Re: [DNSOP] Hybird Resolver/ DNS invariants
Paul Vixie <paul@redbarn.org> Tue, 16 June 2020 16:03 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8B133A181C for <dnsop@ietfa.amsl.com>; Tue, 16 Jun 2020 09:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W2rbtswhYt-a for <dnsop@ietfa.amsl.com>; Tue, 16 Jun 2020 09:03:38 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 098DD3A180D for <dnsop@ietf.org>; Tue, 16 Jun 2020 09:03:37 -0700 (PDT)
Received: from linux-9daj.localnet (dhcp-166.access.rits.tisf.net [24.104.150.166]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (1024 bits) server-digest SHA256) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id AA39EB07D0; Tue, 16 Jun 2020 16:03:35 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: Davey Song <songlinjian@gmail.com>, dnsop@ietf.org
Cc: dnsop <dnsop@ietf.org>, Ralf Weber <dns@fl1ger.de>
Date: Tue, 16 Jun 2020 16:03:34 +0000
Message-ID: <5589359.aibOfOBbj8@linux-9daj>
Organization: none
In-Reply-To: <CD96B024-5B82-4CA7-AE1E-52597741E642@fl1ger.de>
References: <CAAObRXJF5S59jt9ipBtOLw3TK9x64+MJ3XaecWzURKBnhLtF7A@mail.gmail.com> <CD96B024-5B82-4CA7-AE1E-52597741E642@fl1ger.de>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pWqgY-dqEJCjNyMld-8zinITNmw>
Subject: Re: [DNSOP] Hybird Resolver/ DNS invariants
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2020 16:03:42 -0000
On Tuesday, 16 June 2020 06:56:49 UTC Ralf Weber wrote:
> Moin!
>
> On 16 Jun 2020, at 4:23, Davey Song wrote:
> > ...
> > I hope it is helpful to provide information including risk for people who
> > are doing or going to the same thing.
> >
> > There are some existing cases in the discussion:
> > 1. A resolver syncs (pull or receive server push) with an authoritative
> > server. It reduces the recursion and resolves the very-short TTL
> > requirement. RFC7706 provides an approach. Other resolveless approaches
> > are used as well..
i've described this to you (when you were at BII) several times as a kind of
microtransfer or lease, where cooperating initiators (RDNS in this case) and
responders (ADNS in this case) can agree on a NOTIFY TSIG key to be used
later, so that an RRset if changed or removed in the authority, a few million
leaseholder RDNS can be told about this. i still think it's a good idea but as
before i'm in no position, schedule-wise, to drive it. if you start an effort
on it, i'll contribute. as you know, synchronizing the root zone (RFC 7706)
solves almost none of the problem of occasional connectivity, since so many
other NS, DS, glue, key, and signature data are needed in-cache to continue
retrieving other answers during times of disconnectivity. we (you) should do
this.
> > 2. A resolver can forward queries to another resolver if the load is high
> > to reduce the recursion.
if by this you mean the potential for a DNS Ring, where a cooperating set of
RDNS servers agrees to randomly forward queries through other RDNS servers in
order to obscure the real source of a query, then i'm in favour of it. it's
long been known that ECS is a privacy nightmare; we must obsolete it and also
erase set-associativity currently available by non-anycasted RDNS servers. i'd
like to see a world where every house, every VM cluster (including laptops
like mine) can run their own recursive validating iterating caching DNS server
and have almost none of those queries reach an ADNS server with any sort of
topology or other identifying characteristics. we (you) should do this also. i
think it would be _very_ popular in these anti- pervasive monitoring times.
> > 3. A resolver/authoritative server mode serving Apps via DoH or other
> > Application-level DNS. Operators of apps can edit each response on demand
> > and propagate the changes of DNS RR in seconds. It also provides a private
> > zone and names for each Apps.
i think a correct and complete microtransfer / lease method as described for
#1 above would answer this App level requirement, and that working on this
requirement discretely would qualify as unnecessary systemic complexity.
> > 4. A Hybrid DNS which is used as a name server but cache and pull the
> > authoritative data from another authoritative server. It provides an
> > approach to easily scale the system without any change of existing
> > authoritative DNS.
i think ralf's observation (below) applies here. existing RDNS implementations
already do this. i think it's justified for NS/DS, glue, key and signature
chains needed to re-fetch and re-validate high-usage cache content, and that
it may also be justified for high-usage content itself. but if it's to become
a standard, it should be part of #1 above ("if the ADNS doesn't agree to share
a NOTIFY TSIG key") rather than pursued independently.
> > Do you think it is a useful effort for DNSOP WG? Any suggestions or
> > observed related discussions on the DNS invariants?
i think DNSOP is the wrong working group, and that the IRTF would be better at
this early stage. however, if you begin the work, several of us will
contribute.
> ...
>
> What you describe is mix of observed behaviour and local implementations,
> and IMHO not the best way to deploy DNS, but others may have different
> opinions here. So if you want to describe these deployments, so that we can
> discuss them go ahead. But I don’t think that we want to require DNS being
> build that way.
ralf's comments are evidence that DNSOP is the wrong working group for this. i
think that good solutions to #1 and #2 from davey's list will require protocol
changes, and that if those existed they would be popular. however, DNS vendors
and operators who dominate discussions in DNSOP, have more important things to
work on. (to ralf's point, each of these extensions would be opportunistic,
and the risk of having them become required is at least 20 years in the
future.)
--
Paul
- [DNSOP] Hybird Resolver/ DNS invariants Davey Song
- Re: [DNSOP] Hybird Resolver/ DNS invariants Ralf Weber
- Re: [DNSOP] Hybird Resolver/ DNS invariants Mats Dufberg
- Re: [DNSOP] Hybird Resolver/ DNS invariants Paul Vixie
- Re: [DNSOP] Hybird Resolver/ DNS invariants Davey Song
- Re: [DNSOP] Hybird Resolver/ DNS invariants Paul Vixie