[DNSOP] ANAME loop detection
Jan Včelák <jv@fcelda.cz> Thu, 04 July 2019 09:37 UTC
Return-Path: <jv@fcelda.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC3B51201D4 for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 02:37:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fcelda.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ga3YbFF5A8eE for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 02:37:55 -0700 (PDT)
Received: from mail-ua1-x92e.google.com (mail-ua1-x92e.google.com [IPv6:2607:f8b0:4864:20::92e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AD9E12009C for <dnsop@ietf.org>; Thu, 4 Jul 2019 02:37:54 -0700 (PDT)
Received: by mail-ua1-x92e.google.com with SMTP id z13so923747uaa.4 for <dnsop@ietf.org>; Thu, 04 Jul 2019 02:37:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fcelda.cz; s=google; h=mime-version:from:date:message-id:subject:to; bh=BsWk25y00bshBVdv8mh77ph+IV4fXNWHs99nbQUW1j8=; b=B8O5ywf9hhOCXmz8pHH78WHlWb6rvwjOPZ+sT68qHTZNtGuKwmfvQYynfbLxLVwwz3 07CAwiep+XrqD+eQlQQTIAytufmIFnO6Mn++A9qsMuN12bghdDNkk8omnJRs9bVHDOAh sDHZoKnOifuAa9ev+Zezn6L8jhDx098i19Obs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=BsWk25y00bshBVdv8mh77ph+IV4fXNWHs99nbQUW1j8=; b=ndsQZ5IKFQVXVYWT5sHlZQYIbMX2XcDVLZXZAt3ch+j65nZMZnzp1F4YLupe3NzxP8 RwxfEJ0i3REDGd+mMT2/SkGIMnpr1cTmvliezBxevfPALlKf1smguPN3tHovSXs5vG6S sTEqO1apPIu2A/B4ChmRr5wp0TtzvMGZB9+r9JHENNbf6KEelXMaz6/jn8vyunzb/vac c8FkODzNRk5ubkynRuANmT9yyPXP/54XUi36ASy59C7T5bhNS09x80oTkqTBN/EwFBmH i9p8Y0AXkPhqGczWh/4SbKofD3cpj9NbVDXn5/O+Gz/zKut88uwyuU2YktDuN0todtcc PrIA==
X-Gm-Message-State: APjAAAXLp09FH1hvrxmgCvd/nnLqZ/ccbnBJp2jQm3RoWuAE9lyuaSFJ 2JgocEtR9ogj6M/qUt5NYiJPr7vcGeMBtLfSUCIVCXfXTR1utVVG
X-Google-Smtp-Source: APXvYqwb/cuksjKm9OMzWty+ERJO35Fxh93SMuzD5YIMJ3NEt29IerGQIu/3ynNSkoQhLF+g3CMTqg/YIIIb2zCdEDY=
X-Received: by 2002:ab0:44b:: with SMTP id 69mr19792217uav.51.1562233073670; Thu, 04 Jul 2019 02:37:53 -0700 (PDT)
MIME-Version: 1.0
From: Jan Včelák <jv@fcelda.cz>
Date: Thu, 04 Jul 2019 11:37:42 +0200
Message-ID: <CAM1xaJ9txy98s5Y+Sq5T5N1KaD-LvtrDTut=mUomjHFwTvWnDg@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pDMmaOHtBWYz8acsIsYU-gHUCTo>
Subject: [DNSOP] ANAME loop detection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jul 2019 09:37:58 -0000
Hello. I would like to resurrect the discussion about ANAME loops handling and detection. I attempted to write a discussion section on this topic for draft-ietf-dnsop-aname [https://github.com/each/draft-aname/pull/70] and we also talked about this a little off-list with Shane and Matthijs. If you are still not concerned about the loops, imagine this setup: Let's have two authoritative servers X and Y performing ANAME sibling address substition on the fly (i.e. they attempt to resolve the ANAME target when the client query arrives). If server X gets a query for FOO.TEST which is an ANAME to BAR.TEST, it will send a query to server Y for BAR.TEST which is an ANAME to FOO.TEST. Server Y will then start a new query to server X, which has no way to know that it is regarding the original FOO.TEST lookup. The only indicator of the presence of the loop in the described setup is the network timeout. Ideally we would recognize the loop explicitly based on the exchanged DNS messages. The on-the-fly ANAME substitution is allowed by the draft and it's just the most obvious scenario where the problem can be demonstrated. I'm quite sure there are other cases which do not involve authoritative server doing on-the-fly substitution and where the loops will still be a problem. The root cause is that when the server gets a query it doesn't know why and that the server always attempts to fully resolve the ANAME target before sending the response. We had been thinking about how this could be fixed and here is what we have came with: 1. EDNS "do not follow ANAME" option: The requester would indicate that it is capable of following ANAME and that the server receiving the query should not include the ANAME sibling address records. The loop detection would then work exactly the same ways as with CNAMEs. 2. QTYPE=ANAME: According to the current version of the draft, server answering to ANAME must include the ANAME and should include the sibling records. Let's modify the behavior and say the server should not (must not) include the sibling records. Then the server performing ANAME sibling address resolution could first query for ANAME before trying A or AAAA. We get the same loop detection mechanism as with CNAMEs at the cost of an extra query per ANAME 3. EDNS "seen names" options: An option with a list of visited ANAMEs would be introduced. The requester would add the option into the query when resolving an ANAME target. The receiving server would consult the list in case another ANAME was encountered and either broke the loop or forwarded the updated option to the next server. 4. EDNS "nonce" option: Variance on the previous option which would include a numeric nonce instead of full domain names. A receiving server would break the loop if it has seen their nonce. It would be more compact but the question is how to select the nonce pragmatically especially if there can be more servers serving the same zone. Do you have thoughts on the listed options or brand new suggestions? It's also worth mentioning that this is an optimization in a sense. The timeouts will be the only option to resolve the loop with ANAME-unaware resolvers. Jan
- [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Matthew Pounsett
- Re: [DNSOP] ANAME loop detection Shane Kerr
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Tony Finch
- Re: [DNSOP] ANAME loop detection Matthew Pounsett
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Shane Kerr
- Re: [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Paul Vixie