Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?

Mark Nottingham <mnot@mnot.net> Tue, 08 May 2018 11:54 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1269412D96B for <doh@ietfa.amsl.com>; Tue, 8 May 2018 04:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=FJhQZHzA; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=QVRDgryB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id czn-LqDKdYMX for <doh@ietfa.amsl.com>; Tue, 8 May 2018 04:54:39 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26EDA12D962 for <doh@ietf.org>; Tue, 8 May 2018 04:54:39 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 8091920E37; Tue, 8 May 2018 07:54:38 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Tue, 08 May 2018 07:54:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=vz4TofEPGt4K+R5EY1yzc108qfTCd nvIesYE6EWnxVI=; b=FJhQZHzA+CRyficPFZKBs0t8yg0L2PB8/hkPfls9AalJD eNniT3u4fbpT5c/6mX0wpzQRCr7seI+YnmD10dVaWzrz9Oj4xfcr5uvnh+kbSt16 QYFqiXufhiQP/kXwjegv1/DZY0GmL1bULI39SXw8sQVHMw661fMW1P7LXCjNTwR0 sgouxWZcutAZRIbAtHJFxjYw74iP9/17a2jB/A0/2yW1haisoqHZMExTaRkaObJW +kUs0kbXrQuqpUDSLG6oFxyaGyRwbNRDvD8CTY4lWmkaYf8rRK2HvvEmgNpDLPuA /IO9w4W+TLPhJSlt+o57u+lxbO3Skm80PzIVLRiGw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=vz4Tof EPGt4K+R5EY1yzc108qfTCdnvIesYE6EWnxVI=; b=QVRDgryBfww6jPUJ3akRgP o/3sPGMKkX8inJKjkoU5QN3KOd/Mrz05+u5A381HtDuikyl8wQNUWVYMG4tEm/5l 0DzR2kb/F+lweqviA7GZVANbQhDaVovLn2ownCmFomxV7u97J1aWAk35kK3WTxEQ LF7jCZgn6soqaBcXRFmBg8U55kOoKojO6fLgMQzjch6fMRZ595zoRWThKL3iVaTN 1mVt1Kbco/tvDnfIPHJ7g7V3cJpep179isdSqEStFBW3zKAUzPSz4LkkYMifz0EE Noi7GbuLNVijUdGDsCxrIJktZNI/7fzF5XZjxKTtjkNnHweGYoISOeTy/lux9YAg ==
X-ME-Sender: <xms:_o_xWp3sGv76h3a4EB82zIKyxpmYB4EztwTS9rJ7-2lBcfWf_NoMfQ>
Received: from [192.168.1.25] (unknown [144.136.175.28]) by mail.messagingengine.com (Postfix) with ESMTPA id 71C5210453; Tue, 8 May 2018 07:54:36 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAOdDvNoQC=e8GTHU5Bw1KkR0r+dyKhqsVDRXvuyJb+jQSKn8GQ@mail.gmail.com>
Date: Tue, 8 May 2018 21:54:32 +1000
Cc: Paul Hoffman <paul.hoffman@icann.org>, DoH WG <doh@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <058CD4DD-28F3-44FD-B616-2544EBDB7676@mnot.net>
References: <15A1809C-2CA3-4A3B-A5B1-279227C30223@icann.org> <3E34581E-E2DC-48B7-A4AD-6B9FDA418179@icann.org> <31900328-8813-47D3-9F89-0B863CE673B3@mnot.net> <CAOdDvNoQC=e8GTHU5Bw1KkR0r+dyKhqsVDRXvuyJb+jQSKn8GQ@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/389q5blDGFXEuRAq2BDjYjDQtvo>
Subject: Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 May 2018 11:54:42 -0000


> On 8 May 2018, at 9:37 pm, Patrick McManus <pmcmanus@mozilla.com> wrote:
> 
> Thanks Mark,
> 
> This text reads more fluidly, and that is nice. OTOH it doesn't do much to resolve the core tension in https://github.com/dohwg/draft-ietf-doh-dns-over-https/issues/153. The current ID uses normative language for creating http freshness lifetimes from DNS sets.

