IETF Logo Mail Archive

Re: [DNSOP] ANAME loop detection

Shane Kerr <shane@time-travellers.org> Fri, 05 July 2019 08:16 UTC

Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 926AE120128 for <dnsop@ietfa.amsl.com>; Fri, 5 Jul 2019 01:16:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gx_JvKY37pZB for <dnsop@ietfa.amsl.com>; Fri, 5 Jul 2019 01:16:48 -0700 (PDT)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DF111200CE for <dnsop@ietf.org>; Fri, 5 Jul 2019 01:16:48 -0700 (PDT)
Received: from [2001:470:78c8:2:8d24:87fa:64b4:b983] by time-travellers.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <shane@time-travellers.org>) id 1hjJOg-0002Nf-16 for dnsop@ietf.org; Fri, 05 Jul 2019 08:16:46 +0000
To: dnsop@ietf.org
References: <CAM1xaJ9txy98s5Y+Sq5T5N1KaD-LvtrDTut=mUomjHFwTvWnDg@mail.gmail.com> <a4137531-7641-34f2-6443-1cd904b485e3@pletterpet.nl> <78d6f44a-2946-5fbc-a31f-6708f8ceb246@time-travellers.org> <2d637c56-7c83-597b-af0b-39f2ded40caf@pletterpet.nl>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <d7e93a44-44e0-7756-9bf8-c0fa4574242a@time-travellers.org>
Date: Fri, 05 Jul 2019 10:16:45 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <2d637c56-7c83-597b-af0b-39f2ded40caf@pletterpet.nl>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/edVpNhIRy_tt1MtbXPjcSrpcjdw>
Subject: Re: [DNSOP] ANAME loop detection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2019 08:16:50 -0000

Matthijs,

On 04/07/2019 15.19, Matthijs Mekking wrote:
> 
> On 7/4/19 2:29 PM, Shane Kerr wrote:
>>>> 2. QTYPE=ANAME: According to the current version of the draft, server
>>>> answering to ANAME must include the ANAME and should include the
>>>> sibling records. Let's modify the behavior and say the server should
>>>> not (must not) include the sibling records. Then the server performing
>>>> ANAME sibling address resolution could first query for ANAME before
>>>> trying A or AAAA. We get the same loop detection mechanism as with
>>>> CNAMEs at the cost of an extra query per ANAME
>>>
>>> Again, I think what we should clarify is that it is a signal to not do
>>> do ANAME target lookup. Sibling address records are fine and required at
>>> some point.
>>>
>>> I like this option the best, because the requester is interested in the
>>> ANAME record in the particular zone, and so there is no need for
>>> chasing.  While with address queries the requester is actually
>>> interested in the target address, and so chasing makes sense.
>>>
>>> We could change the specification such that a server that does ANAME
>>> target lookups MUST use QTYPE=ANAME and servers receiving ANAME queries
>>> MUST NOT chase the target and would solve the loop problem.
>>
>> My main concern about this approach is the extra lookup required.
>>
>> Keep in mind that most ANAME targets are NOT going to be ANAME
>> themselves (although probably many will), so this means that in most
>> cases ANAME servers will have to do an extra lookup before moving on to
>> usual A/AAAA lookups. These QTYPE=ANAME cannot be done in parallel with
>> A/AAAA queries, since those might trigger the ANAME loops that we are
>> trying to prevent.
> 
> If we change the specification such that sibling address records MUST be
> in the response to an ANAME request that extra lookup is not needed.

I mean in the sense that it requires an extra lookup where the ANAME 
target is not another ANAME.

The logic looks something like this:

if answer.rrtype == ANAME:
     discovered_aname = query_for_aname(answer.rdata)
     if discovered_aname:
         answer.update_with_aname(discovered_aname)
     else:
         discovered_a = query_for_a(answer.rdata)
         answer.update_with_a(discovered_a)
         discovered_aaaa = query_for_aaaa(answer.rdata)
         answer.update_with_aaaa(discovered_aaaa)
reply(answer)

That query_for_aname() call is the extra lookup that using this method 
requires.

If the ANAME target is itself an ANAME, then indeed no extra work is 
required (in fact probably less).

However, if the ANAME target is not an ANAME, then an extra query and 
the associated delay is required (this is probably the more common 
path). The A & AAAA queries can be done in parallel, but they both have 
to wait until the ANAME is finished to avoid loops.

Cheers,

--
Shane

v2.23.0 | Report a Bug | By Email