Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-client-subnet-07.txt
Mukund Sivaraman <muks@isc.org> Mon, 21 March 2016 13:52 UTC
Return-Path: <muks@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3E6612D809 for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2016 06:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-f2jLUSt2qf for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2016 06:52:06 -0700 (PDT)
Received: from mail.banu.com (mail.banu.com [46.4.129.225]) by ietfa.amsl.com (Postfix) with ESMTP id C3A5812D84D for <dnsop@ietf.org>; Mon, 21 Mar 2016 06:52:05 -0700 (PDT)
Received: from jurassic.l0.malgudi.org (unknown [49.248.243.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 9509B2FA01D3; Mon, 21 Mar 2016 13:52:02 +0000 (GMT)
Date: Mon, 21 Mar 2016 19:21:59 +0530
From: Mukund Sivaraman <muks@isc.org>
To: dnsop@ietf.org
Message-ID: <20160321135159.GB28581@jurassic.l0.malgudi.org>
References: <20160321130839.31949.19155.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="dTy3Mrz/UPE2dbVg"
Content-Disposition: inline
In-Reply-To: <20160321130839.31949.19155.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/mBSBKmFu1ePKXiliNbSRUv4Y1F4>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-client-subnet-07.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2016 13:52:08 -0000
Hi all On Mon, Mar 21, 2016 at 06:08:39AM -0700, internet-drafts@ietf.org wrote: > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Domain Name System Operations of the IETF. > > Title : Client Subnet in DNS Queries > Authors : Carlo Contavalli > Wilmer van der Gaast > David C Lawrence > Warren Kumari > Filename : draft-ietf-dnsop-edns-client-subnet-07.txt > Pages : 32 > Date : 2016-03-21 > > Abstract: > This document describes an EDNS0 extension that is in active use to > carry information about the network that originated a DNS query, and > the network for which the subsequent response can be cached. Since > it has some known operational and privacy shortcomings, a revision > will be worked through the IETF for improvement. This revision is a welcome improvement on the previous revision of the draft. There are still some minor topics that need consideration (after off-list discussions among people on the dnsop list). These have been sent to the author. I'm listing them here for completeness: (1) Section 7.2.1. Authoritative Nameserver: > When deaggregating to correct the overlap, prefix lengths should be > optimized to use the minimum necessary to cover the address space, in > order to reduce the overhead that results from having multipe copies > of the same answer. As a trivial example, if the Tailored Response > for 1.2.0/20 is A but there is one exception of 1.2.3/24 for B, then > the Authoritative Nameserver would need to provide Tailored Responses > for 1.2.0/23, 1.2.2/24, 1.2.4/22, and 1.2.8/21 all pointing to A, and > 1.2.3/24 to B. This is a greatly improved description. It would be good to add here that the authoritative server would also have to provide the following *exact-match* tailored responses in ADDRESS/SOURCE/SCOPE syntax (for corresponding ADDRESS/SOURCE queries): 1.2.2/23/24 pointing to A 1.2.0/22/24 pointing to A 1.2.0/21/24 pointing to A 1.2.0/20/24 pointing to A which should be cached to exactly match the SOURCE prefix length. (2) Section 7.3.2. Answering from Cache: > o If there was an ECS option specifying SOURCE PREFIX-LENGTH but no > ADDRESS, the client's address is used but SOURCE PREFIX-LENGTH is > initially ignored. Wouldn't this be a FORMERR according to section 6 (option format)? (3) An authoritative server replies with SCOPE > SOURCE in some cases. This is now described in detail in the -07 revision of the draft. Let's assume a local resolver as SOURCE=16 configured as policy. A client 10.0.0.1 queries the resolver and the resolver's cache is empty. The resolver queries a remote nameserver with 10.0.0.0/16 and the auth server responds with 10.0.0.0/16/24. It means that the answer is strictly valid for 10.0.0.0/16 only, because it has a more specific /24 answer for some subnet under 10.0.0.0/16. In this case, the resolver caches the answer at 10.0.0.0/16 with an exact-match flag set to true. Now assume that the same client 10.0.0.1 sends a second query to the resolver for the same question. Now, these two cases can happen: (a) the resolver looks in cache for 10.0.0.0/16 for a previously cached answer because SOURCE=16 and finds the exactly matching answer. (b) the resolver looks in cache for 10.0.0.1/32 and does not find the previously cached answer. It seems that (a) is the correct or desirable behavior. However, the draft seems to suggest (b) which is not optimal. See section 7.3.2 (Answering from Cache): > Cache lookups are first done as usual for a DNS query, using the > query tuple of <name, type, class>. Then the appropriate RRset MUST > be chosen based on longest prefix matching. The client address to > use for comparison will depend on whether the Intermediate Nameserver > received an ECS option in its client query. > > o If no ECS option was provided, the client's address is used. This should be updated to say something like "If no ECS option was provided, the client's address and the value of its maximum cacheable prefix length are used to construct an address prefix to search in the cache". (4) This observation is from Stephen Morris: From section 7.3.1 (Caching the Response): > If SOURCE PREFIX-LENGTH is shorter than the configured maximum and > SCOPE PREFiX-LENGTH is longer than SOURCE PREFIX-LENGTH, store SOURCE > PREFIX-LENGTH bits of ADDRESS and mark the response as only valid to > answer client queries that specify exactly the same SOURCE PREFIX- > LENGTH in their own ECS option. When there are overlapping answers, and SCOPE > SOURCE is returned, if the SOURCE PREFIX-LENGTH that is returned by the authoritative server is the *shortest* prefix length of a more specific answer that the authoritative server has under /SOURCE, the answer would be valid not just for subsequent queries exactly matching /SOURCE, but all the way from SOURCE to SCOPE-1. Example 1: (1) Let's say that for a question Q, the authoritative server has answer A1 for /0, answer A2 for 10.0.0/24, answer A3 for 10.0.1/24. (2) The caching resolver queries for Q with ECS=10.0/16. The authoritative server returns 10.0/16/24. Here, the answer is not just valid for 10.0/16, but also for 10.0.x/17, 10.0.x/18, ... 10.0.x/23 (where "x" address bits are don't-care bits, i.e., they can be 0 or 1 valued). This is because /24 is the shortest address prefix length under /16 for which the authoritiative server has overlapping answers. Example 2: (1) Let's say that for a question Q, the authoritative server has answer A1 for /0 and answer A2 for 10.0.0/20, and answer A3 for 10.0.0/24. (2) The caching resolver queries for Q with ECS=10.0/16. The authoritative server returns 10.0/16/20. Here, the answer is not just valid for 10.0/16, but also for 10.0.x/17, 10.0.x/18 and 10.0.x/19 (where "x" address bits are don't-care bits, i.e., they can be 0 or 1 valued). This is because /20 is the shortest address prefix length under /16 for which the authoritiative server has overlapping answers. Depending on what the authors decide, the draft may be updated to permit this case. Mukund
- [DNSOP] I-D Action: draft-ietf-dnsop-edns-client-… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cli… Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cli… 神明達哉
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cli… Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cli… 神明達哉
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cli… Mukund Sivaraman