IETF Logo Mail Archive

Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSSVC responses)

Eric Orth <ericorth@google.com> Thu, 28 May 2020 19:21 UTC

Return-Path: <ericorth@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C39E3A09A2 for <dnsop@ietfa.amsl.com>; Thu, 28 May 2020 12:21:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 27FdNgyUC_l5 for <dnsop@ietfa.amsl.com>; Thu, 28 May 2020 12:21:47 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D17EF3A0946 for <dnsop@ietf.org>; Thu, 28 May 2020 12:21:46 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id q11so434787wrp.3 for <dnsop@ietf.org>; Thu, 28 May 2020 12:21:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=WkcArdDiDGfIb+P7v24qbtIgLTQLViojF5WPWYQLiew=; b=PyG6bfwrOCTkRg38JxTxbuQbrH6OW73JqT5Sn8GAXjbxU2PnfG7UYzNfAGJJmzRE/u g4wdx8S//oCzmYaHbfCOksLN89KBcTuiCiuuYWslimgyOOQ2FHiVHK3KRUVgEsaiJNze sYt5htIdTP8NVLacoVxIQu06rJI6zU7jcJrDmRmvcdf5pjJOq5oijv/m0k6Q19dYz9GF v3KCQzPEXi7Y1LbNsWHUUaCzLQJZ5xn1Mrf21smjjHK/j4FRYlxfKwTvjjLo9QT9JhJQ YRrtE5RHC5THuFw4q5PE+UIulj0wMSKJ1ZUUgllTxV51KSr7Z1NsVgG+1CV4VpJmiPtC Us1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=WkcArdDiDGfIb+P7v24qbtIgLTQLViojF5WPWYQLiew=; b=l0S8sLAGhU37Mn+mn9IS/ICkjbGCl8DgJSDk8Mgi/E8zyPnLg1yCq1H3T0uiKK6Gyk sB+k9A30rpuo/VHg4hUWb0fS/eo6UvLjcoEO0vSADZtBNJp3qgsP+7K6Ozl22HgvIdL+ mQiTjtC3dJM/vcP4z81pvceDadFzjeFVEHToAg/8E8ljkGXHpXx01wmPfuVK9DIuh59Y m6Rf9KOh7GC70K9kblccHHyd0Zv5jSu1+wbDWWc33OONX2mAKsZDwA27dhA/udWZdugm 6L8rYaEzII+BAzmpRSyIHk///JaFKKqhTpI+T+S4pqHX7liR9kt/V7jIADZCgYzBNFYF sYWA==
X-Gm-Message-State: AOAM533gE2kjnDka36aKhQGFvYKBYk6o4RsTzV8tjrnKLXYeSJcyeWBJ gT/0u6qalAHo2M3NoB2s3XAq/4sB1LS/RsdqfdwQsdNc
X-Google-Smtp-Source: ABdhPJzdLiMLNigWwYuAvGOwHxE8UhILp86d/eHPc865vnyPTb0pJ5e8rmt8NLX98ZL/m2HuW+KsP9EagOU/OKMnOtY=
X-Received: by 2002:adf:de0b:: with SMTP id b11mr4865813wrm.346.1590693704304; Thu, 28 May 2020 12:21:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAMOjQcHAKC6ge2te8eqPz3JFmmLrpBoTSt2yKKxFXHpQEyjLqg@mail.gmail.com> <1852098.ajqZCkXiOD@linux-9daj> <e0567177-b1b4-e9e7-d2a8-faddbbc911bc@nic.cz> <2e1faccd-bdc4-b156-c460-1bada946d1c9@bellis.me.uk> <fa89c1ec-7748-3952-0597-524d6bd8ce6d@time-travellers.org> <3e349f68-3f59-82af-d81c-bfb24f54e65e@nic.cz>
In-Reply-To: <3e349f68-3f59-82af-d81c-bfb24f54e65e@nic.cz>
From: Eric Orth <ericorth@google.com>
Date: Thu, 28 May 2020 15:21:32 -0400
Message-ID: <CAMOjQcH9V5jP2vQmx1QU3d8qo6MMjfq27MsL4wFa4zQzh9-mFA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003156ff05a6ba3d2c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sdsH1OMb7hOEi-xav-Lw2Afomj4>
Subject: Re: [DNSOP] Multi-QTYPES (was: unsolicited HTTPSSVC responses)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2020 19:21:49 -0000

I lead engineering for the stub resolver built into Chrome browser, so
while not an OS-level stub, maybe still prominent enough to count for the
"any communication" requested above.

