IETF Logo Mail Archive

Re: [dnssd] Strategy of advertising proxy for hostname conflicts during key lease period? (draft-ietf-dnssd-advertising-proxy-00)

Ted Lemon <mellon@fugue.com> Sat, 18 June 2022 00:56 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96465C14F727 for <dnssd@ietfa.amsl.com>; Fri, 17 Jun 2022 17:56:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgRCjXYfmnmy for <dnssd@ietfa.amsl.com>; Fri, 17 Jun 2022 17:56:50 -0700 (PDT)
Received: from mail-oo1-xc2b.google.com (mail-oo1-xc2b.google.com [IPv6:2607:f8b0:4864:20::c2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78DD0C157B43 for <dnssd@ietf.org>; Fri, 17 Jun 2022 17:56:50 -0700 (PDT)
Received: by mail-oo1-xc2b.google.com with SMTP id n24-20020a4ae758000000b0041b82638b42so1070914oov.9 for <dnssd@ietf.org>; Fri, 17 Jun 2022 17:56:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5ScBhAgOqY21sZd78vexNp+chJAJDE/4nWrU0mBh9E0=; b=EMSg8YWh5SeM+GnRTA/0wPicKHGQHFYq5qJnUPtR1V6Hd1Y9fJ+Azz9WCcXqy0U1SB vIxKyg5bhUGCZ6JaHMuIIQBaojuRIg//WyvzEj1lUs4tqa0cnY30bXDgdqP1hMOdaVcr xXRmYTi1OVhEcbZCDeTWRPjagJQrIMNVqftmHmxGeG5zTMQJgO8vjmILVgANo07j0Uqz 0X5Y2zBh3YOdfkMqpnIYHM9YXlf5hffYvBV3rvIvRKaFaDL3E8+66flA+GcZFHCqI5io XcB9XUcGlSZlc3Ph7cceVqCZZxxpaVQvXMP9sMSvtNQToMwzNQS63Of39RCx15Sd2V9L /0zA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5ScBhAgOqY21sZd78vexNp+chJAJDE/4nWrU0mBh9E0=; b=cYBBp98+eYyi8Y36d8fcn3AhlQuMpl1C5ZNq7PxnYl80imRv3Fq8HZL0BwVLSjWbtK PnY+R8V6sxaSL46Ww2YdLmyrKxaeSOK2NYeCJj8Q6lii9xwZ+dThao42Ll1GFJKtbPY8 QM5WPWikTwzsaqZW2rUtFtY/+XhiB25Z3lE1kYmGflt/LlUlqwuWnVgD3DebBWVkhDzW PqyPApEAbIiTK2ssr/LA3UC69pXBRTZv3XT1Jb+eEpSVA1lOD/TF6+GiJK1OLdCc3iG4 c7TE46e33ywIF/gHy2r7YqnsXcbbQ2KIwe5GyR8MuZPrRfwv1lmi77sURrYRK/cviEOh ySkA==
X-Gm-Message-State: AJIora/vovnEchD1kt2KiYH5iR3a3Ky7dqFA9hTwk6L6rJE9T/uilthf Vq2ZWCYkxZDvlQDIfqSkfaSfkz49lLZSRNzoUxVgZuj5v5jjHA==
X-Google-Smtp-Source: AGRyM1s2WQMPiFwWAVWhtKIjbZDuG3T1trcwaQjccCclpJvUOpDxqgAnrEyhUZkXcqfmEfhdb0Aag3JmXCtZUuXy/hs=
X-Received: by 2002:a05:6820:316:b0:41b:f40a:f9ff with SMTP id l22-20020a056820031600b0041bf40af9ffmr5002910ooe.3.1655513808805; Fri, 17 Jun 2022 17:56:48 -0700 (PDT)
MIME-Version: 1.0
References: <DU0P190MB1978D4C3F784B67C8AF39A7DFDA49@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <CAPt1N1nFYVMYiEuhSM4Kuickvb2VBgyanEV=VgGtX996oZW5EA@mail.gmail.com> <DU0P190MB197866CA95A9ABBB013ED9D9FDA79@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <DU0P190MB1978B2BF4465D735DF2FC24BFDAC9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <CAPt1N1n-cmg4bydwM56Z9EZF_si19Ve1YNbBg=4H2YksWDd++A@mail.gmail.com>
In-Reply-To: <CAPt1N1n-cmg4bydwM56Z9EZF_si19Ve1YNbBg=4H2YksWDd++A@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Fri, 17 Jun 2022 20:56:13 -0400
Message-ID: <CAPt1N1kD7VT0OKoEbH6LHZh4v0goNj1jV1aTSrE4kY9pLF3pQA@mail.gmail.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: "dnssd@ietf.org" <dnssd@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007eb43605e1ae58ff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/gP_dkR1KiS_GcdytFSajqO0e4RU>
Subject: Re: [dnssd] Strategy of advertising proxy for hostname conflicts during key lease period? (draft-ietf-dnssd-advertising-proxy-00)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jun 2022 00:56:54 -0000

