Re: [DNSOP] a CDN perspective on ANAME challenges

On 7/23/19 2:33 PM, Ben Schwartz wrote:
> 
> 
> On Tue, Jul 23, 2019 at 4:39 AM Matthijs Mekking <matthijs@pletterpet.nl
> <mailto:matthijs@pletterpet.nl>> wrote:
> 
>     Hi Erik,
> 
>     On 7/22/19 9:31 PM, Erik Nygren wrote:
>     > Reading the draft again, I think a challenge with the structure
>     relative
>     > to the CDN
>     > use-case is that requirements on how and where sibling record
>     resolution
>     > is done are derived from the target of the ANAME, not from the
>     > authoritative nameserver.
>     >
>     > It may make sense to be much more clear on this, as what it means to
>     > support ANAME
>     > on an Authority  in an interoperable fashion depends on the DNS
>     > architecture
>     > of the expected targets of ANAMEs.  If the common use-case of ANAME is
>     > to provide interoperability between authoritative DNS
>     infrastructure for
>     > zone apex ANAMEs that point to CDNs not operated by the DNS
>     infrastructure,
>     > then the common case for ANAME may need to be for authorities
>     > to  "recurse with ECS to get the A/AAAA sibling record".
>     >
>     > Otherwise the interoperability goal won't be achieved.
>     > From the perspective I've seen from my $dayjob at Akamai
>     > (a large provider of CDN services), I suspect that CDNs
>     > may say "we only support being the target of an ANAME
>     > for third-party authorities that do X, Y, and Z" then it may
>     > be confusing to mutual customers if that set of things
>     > is only listed as being an optional variation in an appendix.
>     > This seems like it has lots of risk of confusion around
>     interoperability
>     > and what it means for an authoritative DNS provider to
>     > have "implemented ANAME".
> 
>     It almost feels like this is a separate document: "Interoperable ANAME
>     services for DNS providers". Describe how to implement ANAME for this
>     specific (but large) use case.
> 
>     Also, how does HTTPSSRVC deal with this?
> 
> 
> HTTPSSVC gives responsibility for out-of-bailiwick lookups to the
> recursive, or the stub if the recursive isn't HTTPSSVC-aware.  The
> authoritative doesn't have to perform recursive-style lookups.

ANAME allows this too, but note that a solution that depends on the
resolver is going to be a deployment issue.

Target lookup for ANAME can be done at any point in time: At the
provisioning, at the authoritative, at the resolver, at the stub. So the
stub could already perform the out-of-bailiwick lookups by querying for
type ANAME and chase it to the target.