My biggest concern with an approach like this is ossification from
middleboxes (especially some old home routers) that may not be ideally
engineered for the modern web.  Chrome has seen significant issues in the
past with such middleboxes creating pain (super slow responses mostly) for
a small number of our users on sending unusual queries or an increased
amount of queries.  As such, we're generally afraid of sending out anything
other than basic and rate-limited requests when it comes to Classic DNS.
Attempting new things and falling back to conservative behavior on an issue
is not necessarily a reasonable approach because the middlebox pain is not
always limited to the individual queries.  In some cases, probing or
experimenting with resolver capabilities can cause user pain for all
subsequent queries for a period of time on the order of minutes.

Since this specific multi-query proposal encodes it in EDNS, it might be
more reasonable.  I don't have any actual data to back this up, but I would
guess that unknown EDNS options are less likely to cause issues than
completely unknown queries.  So it might be safe enough to at least do
super cautious experimentation around it.

Note that none of these ossification issues are really a concern with DoH
(or DoT) where we can be reasonably sure we're talking to a modern
non-ossified resolver.  The usefulness of combining queries is a little
reduced since DoT and DoH often use connection sharing for multiple
requests anyway.  But there's still some potential value.  In ECH (ESNI)
discussions, it has come up a few times that an attacker could try to force
a downgrade from ECH by identifying and blocking the larger packets
containing HTTPSSVC responses that contain ECH keys but not address
resolves.  Much safer if A/AAAA and HTTPSSVC can be in the same
query/response to force an attacker to block everything or nothing.

Additional possible issues with this multi-query proposal:
*By combining A and AAAA, you might lose nice abilities to try to speed
things up using Happy Eyeballs v2 style algorithms to immediately start
using addresses as they come in, before all addresses are received.  Not
currently a huge issue for Chrome DNS because we don't currently support
Happy Eyeballs v2, but we'd be hesitant to lose the ability to make that
improvement.
*The current proposal seems to give the resolver a lot of leeway to only
sometimes include the additional results and includes a TODO note that
maybe there should be a way for clients to mark qtypes as mandatory.  I
don't think the client would get as much use out of multiple qtypes unless
it had reasonable confidence that it would at least usually get all the
responses.  Otherwise, the client is often going to have to make multiple
requests in parallel anyway to ensure it can get all the responses
reasonably quickly in parallel.  Then again, if it's something like
requesting an extra qtype that we would be afraid to send in Classic DNS
anyway (due to the ossification issues), eg HTTPSVC, I suppose there's more
value of just adding in the additional qtype and using the response
opportunistically when received.

On Thu, May 28, 2020 at 12:22 PM Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
wrote:

> Hello.
>
> On 5/28/20 10:00 AM, Shane Kerr wrote:
> > As I have mentioned several times on microphone, I think this draft
> > has huge potential, potentially cutting the number of queries handled
> > by recursive resolvers almost in half - since they could ask for A and
> > AAAA records in a single query.
>
> I'm not sure if it would be a net benefit if we consider the added
> complexity (like the few unpleasant corner cases), the need to implement
> on both sides, and other ways that are available.  Is saving the number
> of IP-layer packets the only significant motivation?
>
> For resolver-to-auth case I do suspect some potential.  Plain UDP will
> probably still stay popular there for some time.  Though I'm afraid this
> might _sometimes_ push the answer sizes too large to fit into one packet
> (in signed zones), which in my eyes slightly reduces attractiveness of
> the technique, now that we know that UDP over 1.5 kB is no good.
>
> For non-auth cases, you typically communicate with just one upstream
> resolver (or very few), so if the number of packets is a concern, I'd go
> for a long-lived TCP or TLS connection (there's e.g. privacy motivation,
> too).  That's all standardized already, and it naturally avoids those
> extra corner cases.  Sure, it's probably possible to improve
> significantly on session timers and resuming, performance, usage of
> Nagle's algorithm, etc. but ATM to me that feels a more worthwhile
> investment than any of the multi-answer proposals.  One advantage is
> that many of the TCP/TLS improvements can be deployed one-sidedly with
> some effect but multi-QTYPEs can't.
>
> --Vladimir
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email