Re: [DNSOP] BCP on rrset ordering for round-robin? Also head's up on bind 9.12 bug (sorting rrsets by default)

Colm MacCárthaigh <colm@allcosts.net> Sat, 16 June 2018 00:01 UTC

From: Colm MacCárthaigh <colm@allcosts.net>
Date: Fri, 15 Jun 2018 17:01:15 -0700
Message-ID: <CAAF6GDd1ha8b2fafLWsqw=QsPy0Z8U6qhrRRKuDo=8U8F4bfuQ@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: Erik Nygren <erik+ietf@nygren.org>, Bob Harold <rharolde@umich.edu>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Andrew Sullivan <ajs@anvilwalrusden.com>, Mukund Sivaraman <muks@mukund.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/e-uYA414a7-BZcYMxEyqRS0ylNI>

I think so too; and I wouldn't be so strict on backwards compatibility
there.

That behavior is a side-channel that defeats DNS privacy in some cases.
E.g. I can query a record, watch you send an encrypted query, then query
the record again, and tell what you queried. Within some probability at
least.

For that reason, it'd be worth experimenting with an implementation that
does shuffle the results each time.

On Fri, Jun 15, 2018 at 4:54 PM, Shumon Huque <shuque@gmail.com> wrote:

> On Fri, Jun 15, 2018 at 5:55 PM Colm MacCárthaigh <colm@allcosts.net>
> wrote:
>
>>
>> Just a question on this: was the old/classic behavior really
>> random/shuffled? Or was it that bind would "rotate" through iterations
>> where the order was the same each time if you think of the rrset list as a
>> ring, but with a different start and end point within that ring? (That's
>> what's described here:
>> https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_07.htm)
>>
>
> ISC veterans can confirm, but my recollection is that the earliest
> implementations were indeed as described above - the response RRset was
> cycled/rotated, rather than randomized.
>
> Shumon.
>
>


-- 
Colm
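
Added example, not part of the original message and not BIND's code: a toy model of one cached RRset that measures how much the answer order reveals under cyclic rotation versus a fresh shuffle per answer. The names `CachedRRset` and `observer_accuracy`, the 192.0.2.x records and the single-other-client assumption are constructed for illustration; real traffic from other clients adds noise, which is the "within some probability" in the message.

```python
import random

class CachedRRset:
    """Toy cache entry: one RRset plus an answer-ordering policy."""
    def __init__(self, records, policy, rng):
        self.records = list(records)
        self.policy = policy   # "rotate" (cyclic) or "shuffle" (random per answer)
        self.rng = rng
        self.offset = 0        # rotation state shared by every client of the cache

    def answer(self):
        if self.policy == "rotate":
            out = self.records[self.offset:] + self.records[:self.offset]
            self.offset = (self.offset + 1) % len(self.records)
            return out
        out = list(self.records)
        self.rng.shuffle(out)  # order is independent of earlier answers
        return out

def observer_accuracy(policy, trials=2000, seed=1):
    """Fraction of trials in which comparing two answers correctly tells
    whether some other client queried the same RRset in between."""
    rng = random.Random(seed)
    records = ["192.0.2.%d" % i for i in range(1, 5)]  # constructed sample data
    correct = 0
    for _ in range(trials):
        entry = CachedRRset(records, policy, rng)
        entry.offset = rng.randrange(len(records))     # unknown starting point
        other_client_queried = rng.random() < 0.5
        first = entry.answer()
        if other_client_queried:
            entry.answer()     # the answer itself is never seen by the observer
        second = entry.answer()
        # With undisturbed rotation the second answer is the first shifted by one.
        undisturbed = first[1:] + first[:1]
        guess = second != undisturbed
        correct += (guess == other_client_queried)
    return correct / trials

if __name__ == "__main__":
    for policy in ("rotate", "shuffle"):
        print(policy, observer_accuracy(policy))
```

Under rotation the shared offset makes the inference exact in this model, while per-answer shuffling leaves the comparison no better than a coin flip.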