Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?
Bob Harold <rharolde@umich.edu> Thu, 11 April 2019 13:48 UTC
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 280801202CC for <dnsop@ietfa.amsl.com>; Thu, 11 Apr 2019 06:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x6T0b5uxT6fj for <dnsop@ietfa.amsl.com>; Thu, 11 Apr 2019 06:48:35 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 452E41202E2 for <dnsop@ietf.org>; Thu, 11 Apr 2019 06:48:34 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id l7so5588858ljg.6 for <dnsop@ietf.org>; Thu, 11 Apr 2019 06:48:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0zxnddxYkeGT47fbYWFSgtdR2pdSjQOW41ADq08+kEk=; b=D5p3flpkuoFPSIHAOUOPNW+RjmT+cYD9WH4LWqjd1CHbTkhIXnBx85/ZVX0jsOAUfH U0ZsFRm4bBZvx2ym6qSO7kdAvaLzNB3ITaUzjpw1c3kuN9UIsVzCkAvU2ZSySkBI7gQo vPwcgdHW0Q579qpKfHb/XV1POgmfIt8WivuytFdA2emDDs458yAUB7yGlDlqIAhLjVfg OqevMxKZpy5MCNzeF1kcaNt5LfrcrDe1VX1MU0Qszvt9+Y6t4cO3h50VG2wvlKzsEhUs lOPzKJJSF3YY7dEz8Bn5GkyNhP4hDBXLCSF5AMuqysPrBBnQCJgw2bO8OYy3UsfbNo/T 0nDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0zxnddxYkeGT47fbYWFSgtdR2pdSjQOW41ADq08+kEk=; b=pw8zgaHUXvnj5J+j9nxOEYQujU34KpRe699h4/sh4ByRXXR2ToNrvJIzCyxVK+JZxT w6JYu92ic3mDQUnuG16F0SqZ6ziE/Y/EKYsZEJsO7pXEEjBdw8eaFqUfV7jZoWu4X1kn Jxll0vxoyfTH9N0zZhP7LuVsmZs3N6bnSI8+2/DUF5gffEvaEC9XERvnGAf43k7ebVBD vpPq7oc+j2dDeeo7MeyHLdHsVH4x9HFS2qBAx34W5ZkKUQMf/45jMfuKfwvf338wiXm2 2T0eacV0bhKxw+glVGSDlPrVEdoIIfRty2dJT4JEiJS8G/AqvOFWZchTEtVDtw4uEGR2 9J6g==
X-Gm-Message-State: APjAAAXt5MDIfD0q+acxarxjlJEkkPuXgMFIhUq5c7wOu3vc9EVIeKm5 V6cZ7peONqjGIGZDNWENoTP4bM4Wor45CiXUg8E8kA==
X-Google-Smtp-Source: APXvYqypxVdB1Ifb07sYjDf3rNLXUw+ICu8e7KMEW3ox/wsVqaFNly/m3Grl5hFG7TXXzkNSAUM5ZwPaGUr4n/VPmVA=
X-Received: by 2002:a2e:9213:: with SMTP id k19mr12156356ljg.118.1554990512971; Thu, 11 Apr 2019 06:48:32 -0700 (PDT)
MIME-Version: 1.0
References: <d8ccad4a-cd0c-4c97-b4d7-2099657351dc@oracle.com> <CA+nkc8BM+mfTBm3XyOaZUF5hMg23t9aSY4nq4Y4=BQ-sjcjkVg@mail.gmail.com> <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com>
In-Reply-To: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com>
From: Bob Harold <rharolde@umich.edu>
Date: Thu, 11 Apr 2019 09:48:21 -0400
Message-ID: <CA+nkc8BenquOhpkdbv-6bntZ6NKnqfx_Cowiova7WGeWq_jZLw@mail.gmail.com>
To: Richard Gibson <richard.j.gibson@oracle.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000027b63d0586417188"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/y9MRmum-pQHGsrBZC87FEutA2fE>
Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 13:48:38 -0000
On Wed, Apr 10, 2019 at 4:42 PM Richard Gibson <richard.j.gibson@oracle.com> wrote: > Responses below. > On 4/9/19 16:04, Bob Harold wrote: > > If it gets an authoritative answer saying that there are no address > records, then it should respect that answer. If that is incorrect, then > whatever gave that answer is broken or misconfigured and should be fixed. > > Perhaps I am missing something. In what cases can you imagine getting a > response with no errors and no records? > > Misconfiguration is precisely the case, but quite possibly > misconfiguration in the zone of *target* records as opposed to the zone > containing the ANAME. And there are two problems with respecting that > [negative] answer. > > The first problem is for the owner of the ANAME-containing zone, for whom > the upstream misconfiguration will result in downtime and be extended by > caching to the MINIMUM value from their SOA, which in many cases will be > one to three orders of magnitude greater than the TTL of the ANAME itself. > > The second problem is for the query originator and their ANAME-aware > resolver, which will be forced to resolve the SOA of the ANAME-containing > zone in order to issue a proper RFC 2308 Type 2 NODATA response > <https://tools.ietf.org/html/rfc2308#section-2.2.1>—and such resolution > must take place synchronously, tying up resolver resources and increasing > end-user latency (insignificantly when the SOA is already cached, > significantly when it is not). > > Both of these problems can be addressed by allowing/recommending/requiring > ANAME-aware servers to preserve ANAME siblings when resolution of ANAME > targets results in NXDOMAIN or NODATA responses, rather than replacing them > with an empty RRSet... which, to be honest, seems to be always-undesirable > behavior anyway—if anyone can think of a scenario where it would be > *beneficial* to dynamically remove ANAME siblings, please share it. > Fair enough. I would rather solve the long MINIMUM problem in general, rather than only for this specific case. But here was have a fairly easy source of backup answers, so it will be easier than a general solution. I don't like it, but I see your point. As for when we might want an NXDOMAIN answer, perhaps: CDN is overwhelmed or web servers are all down, so stop users from trying to connect. Or server changes and we don't want users to fall back to old, incorrect addresses. -- Bob Harold
- [DNSOP] What should ANAME-aware servers do when t… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Bob Harold
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Bob Harold
- Re: [DNSOP] What should ANAME-aware servers do wh… Matthew Pounsett
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Matthew Pounsett
- Re: [DNSOP] What should ANAME-aware servers do wh… Tony Finch
- Re: [DNSOP] What should ANAME-aware servers do wh… Matthijs Mekking
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Joe Abley
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson