Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt

Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 18 July 2017 18:02 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33769131B66 for <dnsop@ietfa.amsl.com>; Tue, 18 Jul 2017 11:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=NMm1kR2w; dkim=pass (1024-bit key) header.d=yitter.info header.b=fF/WZuy7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxJn_YCn_zRY for <dnsop@ietfa.amsl.com>; Tue, 18 Jul 2017 11:02:06 -0700 (PDT)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 595A3131A66 for <dnsop@ietf.org>; Tue, 18 Jul 2017 11:02:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id 8E24DBD996 for <dnsop@ietf.org>; Tue, 18 Jul 2017 18:01:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1500400895; bh=ioWRzELjJ9npbQvU3ZtLVkWNxPLvyLwHvW8aZOGWpHM=; h=Date:From:To:Subject:References:In-Reply-To:From; b=NMm1kR2w9vLqEItKZiZhQ+CYhjUffrLxYZOwwCTwJhk44E3+cJh42JGbfIT3pxwof iW6XMKlOMwjNWB1VX9i0S/L1gysloGgNeuXQoH0wxd1Bg2czxPT7dzmvpKt33oFDqV +WGuqq8SqTZFJbGuGdIBIXMeaA783p0ppna4WjAQ=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9R8OJ9hKzGtE for <dnsop@ietf.org>; Tue, 18 Jul 2017 18:01:34 +0000 (UTC)
Date: Tue, 18 Jul 2017 14:01:29 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1500400894; bh=ioWRzELjJ9npbQvU3ZtLVkWNxPLvyLwHvW8aZOGWpHM=; h=Date:From:To:Subject:References:In-Reply-To:From; b=fF/WZuy7KoyaDk1V/3xAi4GY94DQNm0Ykv33+oDgPF2mP4Pqg/lxgO6BPTG00Ve4F r4ps27Lrirc86o8xI/nDIJfuJmg4nMoUgFli7N9J6OTafQEAmQSm4JJI7peiyIVlnk ADnae3uo6ndS1BoJIHNBGfD/tYEBaNi+rCUINaD8=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170718180128.omffg7ce5kbhoqjr@mx4.yitter.info>
References: <149592096439.3966.11385984990945858242@ietfa.amsl.com> <0edbf3f2-e575-3b34-d3f2-f1424f29f6e4@nlnetlabs.nl> <alpine.DEB.2.11.1707181622300.27210@grey.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.11.1707181622300.27210@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iwi6iLOPxxN2aoUInSKhkSy2l-w>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 18:02:08 -0000

Hi,

On Tue, Jul 18, 2017 at 05:09:00PM +0100, Tony Finch wrote:
> In my view an authoritative server which does online signing and on-demand
> record synthesis is a master server. You can make all your public
> authoritative servers into masters if you like, but it must not be
> required.
> 
> If (like me) you have a more traditional setup then ANAME is an
> instruction to the master server about zone maintenance, saying that it
> needs to periodically update the sibling A and AAAA records, similar to
> periodic re-signing, or as if some script were periodically `nsupdate`ing
> the records. The secondary servers can continue to work the same as they
> do now, but they'll work better if they know about some helpful additional
> section rules for ANAME.

I think I (at least mostly) agree.  One possible way to sort out these
bits of potential confusion is to break the problem up into conceptual
parts, so that one can see the way that they work together.  One part
is, "How do you give this instruction to the master server(s)?"  It
covers representation in the master file format, what a master is
supposed to do on input, how to refresh the data, and so on.  A second
part is, "How do you give this instruction to a slave?".  This covers
transferring zones, the trade-offs in handing the slaves the ANAME vs
the "resolved" records, refresh timers and so on.  DNSSEC
considerations at least are split between these, which suggests to me
that these topics could be covered by one document in two parts; but
these are nevertheless separate and separable functional questions.

A third part has to do with downstream resolvers and caches and so on.
This is really a separate problem: how to handle ANAME-aware vs
ANAME-unaware systems, the consequences of an ANAME-unaware cache
ending up with an ANAME in the cache, the effects of having an A and
not AAAA in cache, &c &c.  A fourth part, which might be yet a
separate problem or might be the same document, is what this all looks
like from a stub and what happens when there are chains of forwarders
and caches and so on with a mix of ANAME-awareness and -obliviousness.

I still think that in addition a clear description of why this is hard
would be helpful.  The troublesome thing about Stupid DNS Tricks is
that they're always >80% there, and all the really hard parts are in
that last <20%, and the difficulties in those <20% cases are manifold
and completely unexpected when you think in the abstract cases.  The
people who worked through all the gnarly problems of caches and the
interaction with DNSSEC already went through this once (I came in at
the tail end and mercifully missed most of that), but we're about to
revisit those problems for a different set of questions.  I think we
need to understand why this is more complicated than it looks, and I
think any future implementer will need a clear guide to that also.

 ### WARNING: IETF ADMINISTRATIVE WRANGLING AHEAD ###

Since there's been talk about an interim, it strikes me that the
current issue is the sort of specific topic that deserves one.  But I
also wonder whether this isn't bumping up pretty hard against the
DNSOP charter, and whether this mightn't be a case where we put
together a tightly focussed statement of work that gets chartered as a
WG, with a plan never to meet (or to meet only as "part of" a DNSOP
meeting or something like that), if only to avoid pain and misery when
the documents describing all this go to IETF LC.  I am not interested
even a little bit in making more administrative overhead, but I'm very
much interested in avoiding a "this is off charter" discussion during
IETF LC should we get there.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com