Re: [DNSOP] a CDN perspective on ANAME challenges
Matthijs Mekking <matthijs@pletterpet.nl> Tue, 23 July 2019 14:33 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FC5A120072 for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 07:33:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mDCZOdzd6tNR for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 07:33:01 -0700 (PDT)
Received: from lb3-smtp-cloud9.xs4all.net (lb3-smtp-cloud9.xs4all.net [194.109.24.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13BF312011F for <dnsop@ietf.org>; Tue, 23 Jul 2019 07:33:00 -0700 (PDT)
Received: from [IPv6:2001:980:4eb1:1:c9ad:f345:f26a:8955] ([IPv6:2001:980:4eb1:1:c9ad:f345:f26a:8955]) by smtp-cloud9.xs4all.net with ESMTPSA id pvqVhi4AtuEBxpvqWhpE8V; Tue, 23 Jul 2019 16:32:55 +0200
To: Ben Schwartz <bemasc@google.com>
Cc: Erik Nygren <erik+ietf@nygren.org>, dnsop WG <dnsop@ietf.org>
References: <CAKC-DJjiwEA977sLpriPg5yyfm--yCQ=xMUGk7VbXyYd8uPE6g@mail.gmail.com> <d84769fe-77b7-a983-94ae-60416b449b7d@pletterpet.nl> <CAKC-DJjsTNxnb3f2_yWZ_GAqe6MMkH2W2Z9n0XpwZ1sjDa_6aQ@mail.gmail.com> <dafd8eff-d255-bec5-e1dd-f2af91163394@pletterpet.nl> <CAHbrMsDW8X+o-DXDYfTsVnEkV_fsiWysa2vND8yKEdP6G0TRPw@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <237d3e3d-b635-cc3e-ca5a-8ead42e923ed@pletterpet.nl>
Date: Tue, 23 Jul 2019 16:32:51 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <CAHbrMsDW8X+o-DXDYfTsVnEkV_fsiWysa2vND8yKEdP6G0TRPw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfLuj47JM5Z709uiS1jJziRvpdPJEHziNRdi4g+Ud1+7xjMLd8J19tQX4O0toy5NEEQRNT4wX+IAJ8f3704gJ1wjq2tk7QdcwW8K1RyyOUUmaq/jiurQV Yx/V0dgD0RKF86PuBcDKo3gtK64H3MiAonisVUadDSUYJhakDLUd5C+cPoOR79uzhhU95A5qK++TdsPYp+Y8FthIG3hJH3DN9XIgknYOB2uLx6VzQXrWaDa9 vsec7GAegZ5RRPPbnajo2ioO295B7PX5WUtoVuBC6/kulCl9kvBee1QMe3SWfeLla9AN7PCk2bM/buBIK5wQzvOrcK+YWezgVJUiKOANNoU=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/i-MUYhQky0WgiGRj15-1LvR9zXc>
Subject: Re: [DNSOP] a CDN perspective on ANAME challenges
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 14:33:05 -0000
On 7/23/19 2:33 PM, Ben Schwartz wrote: > > > On Tue, Jul 23, 2019 at 4:39 AM Matthijs Mekking <matthijs@pletterpet.nl > <mailto:matthijs@pletterpet.nl>> wrote: > > Hi Erik, > > On 7/22/19 9:31 PM, Erik Nygren wrote: > > Reading the draft again, I think a challenge with the structure > relative > > to the CDN > > use-case is that requirements on how and where sibling record > resolution > > is done are derived from the target of the ANAME, not from the > > authoritative nameserver. > > > > It may make sense to be much more clear on this, as what it means to > > support ANAME > > on an Authority in an interoperable fashion depends on the DNS > > architecture > > of the expected targets of ANAMEs. If the common use-case of ANAME is > > to provide interoperability between authoritative DNS > infrastructure for > > zone apex ANAMEs that point to CDNs not operated by the DNS > infrastructure, > > then the common case for ANAME may need to be for authorities > > to "recurse with ECS to get the A/AAAA sibling record". > > > > Otherwise the interoperability goal won't be achieved. > > From the perspective I've seen from my $dayjob at Akamai > > (a large provider of CDN services), I suspect that CDNs > > may say "we only support being the target of an ANAME > > for third-party authorities that do X, Y, and Z" then it may > > be confusing to mutual customers if that set of things > > is only listed as being an optional variation in an appendix. > > This seems like it has lots of risk of confusion around > interoperability > > and what it means for an authoritative DNS provider to > > have "implemented ANAME". > > It almost feels like this is a separate document: "Interoperable ANAME > services for DNS providers". Describe how to implement ANAME for this > specific (but large) use case. > > Also, how does HTTPSSRVC deal with this? > > > HTTPSSVC gives responsibility for out-of-bailiwick lookups to the > recursive, or the stub if the recursive isn't HTTPSSVC-aware. The > authoritative doesn't have to perform recursive-style lookups. ANAME allows this too, but note that a solution that depends on the resolver is going to be a deployment issue. Target lookup for ANAME can be done at any point in time: At the provisioning, at the authoritative, at the resolver, at the stub. So the stub could already perform the out-of-bailiwick lookups by querying for type ANAME and chase it to the target. Best regards, Matthijs > > > > Best regards, > > Matthijs > > > >> > Authoritative resolvers do a mixture of the following, which is > >> Do you mean authoritative name servers here? > > > > Yes, authoritative nameservers, but also ones that effectively have > > to be resolvers in-order to do inline sibling record resolution (and > > caching) > > and sending ECS. > > > > Erik > > > > > > > > > > On Mon, Jul 15, 2019 at 4:56 AM Matthijs Mekking > <matthijs@pletterpet.nl <mailto:matthijs@pletterpet.nl> > > <mailto:matthijs@pletterpet.nl <mailto:matthijs@pletterpet.nl>>> > wrote: > > > > Hi Erik, > > > > Thanks for sharing this perspective. > > > > On 7/12/19 7:52 PM, Erik Nygren wrote: > > > One of the intended goals of ANAME is to improve > interoperability of > > > onboarding onto CDNs for URLs at a zone apex, such as > > > “http(s)://example.com <http://example.com> > <http://example.com> <http://example.com>”. > > > > > > > > > The TL;DR is that ANAME is unlikely to allow > interoperability here > > > unless authorities are willing to effectively and scalablely do > > > recursion-with-ECS for all requests (caching keyed by ECS > prefix and > > > obeying short, sub-minute TTLs). Simply resolving “sibling > address > > > records” on a zone master (per draft-ietf-dnsop-aname-04) is > likely to > > > be declared incompatible and unsupported (or at least severely > > > restricted) by at least some (if not many) CDNs. > > > > The document is written in such a way that it is > inter-operable, and can > > work with offline DNSSEC signing, but authorities can still > implement > > their own "on-the-fly" ANAME processing that takes into > account ECS and > > perform online DNSSEC signing. I suspect that authoritities > with CDN > > customers will do so, similar how they provide CNAME-at-the-apex > > functionality now. > > > > The benefit of ANAME over those vendor specific solutions is that > > customers can have provider diversity and transfer their zone > from one > > to another. > > > > > > (some more comments below) > > > > > For some background, Dan York highlights some sample > use-cases here: > > > > > > > > > https://tools.ietf.org/html/draft-york-dnsop-cname-at-apex-publisher-view-01 > > > > > > For example, web publishers want to do the equivalent of: > > > > > > example.com <http://example.com> <http://example.com> > <http://example.com> 300 IN > > CNAME > > > a123qk.example-cdn.net <http://a123qk.example-cdn.net> > <http://a123qk.example-cdn.net> > > <http://a123qk.example-cdn.net>. > > > > > > > > > Two use-cases (quoted from draft-york above): > > > > > > 1. users will be able to simply enter "example.com > <http://example.com> > > <http://example.com> > > > <http://example.com>" into their browser; and > > > > > > 2. users will only see "example.com <http://example.com> > <http://example.com> > > <http://example.com>" in their > > > address bar (if URLs are even displayed). > > > > > > > > > Note that for some CDNs, the “*MailScanner heeft een e-mail met > > mogelijk > > > een poging tot fraude gevonden van "a123qk..example-cdn.net > <http://example-cdn.net> > > <http://example-cdn.net>" * > > > a123qk.example-cdn.net <http://a123qk.example-cdn.net> > <http://a123qk.example-cdn.net> > > <http://a123qk..example-cdn.net <http://example-cdn.net> > <http://example-cdn.net>>” target name > > > dynamically selects which IP addresses to return based on a wide > > variety > > > of factors (recursive nameserver IP, end-user IP prefix > passed via > > ECS, > > > dynamic load and liveness conditions, product, customer security > > > requirements, TLS certificate needed for non-SNI-only > configurations, > > > etc) and often have short TTLs (often in the range of 20s to > 60s, > > > although sometimes up to 300s). > > > > > > > > > Some CDNs have had vertically-integrated solutions for > onboarding zone > > > apex names for years, allowing example.com > <http://example.com> <http://example.com> > > <http://example.com> to hand > > > back CDN IPs as long as the zone is delegated to the CDN > authorities. > > > The need for these to be vertically integrated comes from > the level of > > > complexity involved in calculating these answers. > > > > > > > > > Even these vertically integrated solutions may have > limitations. For > > > example, one early vertically-integrated solution had very > similar > > > functionality to some of the ANAME proposals. It only > covered case #1 > > > above, handing out a subset of CDN IPs (with limited > performance). > > Along > > > with this was a correlated site HTTP configuration that > would issue a > > > 30[127] redirect to “*MailScanner heeft een e-mail met > mogelijk een > > > poging tot fraude gevonden van "www.example.com > <http://www.example.com> > > <http://www.example.com>" * www..example.com > <http://example.com> <http://example.com> > > > <http://www.example.com>” which would in-turn use a normal > set of CDN > > > IPs. This doesn’t help for the “users will only see > ‘example.com <http://example.com> > > <http://example.com> > > > <http://example.com>’ in their address bar” case due to the > need to > > > redirect to a hostname that can fully CNAME. > > > > > > > > > More advanced vertically-integrated solutions that can also > handle > > case > > > #2 may involve high-volume feeds of proprietary dynamic > state and > > > configuration being fed to the authoritative nameservers, > allowing > > them > > > to construct answers on-the-fly. > > > > > > > > > It is unclear if third-party authoritative servers will be > able to do > > > enough here to be compatible with CDNs, at least