>> and IMHO is the the crux of one of the main problems with ANAME.
>>
>> In the DNAME/CNAME example, the A/AAAA records are returned ONLY IF the
>> server that is authoritative for the DNAME is also authoritative for the
>> DNAME "target" (right-hand-side/RDATA).
>> If the DNAME auth server is not, it will only return DNAME+CNAME records.
>>
>> The only "legitimate" (in my opinion) reason that the ANAME authoritative
>> server should also return A/AAAA records, is if it is also authoritative
>> for the ANAME "target" (right-hand-side/RDATA).
>>
>> (And the reason that having the ANAME authoritative server obtain and
>> return A/AAAA records itself leads to what I called:
>>
>>> potentially limited utility and questionable provenance (due to geo-ip
>>> stuff, TTL stuff, and RRSIG problems).
>>>
>>
>> I have elaborated on this problem previously, but will do so again for
>> completeness/context:
>>
>>    - There can be differences (possibly significant differences) in the
>>    results returned for resolution of the "target" between the ANAME
>>    authoritative server, and the querying resolver.
>>       - E.g. Any sort of "stupid DNS tricks" that return different
>>       values based on either physical topology (anycast instance) or geo-ip
>>       (client-subnet)
>>       - That discrepancy can direct clients to a suboptimal server,
>>       where suboptimal can even be, from a user perspective, badly broken (e..g.
>>       wrong language, illegal content, etc.)
>>    - The interactions on TTLs and the need for repeated lookups can have
>>    adverse impacts on both clients, resolvers, and auth servers
>>       - An auth server might want to use longer TTLs to reduce query
>>       volume, for ANAME values that do not change frequently (A/AAAA TTL set to
>>       same as ANAME TTL)
>>       - The original A/AAAA TTL (for the "target" owner name's A/AAAA
>>       RRDATA) might be short because it changes frequently (e.g. CDNs)
>>    - If the "sibling" data is only a hint, non-upgraded resolvers will
>>    serve A/AAAA records that are either poor (longer latency, higher loss),
>>    wrong (incorrect language due to wrong CDN node), broken (long TTL -> wrong
>>    server), or slow (requery required)
>>
>> I don't have a better suggestion on how to fix this within the context of
>> ANAME; IMNSHO it is an intractable issue, a fundamental problem with ANAME
>> if sibling records are required.
>>
>> Brian
>>
>
> I see two main cases:
>
>    - ANAME replaces a CNAME record, so that other records can be attached
>    to the same name. I don't think this is likely to be a big use case. In
>    this case, all your concerns apply.
>
>
>    - ANAME replaces A/AAAA records, most likely at a zone apex, where
>    CNAME was desired but not allowed. I think this is the main case for ANAME.
>    And in this case, the old A/AAAA records are returned as previously, but
>    with the added ANAME record. Your concerns only apply if they already
>    applied to the A/AAAA records - nothing has gotten any worse.
>
> Is there another major case I am missing?
>

Yes, ANAME placed at apex, where no A/AAAA exists or existed. Typically
when there is a "www" CNAME, and the zone owner wants to make a "magic apex
CNAME" that points the same place as "www" currently does.

I think that (addition of ANAME) is going to be 95% of the deployments,
versus a 5% migration of already-existing proprietary RRTYPEs or
pseudo-types (vertical integration) to ANAME. (If those weren't the
expected levels of deployment, I don't the the efforts on ANAME would be
worthwhile.)

Brian

v2.23.0 | Report a Bug | By Email