Re: [DNSOP] ANAME TTL vs GCD
Matthijs Mekking <matthijs@pletterpet.nl> Tue, 30 October 2018 13:25 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDACF130DDF for <dnsop@ietfa.amsl.com>; Tue, 30 Oct 2018 06:25:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XCaenI3Imv13 for <dnsop@ietfa.amsl.com>; Tue, 30 Oct 2018 06:25:40 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E906127AC2 for <dnsop@ietf.org>; Tue, 30 Oct 2018 06:25:38 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w9UDJB7v062388 for <dnsop@ietf.org>; Tue, 30 Oct 2018 13:25:37 GMT
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp2130.oracle.com with ESMTP id 2nducm0u2r-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org>; Tue, 30 Oct 2018 13:25:36 +0000
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w9UDPUvt001053 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org>; Tue, 30 Oct 2018 13:25:31 GMT
Received: from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w9UDPUDE006136 for <dnsop@ietf.org>; Tue, 30 Oct 2018 13:25:30 GMT
Received: from [172.19.131.162] (/216.146.45.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 30 Oct 2018 06:25:30 -0700
To: dnsop@ietf.org
References: <alpine.DEB.2.20.1810301108050.24450@grey.csi.cam.ac.uk>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <9b94acf9-d68a-6c6e-36be-99228c3157fc@pletterpet.nl>
Date: Tue, 30 Oct 2018 14:25:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.20.1810301108050.24450@grey.csi.cam.ac.uk>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9061 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810300117
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kjDD5QlNOKx5dhvRsWEZSey_mBk>
Subject: Re: [DNSOP] ANAME TTL vs GCD
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Oct 2018 13:25:50 -0000
I am still of the opinion that the expanded A and AAAA records should use the ANAME TTL*, and the target TTL should be ignored. That TTL is only useful for the cache that is used as part of the ANAME expansion process. The ANAME TTL may be subject to decreasing, if sibling A and AAAA records already exist with a lower TTL. Best regards, Matthijs On 30-10-18 12:50, Tony Finch wrote: > One of the more complicated aspects of ANAME is working out how TTLs > should work, because there are a bunch of tricky constraints. There's > a fairly long rationale in an appendix about the various issues - > https://tools.ietf.org/html/draft-ietf-dnsop-aname-02#appendix-D > > As a design guideline (to help decide choices) I have tried to make ANAME > "like CNAME but only for address records", as much as possible. > > So, the current spec says that the TTL of the sibling address records is > the least TTL from the chain of ANAME and CNAME records and the ultimate > target address records. This tries to match the implicit TTL of a CNAME > chain, which is a result of the chain being followed each time on demand, > so the earliest time the result can change is when the record with the > least TTL changes. > > As a zone administrator, I prefer not having to care about TTLs too much, > so I prefer the ANAME mechanism to do the sensible thing without > hand-holding. I had a suggestion (from Matthijs Mekking I think?) of just > using the ANAME's TTL to set the TTL of the sibling address records, but > for the zones I look after, this would require a lot of special-case TTLs > and annoying manual work. > > However, I just realised the currently specified "least TTL" logic is > going to have interesting effects when the greatest common divisor of the > TTLs is less than the least TTL, when the ANAME processor is querying via > a resolver cache that is outside its control. > > e.g. consider what happens when there is an ANAME with TTL 30s and target > address records with TTL 45s. > > In the first round, the ANAME processor will choose a 30s TTL. > > In the second round, 30s later, it will get the target address records > from the cache with a 15s TTL, so it'll choose a 15s TTL. > > The in the third round it'll be back to 30s. > > The TTL will flip-flop, and there will be a lot of unwanted zone updates. > > This is ugly :-( I'm not sure what the best solution is. > > One possibility is to make the ANAME processor keep a bit more state. At > the moment its nearly-stateless algorithm naturally sees through caches to > converges on the target's authoritative TTL, because it re-checks after > the cache expires. If instead it explicitly tracks the TTLs of each link > in the ANAME+CNAME chain and deliberately works out the authoritative > TTLs, then it can avoid the GCD flip-flop. But it would makes the algorihm > and spec quite a lot more complicated, though I think I prefer that to > manual hand-holding... > > Tony. >
- [DNSOP] ANAME TTL vs GCD Tony Finch
- Re: [DNSOP] ANAME TTL vs GCD Bjørn Mork
- Re: [DNSOP] ANAME TTL vs GCD Matthijs Mekking
- Re: [DNSOP] ANAME TTL vs GCD Tony Finch
- Re: [DNSOP] ANAME TTL vs GCD Tony Finch