IETF Logo Mail Archive

Re: [DNSOP] Terminology: "primary master"

Paul Vixie <paul@redbarn.org> Fri, 24 November 2017 23:51 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89551129434 for <dnsop@ietfa.amsl.com>; Fri, 24 Nov 2017 15:51:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I1sCJQoUbDCM for <dnsop@ietfa.amsl.com>; Fri, 24 Nov 2017 15:51:56 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7E87129431 for <dnsop@ietf.org>; Fri, 24 Nov 2017 15:51:56 -0800 (PST)
Received: from [10.1.10.138] (50-255-33-26-static.hfc.comcastbusiness.net [50.255.33.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 46A1561FA2; Fri, 24 Nov 2017 23:51:56 +0000 (UTC)
Message-ID: <5A18B098.3050100@redbarn.org>
Date: Fri, 24 Nov 2017 15:51:52 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.20 (Windows/20171012)
MIME-Version: 1.0
To: Joe Abley <jabley@hopcount.ca>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
References: <20171123.121943.1115399549648860645.he@uninett.no> <34F896BC-B044-4E46-AC60-8562A8BE782F@hopcount.ca> <alpine.DEB.2.11.1711231740240.4416@grey.csi.cam.ac.uk> <5562271920774233970@unknownmsgid> <5A171818.4080507@redbarn.org> <8978397E-B39F-415C-9F72-F675818A41CC@hopcount.ca>
In-Reply-To: <8978397E-B39F-415C-9F72-F675818A41CC@hopcount.ca>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tcqQXSaom3COMmbaX6dq5cX-dFM>
Subject: Re: [DNSOP] Terminology: "primary master"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Nov 2017 23:51:58 -0000


Joe Abley wrote:
> Hi Paul,
> ...
> I presume you mean existing, not extant. ...

yes. thanks for understanding what i mean in spite of what i said.

> The principal challenges I have seen using a non-trivial transfer
> graph with NOTIFY and [AI]XFR are when a pair of candidate masters for a
> particular slave each receive a new revision of a particular zone at a
> different time. The one that receives it first sends NOTIFY messages to
> its slaves; if slaves don't use the NOTIFY source to select the master
> subsequently used to send SOA queries and [AI]XFR requests to (and it is
> normal not to in many/most/all widely-used implementations) there is a
> chance they will talk to the master that hasn't yet been updated and
> hence not retrieve the new revision of the zone. Presumably all masters
> update eventually, however, so normality will eventually be restored.

first let's clarify that this can't happen between the PM and its DM's,
because in my example, the PM was HA. i do know that not all NOTIFY
responders will try-first the server who sent them the NOTIFY, and that 
this can result in not learning a new serial number after a NOTIFY. the
BIND4 version of the NOTIFY code did this correctly, but i'm guessing
that RFC 1996 was not as clear on this topic as it might have been.

my preferred solution to this woe is to fix the NOTIFY responders, but 
as we know this is often outside our powers. my actual solutions to this 
have been to either delay all NOTIFY's for some amount of time that's 
long enough to get the DM's to all settle, and make sure that the 
settle-time is as short as i can make it. or better still, give the 
slave-operators only one address for "zone master", and anycast that one 
to get redundancy.

as an aside, the computed random delay-before-notify was not specified 
as a way to get a longer settling time; it was just to prevent all of 
the recipients of a NOTIFY-burst from doing their AXFR's in parallel. 
this was damnfoolishness related to BIND4's "fork on AXFR" logic, and i 
deeply regret it. 1996 was my first RFC and it shows.

> The state involved in processing NOTIFY messages, especially when
> there's loss in a path somewhere which triggers timeouts, back-off and
> retransfer, can be painful to manage at scale. I have seen some abuse of
> the specification in the form of fire-and-forget NOTIFYs to avoid the
> state problem (discard NOTIFY responses received and never attempt to
> retry sending, assuming that if ours didn't get through a NOTIFY from
> another master probably will).

alas, many operators solve only the problem they know they're having, 
without regard to the ones they don't know about, and without regard for 
the problems their solutions might cause for others. "monkey DNA".

> Davey Song described a scenario that played out in the Yeti project
> where multiple masters each serving zones that were equivalent but
> different caused problems to downstream IXFR clients. The zones were
> equivalent in the sense that they only differed in RRSIGs -- each server
> used a local ZSK, corresponding properly to an RR in the DNSKEY RRSet,
> to sign all the non-DNSKEY RRSets -- but different in the sense that the
> RRSIGs were different, so really they were different zones with the same
> origin. IXFR clients got confused, which I think in retrospect was
> probably to be expected. This feels like the kind of scenario that Tony
> was talking about in his earlier message in this thread.

yeti is probably a degenerate non-teaching corner case. since it deals
with the root zone, we had to politicize the design -- there are three
DM's whose only shared data is the IANA source zone they start with, and 
the KSK they sign ZSK's with. we had to avoid annointing any one party 
as having a special relationship to root-like zone data. this is 
unlikely to be a problem for anyone else or for any other zone.

>>see http://family.redbarn.org/~vixie/mz.pdf ...

> I used an earlier version of that back in the day, as you might
> remember. Pretty much everything I've been involved in since then has
> used out-of-band provisioning of zone targets though, using devopsy
> automation tools (ansible, chef, puppet) or provisioning databases that
> were replicated independently of the DNS.

that's what a lot of the professionals do. however, i won't recommend 
technology that hasn't been documented and tested for interoperability, 
portability, and lack of IPR encumbrance.

> One notable exception used
> supermasters in PowerDNS, which you could call in-band (but still a
> different approach from
> metazones)

MZ was influenced by BIND, and only implemented for BIND, but was meant 
to be name-server independent. i would like to see something like this 
gain broad industry traction, so that we can all spend our time solving 
things that somebody else hasn't already solved.

-- 
P Vixie

v2.23.0 | Report a Bug | By Email