Re: [DNSOP] ANAME loop detection
Matthew Pounsett <matt@conundrum.com> Thu, 04 July 2019 12:32 UTC
Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F095212061C for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 05:32:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id chJk4x_SBGed for <dnsop@ietfa.amsl.com>; Thu, 4 Jul 2019 05:32:39 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78BE712006D for <dnsop@ietf.org>; Thu, 4 Jul 2019 05:32:39 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id m24so3036268ioo.2 for <dnsop@ietf.org>; Thu, 04 Jul 2019 05:32:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qvV4Gi2aI0VRmDMGPjuJzl66T83Mqa99QwKk2xEudIE=; b=ZRpv8cuDB+W/1TZ03A0LbEA9wHLYnAPAno9+O/HMDIaIckf5MdhW7foviaWGifjsWN tvF2ogpaQ0rUjEk3XayPbqAehDtAa2VXEt7CitxD9arvmtfy2V/ur63PjQs8P4qKH+Dq 1i+5F/Omh24Kq9IESKmfGxnSP+T4ne0uF2CrPkACE1b61QHz7jcsRfrCONEgKZ5t4XUv 8dhjdYhdUbQyBDTB09kOnCIXoR8zaSn2nCdLuH8cvzu9MmMBrM4f02zly3rweea/K2rN w5qkHgK8r4ro93QF0qIQ0HSIiheShOEIkXRO+934o8GCBubKxzPOzT3BlPCadVtqaJ23 E/aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qvV4Gi2aI0VRmDMGPjuJzl66T83Mqa99QwKk2xEudIE=; b=IinwQoZkwN4BoUpSs8NYXKKj8912SNDpw7/t5v+W5N+Dhe2JbToLiPJ1RcULOwV2tE ENHiEEdPyfJCIQFtyEBshY7ECVNlZ/Nsj5URNWCIyNQoUgMg4iiDScNAYoISOiH9175J 6gusuV/LpbvKKu9xbjJVNFBoVpo4YYOklS7JjORLrQTfGAH46rzqGAEoFxn9vNtnc6VQ OhBLeqpiWNKs6qn0/YZarn0DKN09+Fzfv/OoqDRNxU5iEmpkJ35doboYEBCskNHUqrg8 4jaMUNFU/p16PWeLYLnjepAw8muFr1eCBpkPniSVQsWysci+X68jvLGtuxH+Cq9EvHMy pOhg==
X-Gm-Message-State: APjAAAWCCQU8xBxr+aijB7rbNstV8x0y8/laQR7GfMBaek9O09LbkNIY QwdTZUkp5HH0a51idcpBTZt5XZD3y6oXdBq/h6zvC2p//4Q=
X-Google-Smtp-Source: APXvYqxVNmuJiAYXBqDML5HJHhZSCo3njvHkSfKHAbGg7TzCYH91020CZ3xh7RdmB7otqPJyzyA6vDIEC2F95V5EAIs=
X-Received: by 2002:a6b:641a:: with SMTP id t26mr9157019iog.3.1562243558560; Thu, 04 Jul 2019 05:32:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAM1xaJ9txy98s5Y+Sq5T5N1KaD-LvtrDTut=mUomjHFwTvWnDg@mail.gmail.com> <a4137531-7641-34f2-6443-1cd904b485e3@pletterpet.nl>
In-Reply-To: <a4137531-7641-34f2-6443-1cd904b485e3@pletterpet.nl>
From: Matthew Pounsett <matt@conundrum.com>
Date: Thu, 04 Jul 2019 08:32:27 -0400
Message-ID: <CAAiTEH8v4MqpOvvKzLCeY=3NL8UrY5=LehxXy_JVtAt48muMrw@mail.gmail.com>
To: Matthijs Mekking <matthijs@pletterpet.nl>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005c7f6a058cda2c0c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/x_wZdoUE1VIK1Ul2M5IkZjgNz84>
Subject: Re: [DNSOP] ANAME loop detection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jul 2019 12:32:42 -0000
On Thu, 4 Jul 2019 at 05:54, Matthijs Mekking <matthijs@pletterpet.nl> wrote: > > > > 1. EDNS "do not follow ANAME" option: The requester would indicate > > that it is capable of following ANAME and that the server receiving > > the query should not include the ANAME sibling address records. The > > loop detection would then work exactly the same ways as with CNAMEs. > > This would be an easy addition I think, however I thought the "do not > follow ANAME" option actually meant "really don't do a target lookup I > can do it myself". The authoritative server can still send the sibling > address records that are placed in the zone, they can be used if the > requester fails to perform the ANAME target lookup (for example due to a > network error or outage). > > Furthermore, a service provide receiving such a request might want to > ignore it if it feels strongly it should hand out more appropriate > addresses than the sibling records (basically because that is the > service they provide their customers, will they rely on an EDNS option > from the requester saying "no really I can do this"?). > I would say they should rely on that. Why shouldn't they? Isn't our goal to get downstream servers to adopt the extension and do their own lookup? The server-side lookups and sibling records are bolt-ons to handle the adoption period. Remember, this record is geared toward customers of CDNs being able to do get similar behaviour to: www.example.com. IN CNAME webfarm.cdn.net. at the apex of example.com. That was the original problem we're trying to solve. I read your statement above about "the service they provide their customers" being about the CDN resolving webfarm.cdn.net, which most CDNs can already do within their own infrastructure. Sending out the sibling records in the presence of this EDNS option might make sense as a backup, since that is low effort on the part of the authoritative, but a declaration by the querying server that it understands ANAME and is prepared to do its own lookups should be trusted by the authoritative server, and it should not to recursive lookups. To take that further, why would the authoritative server believe that the results of any lookups it does would not be thrown away? This EDNS option should also be useful to recursive servers that understand ANAME, and are planning to do their own ANAME resolution. They can get their answer from the authoritative server much faster this way. This is also a way to measure adoption. As the ratio of "EDNS do not follow ANAME" queries to total ANAME queries approaches 1.0, we know that adoption has been successful. Maybe we could even begin to deprecate authoritative resolution (of ANAMEs) at that point, and begin to get back to something that looks more like plain CNAME. I would suggest that better EDNS semantics would be just "I understand/support ANAME". That gets the desired information across without the sense of sending a command to the upstream server. Option #2 gets similar behaviour but at the cost of additional lookups. #3 and #4 don't work well in the presence of server farms.
- [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Matthew Pounsett
- Re: [DNSOP] ANAME loop detection Shane Kerr
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Tony Finch
- Re: [DNSOP] ANAME loop detection Matthew Pounsett
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Shane Kerr
- Re: [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Matthijs Mekking
- Re: [DNSOP] ANAME loop detection Jan Včelák
- Re: [DNSOP] ANAME loop detection Paul Vixie