Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex

Warren Kumari <warren@kumari.net> Fri, 22 June 2018 19:27 UTC

References: <b73f3dc7-b378-d5d8-c7a2-42bc4326fbae@nic.cz> <alpine.DEB.2.11.1806191428250.916@grey.csi.cam.ac.uk> <691FC45D-E5B6-4131-95BF-878520351F3A@gmail.com> <bf0ba568-1a18-f8cf-c1a0-3f547d642a78@bellis.me.uk> <0438207E-A4C2-434D-9507-9D9F54765CFB@puck.nether.net> <alpine.DEB.2.11.1806191649350.916@grey.csi.cam.ac.uk> <9a0d1bae-dc58-99b5-40d1-caa7737dbfb1@bellis.me.uk> <1B7B2BB4-F0AE-4188-B89B-DF032BE7A237@automagic.org> <CAHw9_iKWhRjK6yzSSWVsCBqjdVfTnzVkUh8PMYC5nwQUb_=yvw@mail.gmail.com> <20180622191334.GA15349@jurassic>
In-Reply-To: <20180622191334.GA15349@jurassic>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 22 Jun 2018 15:26:46 -0400
Message-ID: <CAHw9_iLN0w=k0hZLsOCJXnA58afACuzxgXdYPPEn_HShm6Q4aw@mail.gmail.com>
To: muks@mukund.org
Cc: jabley@automagic.org, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Ray Bellis <ray@bellis.me.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wfMfWdi097gPr0TV5Jh6PBNENLY>
Subject: Re: [DNSOP] abandoning ANAME and standardizing CNAME at apex
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

On Fri, Jun 22, 2018 at 3:13 PM Mukund Sivaraman <muks@mukund.org> wrote:

> On Fri, Jun 22, 2018 at 03:02:35PM -0400, Warren Kumari wrote:
> > On Fri, Jun 22, 2018 at 8:57 AM Joe Abley <jabley@automagic.org> wrote:
> >
> > > On 19 Jun 2018, at 17:03, Ray Bellis <ray@bellis.me.uk> wrote:
> > >
> > > > On 19/06/2018 17:44, Tony Finch wrote:
> > > >
> > > >> SRV should have been part of the fix (and it was invented early
> > > >> enough to be!) but it wasn't a complete fix without support from the
> > > >> application protocols.
> > > >
> > > > AIUI, a large part of the supposed issue with SRV was the inertia of
> > > > the installed base of browsers that wouldn't know how to access them.
> > > >
> > > > Ironically the proposed fix seems to require upgrades to the
> > > > installed base of one of the most important network infrastructure
> > > > services on the planet.
> > > >
> > > > Meanwhile, a very large portion of the installed base of web browsers
> > > > gets automatically and silently upgraded every month or so...
> > >
> > > I think so long as there's a fallback for clients that don't yet have
> > > SRV implemented (e.g. publish A/AAAA RRSets at the same owner name as
> > > the SRV RRSet, and specify the behaviour by SRV-compliant servers in
> > > the event that both are present) this is not a plausible engineering
> > > argument.
> > >
> > > Processing an SRV might require additional DNS lookups to get name ->
> > > SRV -> SRV target -> address, but that's a one-time hit per TTL and I
> > > think it's a stretch to paint that as definitely a problem. Modelling
> > > is required and worst cases remain to be understood.
> > >
> >
> > It certainly is the case that a number of browser / large web
> > properties have stated that an additional DNS lookup is a price that
> > they are not willing to pay, especially for something not "critical".
> >
> > I believe that this also would require firing off simultaneous lookups
> > for SRV along with the A and AAAA (or, even worse, firing off a SRV,
> > waiting for the "noerror" error and *then* trying for the A / AAAA) and
> > waiting for the long tail before you even know if you need to resolve
> > the target.
>
> With additional-from-cache (default on), BIND will return the address of
> the target of the SRV if it is already in cache. The second RTT will get
> amortized. It won't take a lot to make it fetch and return the target
> too, if it isn't found in cache.
>
>
Ah, fair nuff.
I had tested this against a local bind instance, but didn't think to
manually trigger the target lookup to get it into the cache.

After doing so, it does indeed stuff it in the additional section.

I'm not sure if my host (OS X) will make use of it, but that's a local
issue...

W



dig -t srv _xmpp-server._tcp.crab.im

; <<>> DiG 9.11.1-P3 <<>> -t srv _xmpp-server._tcp.crab.im
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56937
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 93617acb30a0870d29a435625b2d4c107cbf4333363923bb (good)
;; QUESTION SECTION:
;_xmpp-server._tcp.crab.im.     IN      SRV

;; ANSWER SECTION:
_xmpp-server._tcp.crab.im. 300  IN      SRV     10 0 5269 malganis.fleshless.org.

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d54c5241ef721df5f76b0d7e5b2d4c188a89ef7e1293b2c4 (good)
;; QUESTION SECTION:
;_xmpp-server._tcp.crab.im.     IN      SRV

;; ANSWER SECTION:
_xmpp-server._tcp.crab.im. 292  IN      SRV     10 0 5269 malganis.fleshless.org.

;; AUTHORITY SECTION:
crab.im.                259191  IN      NS      ns1lmy.name.com.
crab.im.                259191  IN      NS      ns4htz.name.com.
crab.im.                259191  IN      NS      ns3cgw.name.com.
crab.im.                259191  IN      NS      ns2fkr.name.com.

;; ADDITIONAL SECTION:
ns1lmy.name.com.        292     IN      A       162.88.61.47
ns2fkr.name.com.        292     IN      A       162.88.60.47
ns3cgw.name.com.        292     IN      A       162.88.61.49
ns4htz.name.com.        292     IN      A       162.88.60.49

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 22 15:20:56 EDT 2018
;; MSG SIZE  rcvd: 280

root@ron[0]:/etc/namedb# dig -t srv _xmpp-server._tcp.crab.im @localhost

; <<>> DiG 9.11.1-P3 <<>> -t srv _xmpp-server._tcp.crab.im @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64703
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;malganis.fleshless.org.                IN      A

;; ANSWER SECTION:
malganis.fleshless.org. 299     IN      A       176.9.22.146

;; Query time: 110 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 22 15:21:51 EDT 2018
;; MSG SIZE  rcvd: 67

root@ron[0]:/etc/namedb# dig -t srv _xmpp-server._tcp.crab.im @localhost

; <<>> DiG 9.11.1-P3 <<>> -t srv _xmpp-server._tcp.crab.im @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47059
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 58159e9daff595240cd3d0d45b2d4c53ea5cc1bb748254a9 (good)
;; QUESTION SECTION:
;_xmpp-server._tcp.crab.im.     IN      SRV

;; ANSWER SECTION:
_xmpp-server._tcp.crab.im. 233  IN      SRV     10 0 5269 malganis.fleshless.org.

;; AUTHORITY SECTION:
crab.im.                259132  IN      NS      ns2fkr.name.com.
crab.im.                259132  IN      NS      ns3cgw.name.com.
crab.im.                259132  IN      NS      ns1lmy.name.com.
crab.im.                259132  IN      NS      ns4htz.name.com.

;; ADDITIONAL SECTION:
malganis.fleshless.org. 295     IN      A       176.9.22.146
ns1lmy.name.com.        233     IN      A       162.88.61.47
ns2fkr.name.com.        233     IN      A       162.88.60.47
ns3cgw.name.com.        233     IN      A       162.88.61.49
ns4htz.name.com.        233     IN      A       162.88.60.49

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 22 15:21:55 EDT 2018
;; MSG SIZE  rcvd: 296




> [muks@jurassic ~]$ dig -t srv _xmpp-server._tcp.conference.banu.com
>
> ; <<>> DiG 9.11.3-RedHat-9.11.3-4.fc27 <<>> -t srv _xmpp-server._tcp.conference.banu.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42270
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 0578a97e07ef62a47b1993205b2d491527ff6b5b4672bea0 (good)
> ;; QUESTION SECTION:
> ;_xmpp-server._tcp.conference.banu.com. IN SRV
>
> ;; ANSWER SECTION:
> _xmpp-server._tcp.conference.banu.com. 3543 IN SRV 0 0 5269 jabber.banu.com.
>
> ;; AUTHORITY SECTION:
> banu.com.               3003    IN      NS      ns2.akira.org.
> banu.com.               3003    IN      NS      ns1.banu.com.
>
> ;; ADDITIONAL SECTION:
> jabber.banu.com.        3599    IN      A       46.4.129.229
> ns2.akira.org.          3004    IN      A       46.4.129.253
> ns1.banu.com.           3003    IN      A       46.4.83.135
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jun 23 00:38:05 IST 2018
> ;; MSG SIZE  rcvd: 222
>
> [muks@jurassic ~]$
>
>                 Mukund
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
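The client-side counterpart to what Mukund describes above, as an added example that is not code from the thread, from BIND or from any of the participants: a client that parses the response to an SRV query and, when the resolver has placed the target's A/AAAA records in the additional section, uses them instead of issuing the second (target -> address) lookup, while reporting the targets that still need their own query. The response it parses is constructed in-line from the records in Warren's dig output plus a hypothetical second target (backup.example.); nothing is sent on the network. The check that only accepts additional records for the SRV target names is the practitioner's caveat here: unsolicited records in that section are what additional-section cache poisoning relies on, so a client should ignore, not cache, anything it did not ask for.

```python
"""SRV client that consumes additional-section addresses (added example)."""
import socket
import struct

TYPE_A, TYPE_AAAA, TYPE_SRV = 1, 28, 33
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, next offset)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:              # compression pointer, RFC 1035 4.1.4
            if not jumped:
                end = off + 2                    # caller resumes right after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:                        # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_sections(msg):
    """Split a response into answer/authority/additional lists of
    (owner, type, class, ttl, rdata_offset, rdlen)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                 # skip QTYPE + QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, rclass, ttl, off, rdlen))
            off += rdlen
        sections[key] = rrs
    return sections


def resolve_srv(msg):
    """Return (targets, addrs, pending): SRV targets in priority order, the
    addresses the additional section supplied for them, and the targets the
    client must still look up with a separate A/AAAA query."""
    sections = parse_sections(msg)
    targets = []
    for owner, rtype, rclass, ttl, roff, rdlen in sections["answer"]:
        if rtype == TYPE_SRV and rclass == CLASS_IN:
            prio, weight, port = struct.unpack("!HHH", msg[roff:roff + 6])
            target, _ = read_name(msg, roff + 6)
            targets.append((prio, weight, port, target.lower()))
    targets.sort(key=lambda t: (t[0], -t[1]))    # lowest priority first, heavier weight first
    wanted = {t[3] for t in targets}
    addrs = {}
    for owner, rtype, rclass, ttl, roff, rdlen in sections["additional"]:
        # Accept additional data only for the SRV target names; anything else
        # (e.g. the nameserver glue, or a poisoning attempt) is ignored.
        if owner.lower() not in wanted or rclass != CLASS_IN:
            continue
        if rtype == TYPE_A and rdlen == 4:
            addrs.setdefault(owner.lower(), []).append(
                socket.inet_ntop(socket.AF_INET, msg[roff:roff + 4]))
        elif rtype == TYPE_AAAA and rdlen == 16:
            addrs.setdefault(owner.lower(), []).append(
                socket.inet_ntop(socket.AF_INET6, msg[roff:roff + 16]))
    pending = [t for t in targets if t[3] not in addrs]
    return targets, addrs, pending


def build_sample_response(with_target_glue=True):
    """Constructed response to `_xmpp-server._tcp.crab.im. SRV`, modelled on the
    thread's dig output; backup.example. is a hypothetical second target."""
    question = encode_name("_xmpp-server._tcp.crab.im.") + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    ptr_q = b"\xC0\x0C"                          # owner = pointer to the question name at offset 12

    def rr(owner, rtype, ttl, rdata):
        return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

    srv1 = rr(ptr_q, TYPE_SRV, 300, struct.pack("!HHH", 10, 0, 5269) + encode_name("malganis.fleshless.org."))
    srv2 = rr(ptr_q, TYPE_SRV, 300, struct.pack("!HHH", 20, 0, 5269) + encode_name("backup.example."))
    target_off = 12 + len(question) + 2 + 10 + 6  # where the first target name sits, for a pointer
    glue = rr(struct.pack("!H", 0xC000 | target_off), TYPE_A, 295, socket.inet_aton("176.9.22.146"))
    unrelated = rr(encode_name("ns1lmy.name.com."), TYPE_A, 233, socket.inet_aton("162.88.61.47"))
    additional = (glue if with_target_glue else b"") + unrelated
    header = struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 2, 0, 2 if with_target_glue else 1)
    return header + question + srv1 + srv2 + additional
```

With the glue present, `resolve_srv` returns the address for malganis.fleshless.org. straight from the additional section and lists only backup.example. as pending; without it, both targets are pending and the client is back to the extra round trip Warren worries about. The ns1lmy.name.com. record is present in both cases and is never used, because it is not a name the SRV answer pointed at.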