Re: [dnssd] Interaction between a DNS server and Discovery Proxy on the same host - where to describe?
Ted Lemon <mellon@fugue.com> Mon, 18 July 2022 16:34 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE653C14F74E for <dnssd@ietfa.amsl.com>; Mon, 18 Jul 2022 09:34:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h6Z68j9_Mxt3 for <dnssd@ietfa.amsl.com>; Mon, 18 Jul 2022 09:34:54 -0700 (PDT)
Received: from mail-oa1-x36.google.com (mail-oa1-x36.google.com [IPv6:2001:4860:4864:20::36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3841DC14F721 for <dnssd@ietf.org>; Mon, 18 Jul 2022 09:34:53 -0700 (PDT)
Received: by mail-oa1-x36.google.com with SMTP id 586e51a60fabf-10c0d96953fso25161145fac.0 for <dnssd@ietf.org>; Mon, 18 Jul 2022 09:34:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XyOTEHSJfa9/fXg8zETnYXSMIsczcumRcidi4nNKAyc=; b=5EQ4QJbJ9/RWFhrA/O3H1EPHnFmdgoPONnvgZnsgRFSN0bJMX1gqsdYekkaFrc/pXC YF8lG4MzJ+GoTd+Hn5MG+zMuTLj7U8VIvyie0Ab0HYUED2vggqO6Ok3Ur4wYVrJY0MR2 W0UZTYHioAm9fa3ySw9E1WAGxk3ra249rGdhRE7OjXY9N40SSraDDLewEqQw7+tSx/J1 YdCDmIPTwNdonQXWGEmOC8rTVZSRDO1HJ5bWLGUWaU3pMAj2zosCR/3v8QTFeQ47zB8X f6w44J5Dw8nygargqYSQKRLks0SbLafeXorV9kYEIpXbTHTYdp2PSJIojWN+R6Q+iaFN IWEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XyOTEHSJfa9/fXg8zETnYXSMIsczcumRcidi4nNKAyc=; b=i4BItD3a4mFGM+dB/SLEjTKp/xxUUv1UKm1M/iij4ArMDKa0WVQFFaTxCjFcdy/oXn bX+WR+F0Uqf9SEGAT7ipvcXpqztXG/IwHvzLAtI2a/JdVRDP/hRfaxFgFBnV6WWElM07 UeuF+AOCrNA3EIVD/hAQy3Mewhdm3dS7XMtPAtBb8DqF69mOQ3+EMS55PSfoDcAclD5c KsuSIK9IT0NQNqtQSYE9+/PChrDP3UJn+zW5gPVVb/TFlAR2tZQnuK8cLx4nkigCjbAJ txW+cH7xJlTpLUXNdNQKxNB6Qk4awGsQw/qDmZRjybRe889JJC479e5C90TnBrg2XGW9 eJ9A==
X-Gm-Message-State: AJIora9niWMI5LAkJTu5ryO9WGGA6ytNj+AL5LUOYbN6Z4GqNgQcJk+r GFqtlfa41YzGIrGiwfDcPqsaMtvBACIty+gq9NpeWXtX/M3ilYqS
X-Google-Smtp-Source: AGRyM1ub+fzQ0LhO/cavf757/frdHtYKQsg3O05U7698hduyCmvhLgCvLFIYOU7+WfIBwSSFoJJVttb7MBgZiEEbbcc=
X-Received: by 2002:a05:6870:f287:b0:109:d5fb:15be with SMTP id u7-20020a056870f28700b00109d5fb15bemr15154115oap.12.1658162091718; Mon, 18 Jul 2022 09:34:51 -0700 (PDT)
MIME-Version: 1.0
References: <DU0P190MB197807AC880A5E1AB18339B0FD8C9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DU0P190MB197807AC880A5E1AB18339B0FD8C9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 18 Jul 2022 12:34:16 -0400
Message-ID: <CAPt1N1kfVfCFnpfaxFVi8NdAtQ-4QgR-XvopQ=f0H_kAuY3dXA@mail.gmail.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: "dnssd@ietf.org" <dnssd@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007510d605e416f2fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/Rkh8JzPG8cQTnhVkFSDVKWI08pU>
Subject: Re: [dnssd] Interaction between a DNS server and Discovery Proxy on the same host - where to describe?