Best regards,

Matthijs

>  
> 
> 
>     Best regards,
> 
>     Matthijs
> 
> 
>     >> >     Authoritative resolvers do a mixture of the following, which is
>     >> Do you mean authoritative name servers here?
>     >
>     > Yes, authoritative nameservers, but also ones that effectively have
>     > to be resolvers in-order to do inline sibling record resolution (and
>     > caching)
>     > and sending ECS.
>     >  
>     >        Erik
>     >
>     >
>     >
>     >
>     > On Mon, Jul 15, 2019 at 4:56 AM Matthijs Mekking
>     <matthijs@pletterpet.nl <mailto:matthijs@pletterpet.nl>
>     > <mailto:matthijs@pletterpet.nl <mailto:matthijs@pletterpet.nl>>>
>     wrote:
>     >
>     >     Hi Erik,
>     >
>     >     Thanks for sharing this perspective.
>     >
>     >     On 7/12/19 7:52 PM, Erik Nygren wrote:
>     >     > One of the intended goals of ANAME is to improve
>     interoperability of
>     >     > onboarding onto CDNs for URLs at a zone apex, such as
>     >     > “http(s)://example.com <http://example.com>
>     <http://example.com> <http://example.com>”.  
>     >     >
>     >     >
>     >     > The TL;DR is that ANAME is unlikely to allow
>     interoperability here
>     >     > unless authorities are willing to effectively and scalablely do
>     >     > recursion-with-ECS for all requests (caching keyed by ECS
>     prefix and
>     >     > obeying short, sub-minute TTLs).  Simply resolving “sibling
>     address
>     >     > records” on a zone master (per draft-ietf-dnsop-aname-04) is
>     likely to
>     >     > be declared incompatible and unsupported (or at least severely
>     >     > restricted) by at least some (if not many) CDNs.
>     >
>     >     The document is written in such a way that it is
>     inter-operable, and can
>     >     work with offline DNSSEC signing, but authorities can still
>     implement
>     >     their own "on-the-fly" ANAME processing that takes into
>     account ECS and
>     >     perform online DNSSEC signing.  I suspect that authoritities
>     with CDN
>     >     customers will do so, similar how they provide CNAME-at-the-apex
>     >     functionality now.
>     >
>     >     The benefit of ANAME over those vendor specific solutions is that
>     >     customers can have provider diversity and transfer their zone
>     from one
>     >     to another.
>     >
>     >
>     >     (some more comments below)
>     >
>     >     > For some background, Dan York highlights some sample
>     use-cases here:
>     >     >
>     >     >
>     >   
>           https://tools.ietf.org/html/draft-york-dnsop-cname-at-apex-publisher-view-01
>     >     >
>     >     > For example, web publishers want to do the equivalent of:
>     >     >
>     >     >      example.com <http://example.com> <http://example.com>
>     <http://example.com>  300 IN
>     >     CNAME
>     >     > a123qk.example-cdn.net <http://a123qk.example-cdn.net>
>     <http://a123qk.example-cdn.net>
>     >     <http://a123qk.example-cdn.net>.
>     >     >
>     >     >
>     >     > Two use-cases (quoted from draft-york above):
>     >     >
>     >     > 1.  users will be able to simply enter "example.com
>     <http://example.com>
>     >     <http://example.com>
>     >     > <http://example.com>" into their browser; and
>     >     >
>     >     > 2.  users will only see "example.com <http://example.com>
>     <http://example.com>
>     >     <http://example.com>" in their
>     >     > address bar (if URLs are even displayed).
>     >     >
>     >     >
>     >     > Note that for some CDNs, the “*MailScanner heeft een e-mail met
>     >     mogelijk
>     >     > een poging tot fraude gevonden van "a123qk..example-cdn.net
>     <http://example-cdn.net>
>     >     <http://example-cdn.net>" *
>     >     > a123qk.example-cdn.net <http://a123qk.example-cdn.net>
>     <http://a123qk.example-cdn.net>
>     >     <http://a123qk..example-cdn.net <http://example-cdn.net>
>     <http://example-cdn.net>>” target name
>     >     > dynamically selects which IP addresses to return based on a wide
>     >     variety
>     >     > of factors (recursive nameserver IP, end-user IP prefix
>     passed via
>     >     ECS,
>     >     > dynamic load and liveness conditions, product, customer security
>     >     > requirements, TLS certificate needed for non-SNI-only
>     configurations,
>     >     > etc) and often have short TTLs (often in the range of 20s to
>     60s,
>     >     > although sometimes up to 300s).
>     >     >
>     >     >
>     >     > Some CDNs have had vertically-integrated solutions for
>     onboarding zone
>     >     > apex names for years, allowing example.com
>     <http://example.com> <http://example.com>
>     >     <http://example.com> to hand
>     >     > back CDN IPs as long as the zone is delegated to the CDN
>     authorities. 
>     >     > The need for these to be vertically integrated comes from
>     the level of
>     >     > complexity involved in calculating these answers.
>     >     >
>     >     >
>     >     > Even these vertically integrated solutions may have
>     limitations.  For
>     >     > example, one early vertically-integrated solution had very
>     similar
>     >     > functionality to some of the ANAME proposals.  It only
>     covered case #1
>     >     > above, handing out a subset of CDN IPs (with limited
>     performance).
>     >     Along
>     >     > with this was a correlated site HTTP configuration that
>     would issue a
>     >     > 30[127] redirect to “*MailScanner heeft een e-mail met
>     mogelijk een
>     >     > poging tot fraude gevonden van "www.example.com
>     <http://www.example.com>
>     >     <http://www.example.com>" * www..example.com
>     <http://example.com> <http://example.com>
>     >     > <http://www.example.com>” which would in-turn use a normal
>     set of CDN
>     >     > IPs.  This doesn’t help for the “users will only see
>     ‘example.com <http://example.com>
>     >     <http://example.com>
>     >     > <http://example.com>’ in their address bar” case due to the
>     need to
>     >     > redirect to a hostname that can fully CNAME.  
>     >     >
>     >     >
>     >     > More advanced vertically-integrated solutions that can also
>     handle
>     >     case
>     >     > #2 may involve high-volume feeds of proprietary dynamic
>     state and
