IETF Logo Mail Archive

Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?

Matthew Pounsett <matt@conundrum.com> Thu, 11 April 2019 22:50 UTC

Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 703411201BD for <dnsop@ietfa.amsl.com>; Thu, 11 Apr 2019 15:50:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FZO3ElvLcj5l for <dnsop@ietfa.amsl.com>; Thu, 11 Apr 2019 15:50:23 -0700 (PDT)
Received: from mail-it1-x12f.google.com (mail-it1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E14312016A for <dnsop@ietf.org>; Thu, 11 Apr 2019 15:50:23 -0700 (PDT)
Received: by mail-it1-x12f.google.com with SMTP id x132so12604052itf.2 for <dnsop@ietf.org>; Thu, 11 Apr 2019 15:50:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Vsq3NKcSfEGAgf8n6Y+hvmTUZPwnphpToBiQeW+iFFg=; b=BlgNaBQCcfBAp2Zo0o6c7iCfZk23k+4kcJS+ohyWein5eWSdYYSdPIOBM3OWCk9e6j hHf0lZ2f5M4+jkYdAoLZQpAOJ55yh8dRZ3oHRe9F3B0s8ipEh6GTLRG5xHw+mdve2GWU WQ+WhTRpzO0iPa0WMRg7WZMJHZ21ZPvpNJ7AKck58HprcSyZKodu281wmb/dvxr4SNDh ZZRtHZ+JX7eSP4BqA8oY/POxjkPwDZI47XMsXJSs3XymbfWydh6iksN3xqTN7sz1aTBR llK6y91M3okDayh84JwAvjbb5v1GEYPGKg+IB2BURjSufHPlHdwqkLSGBmN/kiXwN4F0 7C0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Vsq3NKcSfEGAgf8n6Y+hvmTUZPwnphpToBiQeW+iFFg=; b=W60hElQCNGJgv+taS2JjdMlkzDuc2qcDOvERUJbIAedqBir9k0+C8iF3iEzBiaHIOw U4fYxqvMH279vLYWsTkelS26Zu7+ewHyZawNr/DuD2Afyn6OV/5HwNYdn+euJ0zUrzdB O3b6cgJgsRqfHv6NDxZKwUOl5rPQ2iAf7RJ9ZUStrpfzGyHM/h2xrntkeeQC95iuZRnC 4hU34CQ3TBGskARLH9vC5IRnAgiv9qKXuYmk+uty/cAxQgjcAXIg7J9Ea6ZPJpmFhRiB zAydqz5teYlNVihetj6nAE9EfU/+mcaXeLsiThCGIdSJAu0C3nsCTyiOYvEFdxqGwoJe vFgg==
X-Gm-Message-State: APjAAAXq5HQnq4+z9ODd7ylzLJjv7eV3Bh9Qv85ZCd+t93FtdqPpNiyK re5T/WQHZlnyM7qaHXQ/coJJJsI68YE0XYbzTPid5Q==
X-Google-Smtp-Source: APXvYqzIvqSFryDB2d9iMMKPxHHZjH5wI5GgIwS4VpP676gidgfiS2OA/QoCUw6E9K3QHfYGMtBv+gmFu6eabQNEI/Q=
X-Received: by 2002:a02:c6d8:: with SMTP id r24mr13927243jan.93.1555023022372; Thu, 11 Apr 2019 15:50:22 -0700 (PDT)
MIME-Version: 1.0
References: <d8ccad4a-cd0c-4c97-b4d7-2099657351dc@oracle.com> <CA+nkc8BM+mfTBm3XyOaZUF5hMg23t9aSY4nq4Y4=BQ-sjcjkVg@mail.gmail.com> <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com>
In-Reply-To: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com>
From: Matthew Pounsett <matt@conundrum.com>
Date: Thu, 11 Apr 2019 18:50:11 -0400
Message-ID: <CAAiTEH9Eg0oYw9HR9Ab5pYikFUvcbWXneF39_8xasp6tE9PpCA@mail.gmail.com>
To: Richard Gibson <richard.j.gibson@oracle.com>
Cc: Bob Harold <rharolde@umich.edu>, dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mPwn04WOyHvp3OFTXzZVUYtB3CA>
Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 22:50:25 -0000

On Wed, 10 Apr 2019 at 16:43, Richard Gibson
<richard.j.gibson@oracle.com> wrote:
>
>
> The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself.

I think I'm missing something here.  If, for example, the TTL of the
ANAME is 1 hour, what mechanism results in caching holding onto a
negative answer for a broken target name for a minimum of 10 hours,
and to 40 days?

>
> Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be beneficial to dynamically remove ANAME siblings, please share it.

I feel like this is creating an even bigger potential problem.  What
happens when the owner of the ANAME target legitimately wants that
name to go away, but some other zone owner is leaving an ANAME in
place pointing to that now-nonexistent name?  Continuing to serve the
sibling records indefinitely seems like serve-stale gone horribly
wrong.

v2.23.0 | Report a Bug | By Email