Re: [DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-00.txt
Petr Špaček <pspacek@isc.org> Thu, 28 July 2022 09:06 UTC
Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E0BCC13C503 for <dnsop@ietfa.amsl.com>; Thu, 28 Jul 2022 02:06:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.131
X-Spam-Level:
X-Spam-Status: No, score=-7.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=hsny/cwW; dkim=pass (1024-bit key) header.d=isc.org header.b=jWY//Llz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qH3gyskB1-s0 for <dnsop@ietfa.amsl.com>; Thu, 28 Jul 2022 02:06:54 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7930DC14F725 for <dnsop@ietf.org>; Thu, 28 Jul 2022 02:06:53 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id ADDE13AB009 for <dnsop@ietf.org>; Thu, 28 Jul 2022 09:06:52 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org ADDE13AB009
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.1.12
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1658999212; cv=none; b=SgeVEuuf0f3/SX/RftRgw0aaR/Av1PWYBFgnlEnMvwACLa1RQ6FK37JngBMrLNm0PhZJZs9xO/moji4L+iFai8JcgWh4iR1TrpWZgnjcuorDigK2GDX+t78Vf1LHROBF0G/jy33dwtQ1Uy0K+TqPpzjPDdOJmE7fJQ/oOq+H8as=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1658999212; c=relaxed/relaxed; bh=ajBrJbl9wuAZVMDQ4M+hViIeL7iDVvgbC4334Dwmw0c=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version:To: From:Subject; b=h5P2tY5dVE6NI0n+lsXAyG/5WZoDpokvH+s+fQW8ePr7qX72EgT4uypK40JbKPChp8sB8QMrlplx444gl19m6acL9BU2hIsweLwMZuaHx0o3DB+62+C10ZGED+0dD9oUfp29MR4Ad2AZb8e71/9qw1huoi/f6SzneLJ3DHtWpQo=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org ADDE13AB009
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1658999212; bh=BL0ieKSwZ8HUYC6j78o94YKAREVIkdPnU8nFe9SEM5w=; h=Date:To:References:From:Subject:In-Reply-To; b=hsny/cwWjG5v2oEhvpBSxCh0c14fEq3f46xW6Q3zP6fGNkUw3rilqFXgDv6ISATXS 5CIkfr2jF5xOIIC8g1CFiwMtamP0jUM9RI2MwSG465RnHTAkYm2WkWOzTJxlXFBRl0 frErGX5UiBtXEsIZwmTuk++Lv3xps/VA2eQMOEvo=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 9DF14964355 for <dnsop@ietf.org>; Thu, 28 Jul 2022 09:06:52 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 742E3964455 for <dnsop@ietf.org>; Thu, 28 Jul 2022 09:06:52 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 742E3964455
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1658999212; bh=ajBrJbl9wuAZVMDQ4M+hViIeL7iDVvgbC4334Dwmw0c=; h=Message-ID:Date:MIME-Version:To:From; b=jWY//LlzFKqskFFPEuk36vVqoLEHTWa1W6lIxjucWdutaL6rs00w6UqW8YHIi33tI W49Q81ZpTMY+EJSVRSBYhNTxiop9Bznqk9SlnI9aE0pBwniXUADxyfYZWZj4W6tQox RoauWi6f3k2jg+HGYgg9VXrY5iApkSZEHbo6Lg24=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id V0ytAVrhk0Px for <dnsop@ietf.org>; Thu, 28 Jul 2022 09:06:52 +0000 (UTC)
Received: from [192.168.0.158] (ip-86-49-248-142.bb.vodafone.cz [86.49.248.142]) by zimbrang.isc.org (Postfix) with ESMTPSA id 038B5964355 for <dnsop@ietf.org>; Thu, 28 Jul 2022 09:06:51 +0000 (UTC)
Message-ID: <58f37c7c-1570-da5e-9da0-ffbfa63bdcb5@isc.org>
Date: Thu, 28 Jul 2022 11:06:49 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: dnsop@ietf.org
References: <165894373370.51850.14299148943378295267@ietfa.amsl.com>
From: Petr Špaček <pspacek@isc.org>
In-Reply-To: <165894373370.51850.14299148943378295267@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sJlbyhro-4bDhfGBnXhhD5Htcew>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 09:06:58 -0000
On 27. 07. 22 19:42, internet-drafts@ietf.org wrote: > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Domain Name System Operations WG of the IETF. > > Title : Negative Caching of DNS Resolution Failures > Authors : Duane Wessels > William Carroll > Matthew Thomas > Filename : draft-ietf-dnsop-caching-resolution-failures-00.txt I think this is an important clarification to the protocol and we should adopt it and work on it. I like the document up until end of section 2. After that I have reservations about the specific proposals put forth in the section 3. I hope this will kick off discussion, please don't take points personally. I'm questioning the technical aspects. > 3. DNS Negative Caching Requirements > > 3.1. Retries and Timeouts > > A resolver MUST NOT retry more than twice (i.e., three queries in > total) before considering a server unresponsive. > > This document does not place any requirements on timeout values, > which may be implementation- or configuration-dependent. It is > generally expected that typical timeout values range from 3 to 30 > seconds. I'm curious about reasoning about this. My motivation: Random drop or temporarily saturated/malfunctioning link should not cause resolver to fail for several seconds. As an extreme case, think of validating resolver on a laptop forwarding elsewhere. Should really two packet drops cause it to servfail for several seconds? Related to this, I have a principal objection: IMHO we should NOT be inventing flow control from scratch ourselves. On the contrary - we should be borrowing prior art from existing flow control algorithms and adapt them if necessary. > 3.2. TTLs > > Resolvers MUST cache resolution failures for at least 5 seconds. > Resolvers SHOULD employ an exponential backoff algorithm to increase > the amount of time for subsequent resolution failures. For example, > the initial TTL for negatively caching a resolution failure is set to > 5 seconds. The TTL is doubled after each retry that results in > another resolution failure. Consistent with [RFC2308], resolution > failures MUST NOT be cached for longer than 5 minutes. My motivation: Rapid recovery. Why 5 seconds? Why not 1? Or why not 0.5 s? ... I would like to see reasoning behind specific numbers. IMHO most problems is caused by unlimited retries and as soon as _a_ limit is in place the problem is alleviated, and with exponential backoff we should be able to start small. I'm not sure that a specific number should be mandated. > 3.3. Scope > > Resolution failures MUST be cached against the specific query tuple > <query name, type, class, server IP address>. Why this tuple was selected? Why not <class, zone, server IP> for, say, timeouts? Or why not <server IP> for timeouts? What about transport protocol and its parameters? (TCP, UDP, DoT...) etc. My motivation: - Simplify cache management. - Imagine an attacker attempting to misuse this new cache. The cache has to be bounded in size. It has to somehow manage overflow etc. Generally I think this MUST is too prescriptive. It should allow for less specific caching if an implementation decides it is fit for a given type of failure and configuration, or depending on operational conditions. -- Petr Špaček
- [DNSOP] I-D Action: draft-ietf-dnsop-caching-reso… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-caching-… Petr Špaček
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-caching-… Wessels, Duane