>     >     > configuration being fed to the authoritative nameservers,
>     allowing
>     >     them
>     >     > to construct answers on-the-fly.
>     >     >
>     >     >
>     >     > It is unclear if third-party authoritative servers will be
>     able to do
>     >     > enough here to be compatible with CDNs, at least until we
>     get to a
>     >     point
>     >     > where most/all recursive servers support ANAME sibling address
>     >     > substitution (and there are huge numbers of these around the
>     world run
>     >     > by a huge variety of operators!).  
>     >     >
>     >     >
>     >     > For third-party authoritative servers wishing to collapse
>     A/AAAA names
>     >     > into a zone as signalled by an ANAME, some of the options
>     include:
>     >     >
>     >     >
>     >     >  1.
>     >     >
>     >     >     Primary zone master does sibling address substitution: 
>     Some CDNs
>     >     >     will declare this to be strictly incompatible.  (ie, all
>     traffic
>     >     >     would be directed to a small set of IPs associated with
>     where the
>     >     >     Primary Master is located).  This would defeat the
>     purpose of
>     >     using
>     >     >     a non-purely-anycast CDN.   
>     >     >
>     >     >  2.
>     >     >
>     >     >     Zone secondaries do frequent sibling address
>     substitution:  Some
>     >     >     CDNs may still declare this to be incompatible. Traffic
>     is still
>     >     >     directed to a small subset of IPs associated with where
>     the zone
>     >     >     secondaries are located.  If the zone secondaries are widely
>     >     >     deployed, some CDNs might be able to support this using
>     anycast
>     >     >     configurations, although that might limit to a subset of
>     >     products or
>     >     >     limit to a subset of CDN server locations and might have
>     CDN SLA
>     >     >     limitations.
>     >     >
>     >     >  3.
>     >     >
>     >     >     Authoritative resolvers do a mixture of the following,
>     which is
>     >
>     >     Do you mean authoritative name servers here?
>     >
>     >     >     likely what would be needed to be compatible with CDNs
>     that do
>     >     >     DNS-based traffic direction:
>     >     >
>     >     >       o
>     >     >
>     >     >         Online / on-demand lookups using ECS, with response
>     caching. 
>     >     >         (Possibly requiring collaboration with the CDN to be
>     on an ECS
>     >     >         ACL or allowlist.)
>     >     >
>     >     >       o
>     >     >
>     >     >         Online DNSSEC signing.
>     >     >
>     >     >       o
>     >     >
>     >     >         Honoring short (eg, 20s-60s) response TTLs.
>     >     >
>     >     >       o
>     >     >
>     >     >         Having the scale/capacity and attack resilience to
>     be able to
>     >     >         support this possibly-low-cache-hit-rate request
>     workload.
>     >     >
>     >     >
>     >     > It is only the third of these that might actually work well
>     >     enough, but
>     >     > may add a huge amount of complexity to authorities,
>     requiring the
>     >     > authority to also have many recursive functionality.  It is
>     possible
>     >     > that some authoritative operators are willing and able to do
>     this to
>     >     > enable interoperability. However, if this set of
>     functionality is what
>     >     > is required to make ANAME work well enough to achieve its goals,
>     >     then we
>     >     > should be clear on that. It would be a mistake to go through all
>     >     of the
>     >     > effort of rolling out ANAME only to find that CDNs declare
>     it to be
>     >     > incompatible.
>     >
>     >     I agree that ANAME should fit the CDN use case, but there are
>     other use
>     >     cases for ANAME that does not require ECS, online DNSSEC
>     signing.  I
>     >     think the ANAME draft provides enough flexibility such that
>     >     authoritative servers can combine ANAME with the above
>     features to fit
>     >     the CDN use case, but can also be a very simple setup for the
>     "I just
>     >     want an address redirection from my apex domain name to 'www'"..
>     >
>     >     If you feel like something specific is missing for the CDN
>     case, please
>     >     let me know.
>     >
>     >
>     >     Thanks,
>     >
>     >     Matthijs
>     >
>     >
>     >     > I’ll add the caveat that the HTTPSSVC proposal doesn’t fully or
>     >     > magically solve this problem either.  It is likely that
>     A/AAAA records
>     >     > will need to live at the zone apex for a long time to come. If
>     >     those are
>     >     > static addresses, they’ll likely still need to do 30[127]-style
>     >     > redirects to “www.example.com <http://www.example.com>
>     <http://www.example.com>
>     >     <http://www.example.com>” names.  However
>     >     > HTTPSSVC leaves an option for “example.com
>     <http://example.com> <http://example.com>
>     >     <http://example.com>”
>     >     > requests (eg, those containing an Alt-Used request header)
>     to not need
>     >     > to return a redirect, allowing a somewhat more graceful
>     transition as
>     >     > client adoption picks up.
>     >     >
>     >     >
>     >     >     Erik
>     >     >
>     >     >
>     >     > _______________________________________________
>     >     > DNSOP mailing list
>     >     > DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>     <mailto:DNSOP@ietf.org <mailto:DNSOP@ietf.org>>
>     >     > https://www.ietf.org/mailman/listinfo/dnsop
>     >     >
>     >
>     >     _______________________________________________
>     >     DNSOP mailing list
>     >     DNSOP@ietf.org <mailto:DNSOP@ietf.org> <mailto:DNSOP@ietf.org
>     <mailto:DNSOP@ietf.org>>
>     >     https://www.ietf.org/mailman/listinfo/dnsop
>     >
>     >
>     > _______________________________________________
>     > DNSOP mailing list
>     > DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>     > https://www.ietf.org/mailman/listinfo/dnsop
>     >
> 
>     _______________________________________________
>     DNSOP mailing list
>     DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>     https://www.ietf.org/mailman/listinfo/dnsop
> 