IETF Logo Mail Archive

Re: [DNSOP] Authoritative servers announcing capabilities

Joe Abley <jabley@hopcount.ca> Sat, 12 September 2020 10:57 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8B23A0D75 for <dnsop@ietfa.amsl.com>; Sat, 12 Sep 2020 03:57:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1haYZCI5Hnp7 for <dnsop@ietfa.amsl.com>; Sat, 12 Sep 2020 03:57:40 -0700 (PDT)
Received: from mail-qv1-xf42.google.com (mail-qv1-xf42.google.com [IPv6:2607:f8b0:4864:20::f42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEFB13A0D81 for <dnsop@ietf.org>; Sat, 12 Sep 2020 03:57:39 -0700 (PDT)
Received: by mail-qv1-xf42.google.com with SMTP id z18so6521845qvp.6 for <dnsop@ietf.org>; Sat, 12 Sep 2020 03:57:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=content-transfer-encoding:mime-version:subject:from:in-reply-to:cc :date:message-id:references:to; bh=KexJp31LfRDQm0NYw/ZQ0q442AwKXZiFWfG1xSI6m1o=; b=RkQN6TpPkXo0YZnaWaicTGu8U47iNViX7LMFENEdoHsbsQ1WuVjWw1kQF/fkkI0L3C 9BsvWbVSvcTOZ4HJTOpYnrniCFBnQtObjjPhjiR8WIsP0J8iW8l8f7NYqrTNi9os9eRc H8d6IcmNnj3arFma/x4DhizMbwCasI/zeUhbI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:mime-version:subject :from:in-reply-to:cc:date:message-id:references:to; bh=KexJp31LfRDQm0NYw/ZQ0q442AwKXZiFWfG1xSI6m1o=; b=hQ9lZMvi7PGYDee2d42nyLuZl4S6i94SyCGlkjJZF8tbyDkVZUC7aIXZE+3n2nsDOe 3ALl3AvBdlGlYVaK0+CkzbjbmoukgZDn3AmSiIdk9P93jMgEe0SBtMkU+jYrFn+Wej9i C7cnxXSoirKDiU8G0V6uRlEI0Ri+kEr1/E0lB0PVlRzOEaGJa9c5DnXMWC2BAcekHpyh U5FuL15L0DNzhupeEotVHZ3PSpB5Eu53RY3AjvmFWR222EFxZ2nw+kEArVE96dFL1hPZ kde8r4JvFiArXVBtdjsXqhlqXJW9PYJHHNZp+pqjNZ5QZmXnNZhm77sviarC6OpT+aOI kIAw==
X-Gm-Message-State: AOAM532ZhJRXri/A7tp5+mYConFkfCrt4ltxI7h7nrySvBz9oxikWFK4 8WiLZ6VRxYM3ZXQPgR3kuZU4BCu82rFUMn/g
X-Google-Smtp-Source: ABdhPJyk53iJFaUolhnUReI41fw7sqes8ky/uss1dtNg2jvxMBWGTIV/BFFbHZvv1j22/N5L+rE3aQ==
X-Received: by 2002:a0c:9e04:: with SMTP id p4mr4989693qve.30.1599908258253; Sat, 12 Sep 2020 03:57:38 -0700 (PDT)
Received: from localhost.localdomain ([199.167.24.149]) by smtp.gmail.com with ESMTPSA id m1sm6430129qkn.89.2020.09.12.03.57.36 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 12 Sep 2020 03:57:37 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <20200912004747.62kehhyez3fxyez5@family.redbarn.org>
Cc: Mark Andrews <marka@isc.org>, dnsop@ietf.org, Patrick Mevzek <mevzek@uniregistry.com>
Date: Sat, 12 Sep 2020 12:57:28 +0200
Message-Id: <2E8CCF6F-743C-42C8-B1F8-18C1E15F59B5@hopcount.ca>
References: <20200912004747.62kehhyez3fxyez5@family.redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: iPad Mail (18A5373a)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uFQfAIkSDs15QKeWQjgEt4nRxuA>
Subject: Re: [DNSOP] Authoritative servers announcing capabilities
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2020 10:57:43 -0000

On Sep 12, 2020, at 02:47, Paul Vixie <paul@redbarn.org> wrote:

> On Sat, Sep 12, 2020 at 09:40:11AM +1000, Mark Andrews wrote:
>> and why is it a RR type at all.  An EDNS option or a opcode is better suited
>> for this sort of thing.
> 
> +1.

Plus lots. See below for TL;DR.

Operational reality is that there are often a different set of nameservers authoritative for the zone than are anticipated by whomever is responsible for the zone contents. Examples are mismatches between NS RRSets above and below the zone cut, and people opportunistically serving zones from from their own authoritative servers for their own local reasons (e.g. RFC 8806).

It's not reasonable to assume that all authoritative servers for any particular zone have the same server characteristics. Almost by definition, different servers live in different places with different local conditions in all layers up to and beyond 9, operated by different people with no existing requirement to centralise operational changes with the people responsible for zone data. To address the example given in the draft, it's ok some authoritative servers for a zone support ECS and others do not; some will give ECS-specific answers and some will not. Clients will still get answers. More generally, if the goal is a general mechanism that might be used to describe as-yet-unknown characteristics about a server, it ought to allow individual servers to be described.

It's not reasonable to assume that an individual hostname as exposed in a single NS RR corresponds to a single server. Authoritative servers are routinely provisioned as clusters or anycast clouds, and the details of what individual server might look like can change between successive queries.

It's always possible to imagine a very simple set of authoritative servers for a particular zone which would not run into these kinds of problems. However, such a mechanism would fail in exciting ways for pretty much any zone you can imagine that sees any real traffic. High-traffic zones with twitchy end-users are not usually provisioned in onto static, simple sets of authoritative servers.

If there is to be a general mechanism that describes the characteristic of an individual authoritative server, it ought to be one that embeds information in a specific response in such a way that it will never normally be cached.

Whether there is a convincing use-case for such a mechanism is a separate question. The example given in the draft does not seem very convincing, simply because there is an existing mechanism to achieve the same thing (see RFC 7871 section 7.2.1).


Joe

v2.23.0 | Report a Bug | By Email