until we > get to a > > point > > > where most/all recursive servers support ANAME sibling address > > > substitution (and there are huge numbers of these around the > world run > > > by a huge variety of operators!). > > > > > > > > > For third-party authoritative servers wishing to collapse > A/AAAA names > > > into a zone as signalled by an ANAME, some of the options > include: > > > > > > > > > 1. > > > > > > Primary zone master does sibling address substitution: > Some CDNs > > > will declare this to be strictly incompatible. (ie, all > traffic > > > would be directed to a small set of IPs associated with > where the > > > Primary Master is located). This would defeat the > purpose of > > using > > > a non-purely-anycast CDN. > > > > > > 2. > > > > > > Zone secondaries do frequent sibling address > substitution: Some > > > CDNs may still declare this to be incompatible. Traffic > is still > > > directed to a small subset of IPs associated with where > the zone > > > secondaries are located. If the zone secondaries are widely > > > deployed, some CDNs might be able to support this using > anycast > > > configurations, although that might limit to a subset of > > products or > > > limit to a subset of CDN server locations and might have > CDN SLA > > > limitations. > > > > > > 3. > > > > > > Authoritative resolvers do a mixture of the following, > which is > > > > Do you mean authoritative name servers here? > > > > > likely what would be needed to be compatible with CDNs > that do > > > DNS-based traffic direction: > > > > > > o > > > > > > Online / on-demand lookups using ECS, with response > caching. > > > (Possibly requiring collaboration with the CDN to be > on an ECS > > > ACL or allowlist.) > > > > > > o > > > > > > Online DNSSEC signing. > > > > > > o > > > > > > Honoring short (eg, 20s-60s) response TTLs. > > > > > > o > > > > > > Having the scale/capacity and attack resilience to > be able to > > > support this possibly-low-cache-hit-rate request > workload. > > > > > > > > > It is only the third of these that might actually work well > > enough, but > > > may add a huge amount of complexity to authorities, > requiring the > > > authority to also have many recursive functionality. It is > possible > > > that some authoritative operators are willing and able to do > this to > > > enable interoperability. However, if this set of > functionality is what > > > is required to make ANAME work well enough to achieve its goals, > > then we > > > should be clear on that. It would be a mistake to go through all > > of the > > > effort of rolling out ANAME only to find that CDNs declare > it to be > > > incompatible. > > > > I agree that ANAME should fit the CDN use case, but there are > other use > > cases for ANAME that does not require ECS, online DNSSEC > signing. I > > think the ANAME draft provides enough flexibility such that > > authoritative servers can combine ANAME with the above > features to fit > > the CDN use case, but can also be a very simple setup for the > "I just > > want an address redirection from my apex domain name to 'www'".. > > > > If you feel like something specific is missing for the CDN > case, please > > let me know. > > > > > > Thanks, > > > > Matthijs > > > > > > > I’ll add the caveat that the HTTPSSVC proposal doesn’t fully or > > > magically solve this problem either. It is likely that > A/AAAA records > > > will need to live at the zone apex for a long time to come. If > > those are > > > static addresses, they’ll likely still need to do 30[127]-style > > > redirects to “www.example.com <http://www.example.com> > <http://www.example.com> > > <http://www.example.com>” names. However > > > HTTPSSVC leaves an option for “example.com > <http://example.com> <http://example.com> > > <http://example.com>” > > > requests (eg, those containing an Alt-Used request header) > to not need > > > to return a redirect, allowing a somewhat more graceful > transition as > > > client adoption picks up. > > > > > > > > > Erik > > > > > > > > > _______________________________________________ > > > DNSOP mailing list > > > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > <mailto:DNSOP@ietf.org <mailto:DNSOP@ietf.org>> > > > https://www.ietf.org/mailman/listinfo/dnsop > > > > > > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org <mailto:DNSOP@ietf.org> <mailto:DNSOP@ietf.org > <mailto:DNSOP@ietf.org>> > > https://www.ietf.org/mailman/listinfo/dnsop > > > > > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > > https://www.ietf.org/mailman/listinfo/dnsop > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] a CDN perspective on ANAME challenges Erik Nygren
- Re: [DNSOP] a CDN perspective on ANAME challenges Mark Andrews
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking
- Re: [DNSOP] a CDN perspective on ANAME challenges Erik Nygren
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking
- Re: [DNSOP] a CDN perspective on ANAME challenges Ben Schwartz
- Re: [DNSOP] a CDN perspective on ANAME challenges Matthijs Mekking