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2022 16:34:58 -0000
There's some text about this in the Advertising Proxy document. It's not clear to me that this is the right place for it, but it definitely needs to be described somewhere. To your question, I think that the behavior of the combined advertising proxy/auth server/DNS caching resolver/DNS proxy (!) looks a bit like the Discovery Broker that Stuart described here: https://datatracker.ietf.org/doc/html/draft-sctl-discovery-broker I haven't looked at that document in a long time, so I don't know if it does the job anymore, but the point is that in order for the behavior you're asking about to matter, we need for it to be the case that some DNS query asks a question that the DNS responder answers by synthesizing answers from a set of zero or more domains. For instance, a query for _hap._udp.default.service.arpa might be translated into a query for a set of domains, some of which would be served by regular DNS, some by an advertising proxy (which is effectively regular DNS) and some by a discovery proxy (which is not). It would make sense for the rules from the Discovery Proxy RFC to apply here: if there is information available to answer with, answer immediately. If not, issue queries as needed; as soon as some answer is available, send the response. Since there are multiple query sources, a negative response can't be taken to mean "answer negatively right away." But when all sources have answered negatively, then a negative response can be sent. The way this would likely work is that some data might be present locally (authoritative data) and this data is available for answering immediately. The Discovery Proxy has a cache, and data might already be in the cache; if so, this should be included in the response. I would say that this is true even if it means that the discovery broker doesn't have direct access to the Discovery Proxy cache, although that complicates things a bit. Similarly, we probably ought to do the DNS query and wait a reasonable amount of time for a response, for non-local data. Otherwise, we are preferring the authoritative data, and it's not clear that's what we should do. But we should definitely answer quickly, and not wait for six seconds for a response as is recommended in the Discovery Proxy document, if some data is available. It might be worth thinking about scenarios where this will actually happen. For example, in a Thread Border Router, a query to _hap._udp.default.service.arpa will want data from the local infrastructure link (WiFi) and the Thread network (802.15.4 mesh). The Thread network service information will have been registered using SRP, and so it will already be available. Information from the local link will come from the Discovery Proxy, and might be in cache, or might not. If it's not in cache, the Discovery Proxy will start a mDNS query. Discovering if it is in cache may require some RPC mechanism to be used, which might produce an asynchronous response. E.g., in the Apple implementation, the Discovery Proxy is going to do an RPC call to mDNSResponder, which is a local process, and mDNSResponder will respond immediately if there is any cached data, for some value of "immediately." If there is no cached data, mDNSResponder does not say "there is no cached data"—it just doesn't respond. So the implementation would have to time out quickly enough to respond to the DNS query in a timely manner, but wait long enough that cached data would be returned. Perhaps mDNSResponder should be extended to formally indicate that no cached data is available. Anyway, that's the implementation problem that I think you are talking about. I'd be curious to know what people think of this. Is it bad if we always wind up answering the query with SRP data (if present) because we have that in an authority database that can be consulted synchronously? On Mon, Jul 18, 2022 at 4:19 AM Esko Dijk <esko.dijk@iotconsultancy.nl> wrote: > Hello, > > > > During implementation work a question came up how a DNS server with > integrated Discovery Proxy (on the same host) should behave. > > RFC 8766 describes the situation that every request made by a DNS client > is handled by the Discovery Proxy. But in practice, if the Discover Proxy > is collocated with a DNS server, some interaction between both may be > required: the DNS response may include locally stored records and/or > records found by the Discovery Proxy. > > > > The question was specifically to the case of “standard” DNS queries (i.e. > not using DNS Push Notifications and not using LLQ). Section 5.6 Answer > Aggregation in RFC 8766 already describes the behavior towards the DNS > client for this case: the proxy will respond back with the first answer(s) > it can get hold of and not spend any effort obtaining more answers or > waiting for more answers. > > > > But the situation where the same DNS server also hosts locally stored > records in its database is not described there. This may happen e.g. if > there’s an SRP server integrated into the same host (as in our case), or > there may be another reason why there’s a DNS server. > > > > A first question is: where should this type of interaction be described? > Do we need a new document for this? > > > > Second question: what’s the preferred behavior in this case? My > assumption was that we want to continue the RFC 8766 defined behavior > towards the client, which would mean: > > 1. If the DNS server locally does not have any matching answer, and > also the Discovery Proxy cache has none, then the Discovery Proxy will send > an mDNS request. Per Case 1 “Standard DNS query; no answer in cache” of > 8766. > 2. If the DNS server locally does not have any matching answer, but > the Discovery Proxy cache has at least 1 answer, then the DNS server > answers with those cached answers and does not send a new mDNS request. > Case 2 “Standard DNS query; at least one answer in cache”. > 3. If the DNS server locally holds any answer record(s) then the > Discovery Proxy does not need to send a new mDNS request; the DNS server > will answer with the local matching record(s) including those taken from > Discovery Proxy cache if any. Case 2 “Standard DNS query; at least one > answer in cache”. > > > > The assumption in above is that the DNS query is for a domain for which > the DNS server (including its integrated Discovery Proxy) is authoritative. > > > > Best regards > > Esko > > > > > > IoTconsultancy.nl | Email/Teams: esko.dijk@iotconsultancy.nl > > > > > _______________________________________________ > dnssd mailing list > dnssd@ietf.org > https://www.ietf.org/mailman/listinfo/dnssd >