I wanted to check with Stuart before answering. RFC6762 is somewhat
ambiguous on this topic: Section 8.1 says:

It also allows a host to verify exclusive ownership of a name for all
> rrtypes, which is desirable in most cases.  It would be confusing, for
> example, if one host owned the "A" record for "myhost.local.", but a
> different host owned the "AAAA" record for that name.


However, section 9 says:

A conflict occurs when a Multicast DNS responder has a unique record for
> which it is currently authoritative, and it receives a Multicast DNS
> response message containing a record with the same name, rrtype and
> rrclass, but inconsistent rdata.


So as you said, when the probe goes out, it queries for ANY, and if it sees
a KEY record, even if its goal is to advertise an A record, it will take
that as "ownership of the name" and not advertise the A record on that
name. Simultaneous probe resolution will also do the right thing. On the
other hand, in theory at least,  if two servers have already decided to
advertise the same data, and later on one gets a response containing only a
KEY record on a name on which it is advertising an A record, it won't see a
conflict (late conflict detection) at least according to the RFC.

In practice, what I see with mDNSResponder is that it detects all of these
events as conflicts, even the late conflict. I think maybe an update to
RFC6762 is in order to clarify this—I think the spec ought to be clear on
this, and it doesn't make sense that only in the late conflict case do we
not care that two hosts are advertising different records on the same owner
name.

So, back to the use of the KEY record, I think that your description of the
behavior for address and KEY records is right. However, the KEY record is
actually supposed to be used to hold not only the hostname but also the
service instance name(s), so you would see a KEY record on the service
instance names in a unicast DNS key query. You would not see them in mDNS,
because it's hard to make that work, and not worth the effort, since in any
non-SRP use case that produces a conflict, which I think is what we'd be
concerned about, the instance name is nearly always going to be the same as
the hostname plus the service type and transport type labels.

On Thu, Jun 16, 2022 at 1:24 PM Ted Lemon <mellon@fugue.com> wrote:

> Sorry for not responding quickly to this. You're asking about fairly deep
> technical details of the mDNS protocol, and I am not actually an expert, so
> I can't say that your understanding is correct or not.
>
> I will try to get Stuart to weigh in on this.
>
> On Thu, Jun 16, 2022 at 9:03 AM Esko Dijk <esko.dijk@iotconsultancy.nl>
> wrote:
>
>> FYI - I’m now assuming the following behavior of an advertising proxy,
>> for an incoming mDNS query. This is for the case  there’s only a single
>> registered (SRP) service that is expired; and host lease is also expired at
>> the same time. And the host’s key-lease is still active:
>>
>>
>>
>>    - QTYPE = PTR , QNAME=<service instance name or service type name> :
>>    No response
>>    - QTYPE = SRV, QNAME=<service instance name or service type name> :
>>    No response
>>    - QTYPE = ANY, QNAME=<service instance name or service type name> :
>>    No response
>>    - QTYPE = AAAA, QNAME=<host name> : Response with success (NoError)
>>    status and 0 answer records
>>    - QTYPE = ANY, QNAME=<host name> : Respond with KEY record for <host
>>    name>.local
>>    - QTYPE = KEY, QNAME=<host name> : Respond with KEY record for <host
>>    name>.local
>>
>>
>>
>>
>>
>> Same case but when using the authoritative DNS server on the same host,
>> for an incoming unicast DNS query:
>>
>>
>>
>>    - QTYPE = PTR , QNAME=<service instance name or service type name> :
>>    Respond NXDOMAIN
>>    - QTYPE = SRV, QNAME=<service instance name or service type name> :
>>    Respond NXDOMAIN
>>    - QTYPE = ANY, QNAME=<service instance name or service type name> :
>>    Respond NXDOMAIN
>>    - QTYPE = AAAA, QNAME=<host name> : Response with success (NoError)
>>    status and 0 answer records
>>    - QTYPE = ANY, QNAME=<host name> : Respond with KEY record for <host
>>    name>.default.service.arpa
>>    - QTYPE = KEY, QNAME=<host name> : Respond with KEY record for <host
>>    name>.default.service.arpa
>>
>>
>>
>> Esko
>>
>>
>>
>> *From:* dnssd <dnssd-bounces@ietf.org> *On Behalf Of * Esko Dijk
>> *Sent:* Thursday, June 9, 2022 12:14
>> *To:* Ted Lemon <mellon@fugue.com>
>> *Cc:* dnssd@ietf.org
>> *Subject:* Re: [dnssd] Strategy of advertising proxy for hostname
>> conflicts during key lease period? (draft-ietf-dnssd-advertising-proxy-00)
>>
>>
>>
>> That sounds like a good approach. So a potential competitor would first
>> send a probe-query for the hostname with rrtype “ANY”; and then the
>> advertising proxy would respond with its answer including the hostname and
>> an rrtype “KEY’ record  - is that correct?
>>
>>
>>
>> Does this also mean the SRP server will answer DNS unicast queries for
>> this hostname and e.g. rrtype ANY, with the KEY record? While the key lease
>> is still valid.
>>
>>
>>
>> Esko
>>
>>
>>
>> *From:* Ted Lemon <mellon@fugue.com>
>> *Sent:* Wednesday, June 8, 2022 20:45
>> *To:* Esko Dijk <esko.dijk@iotconsultancy.nl>
>> *Cc:* dnssd@ietf.org
>> *Subject:* Re: [dnssd] Strategy of advertising proxy for hostname
>> conflicts during key lease period? (draft-ietf-dnssd-advertising-proxy-00)
>>
>>
>>
>> You are correct. Fortunately, we always have a KEY record that we can
>> publish on the owner name. This is what the advertising proxy should do to
>> defend the name. If some non-SRP service tries to register the name, it
>> will get a hostname conflict.
>>
>>
>>
>> On Wed, Jun 8, 2022 at 9:36 AM Esko Dijk <esko.dijk@iotconsultancy.nl>
>> wrote:
>>
>> Hi all,
>>
>>
>>
>> Something that could be added to draft-ietf-dnssd-advertising-proxy-00 is
>> the handling of hostname conflicts; and how an advertising proxy would
>> “defend” an SRP registration on the mDNS link side. (There was a previous
>> thread on this too.)
>>
>>
>>
>> In particular, what if a host registration has already expired but the
>> key-lease is still active? In SRP, then no-one else can claim this
>> hostname. But in mDNS, we don’t seem to have such mechanism i.e. the
>> advertising proxy doesn’t “defend” the hostname registration on the mDNS
>> link. Or does it?
>>
>> So it could happen that this hostname is claimed on the mDNS side by an
>> mDNS native device, even though a particular SRP client still has the
>> key-lease on this name.
>>
>>
>>
>> The original name owner (SRP client) could later come back online and it
>> may need to claim the name again – conflicting with the mDNS link.
>>
>>
>>
>> Best regards
>>
>> Esko
>>
>>
>>
>> *IoTconsultancy.nl*  |  Email/Teams: esko.dijk@iotconsultancy.nl    |
>> +31 6 2385 8339
>>
>>
>>
>> _______________________________________________
>> dnssd mailing list
>> dnssd@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnssd
>>
>>

v2.23.0 | Report a Bug | By Email