Re: [DNSOP] ANAME loop detection
Matthijs Mekking <matthijs@pletterpet.nl> Thu, 04 July 2019 13:19 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DBC81206F5 for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 06:19:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lDRntAsEkwb4 for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 06:19:16 -0700 (PDT)
Received: from lb2-smtp-cloud9.xs4all.net (lb2-smtp-cloud9.xs4all.net [194.109.24.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F0291206BA for <dnsop@ietf.org>; Thu, 4 Jul 2019 06:19:15 -0700 (PDT)
Received: from [IPv6:2001:980:4eb1:1:3992:4add:1cf0:92e1] ([IPv6:2001:980:4eb1:1:3992:4add:1cf0:92e1]) by smtp-cloud9.xs4all.net with ESMTPSA id j1dlhBcvQAOfNj1dmhyNLU; Thu, 04 Jul 2019 15:19:12 +0200
To: Shane Kerr <shane@time-travellers.org>, dnsop@ietf.org
References: <CAM1xaJ9txy98s5Y+Sq5T5N1KaD-LvtrDTut=mUomjHFwTvWnDg@mail.gmail.com> <a4137531-7641-34f2-6443-1cd904b485e3@pletterpet.nl> <78d6f44a-2946-5fbc-a31f-6708f8ceb246@time-travellers.org>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <2d637c56-7c83-597b-af0b-39f2ded40caf@pletterpet.nl>
Date: Thu, 04 Jul 2019 15:19:09 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <78d6f44a-2946-5fbc-a31f-6708f8ceb246@time-travellers.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfNvWD52PxusiNLbUCKA8nqNbh3qDOSGWQQn7jH/zhQiR75Gj3tdqYUHHBUXrUMIvA23W65xlg7D96ktGdiqbRJ7qUG3dQMRVZUhCpyFPeMuHEURC2AKj fluRwJ3LCH0ylLXprX7jw54kKakJm1sS4m7B5TUDxOkcOUIj0Dao66Q0IlwDWjizlm3RMQvinwcSxIMc9wvMX+Gd+i0K+PIYfzTpMlp7Bgyb56gtqtLfAFTS 67eJn8phjQU70yfIhhM7T2lDy1UQAy4rJuwrhZTX1WFV4Jh3rqqm67F0uZULQo9Bs5zLvO2+ppf3+tVllU8Elw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lP4uwdjpM6FegzcBDGvofNYmKf0>
Subject: Re: [DNSOP] ANAME loop detection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jul 2019 13:19:18 -0000
Shane, On 7/4/19 2:29 PM, Shane Kerr wrote: >>> 2. QTYPE=ANAME: According to the current version of the draft, server >>> answering to ANAME must include the ANAME and should include the >>> sibling records. Let's modify the behavior and say the server should >>> not (must not) include the sibling records. Then the server performing >>> ANAME sibling address resolution could first query for ANAME before >>> trying A or AAAA. We get the same loop detection mechanism as with >>> CNAMEs at the cost of an extra query per ANAME >> >> Again, I think what we should clarify is that it is a signal to not do >> do ANAME target lookup. Sibling address records are fine and required at >> some point. >> >> I like this option the best, because the requester is interested in the >> ANAME record in the particular zone, and so there is no need for >> chasing. While with address queries the requester is actually >> interested in the target address, and so chasing makes sense. >> >> We could change the specification such that a server that does ANAME >> target lookups MUST use QTYPE=ANAME and servers receiving ANAME queries >> MUST NOT chase the target and would solve the loop problem. > > My main concern about this approach is the extra lookup required. > > Keep in mind that most ANAME targets are NOT going to be ANAME > themselves (although probably many will), so this means that in most > cases ANAME servers will have to do an extra lookup before moving on to > usual A/AAAA lookups. These QTYPE=ANAME cannot be done in parallel with > A/AAAA queries, since those might trigger the ANAME loops that we are > trying to prevent. If we change the specification such that sibling address records MUST be in the response to an ANAME request that extra lookup is not needed.
- [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Matthew Pounsett
- Re: [DNSOP] ANAME loop detection Shane Kerr
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Tony Finch
- Re: [DNSOP] ANAME loop detection Matthew Pounsett
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Shane Kerr
- Re: [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Paul Vixie