Well, Paul asked for text...

> Comments from you and Martin (and this text suggestion) support changing this from normative language to advice. The other comments favor the more deterministic behavior we currently have.
> 
> Can you help me understand the argument you are making? Martin primarily suggests having the DNS code check the TTL before use rather than relying on the cache to serve fresh responses - but I think that particular point has met significant pushback largely from the DNS experts in the community.

I'm not hearing pushback to this approach on this thread so far, so I'd like to hear (here) what the issue is.

> fwiw I think I agree with the existing normative requirement - a response ought to be valid at the time of receipt and it is very helpful to harmonize the concepts of DNS and HTTP valid. This doesn't preclude fancy stuff like stale-if-error or insane client max-age headers if a client is motivated.

HTTP caches can and do serve stale content even without those "fancy" things (e.g., when the origin server is disconnected). If you're using HTTP and caching has taken place, you fundamentally need to understand how old the response you're using is if it's time-sensitive -- which this is. That means checking the Age.

> The existing draft seems to have caused a little bit of confusion by saying SHOULD match rather than MUST match.. The intent for that was to allow for http lifetimes less than DNS lifetimes (particularly max-age:0 if you cannot figure out the DNS lifetime from your HTTP server code). The subsequent sentence enforced the >= property.
> 
> Is there another aspect to the question I'm missing?

It looks like you're using RFC2119 requirements to bring attention to important parts of the specification ("we really mean that this could trip you up"), rather than stating actual requirements for interoperability. These MUSTs aren't testable, and they may be too confining in some deployments. This stuff really is advice, of the "if it hurts, don't do that" sort -- not requirements.


> 
> 
> 
> 
> 
> On Tue, May 8, 2018 at 2:10 AM, Mark Nottingham <mnot@mnot.net> wrote:
> On 3 May 2018, at 8:23 am, Paul Hoffman <paul.hoffman@icann.org> wrote:
> > 
> > I'm going to re-up this here on the list. Please see the discussion on
> >   https://github.com/dohwg/draft-ietf-doh-dns-over-https/issues/153
> > 
> > It would be handy if people who disagree with each other offer text *on the list*, not pull requests, specifying what they want the text in the draft to say. Then, people to try to come to consensus on this. (Yes, some people are more comfortable with editing pull requests; I feel that this issue is too important to not have the discussion here on the list.)
> 
> Proposal:
> 
> Cache Interaction {#caching}
> 
> A DNS API request can pass through a hierarchy of caches that include both HTTP and DNS specific caches. HTTP caches are by design generic; that is, they do not understand this protocol. Even if a DNS API client has modified its cache implementation to be aware of DOH semantics, it does not follow that all upstream caches (for example, in proxies, server-side gateways and Content Delivery Networks) will be.
> 
> As a result, DNS API servers need to carefully consider the HTTP caching metadata they send in response to GET requests (POST requests are not cacheable unless specific response headers are sent; this is not widely implemented, and not advised for DOH). 
> 
> In particular, they are encouraged to assign an explicit freshness lifetime (Section 4.2 of {{RFC7234}}), since HTTP caches can assign heuristic freshness otherwise (Section x.x of {{RFC7234}}), thereby taking control out of the hands of the DNS API server.
> 
> Typically, the assigned freshness lifetime of a given DOH HTTP response will use the smallest TTL in the Answer section of the DNS response as a maximum. For example, if a HTTP response carries three RRsets with TTLs of 30, 600 and 300, the HTTP freshness lifetime usually ought to be no more than 30 seconds (e.g., "Cache-Control: max-age=30"), so that the RRset with the smallest TTL is not stale when retrieved from cache.
> 
> This assures that none of the RRsets contained within are served stale from an HTTP cache.
> 
> If the DNS response has no records in the Answer section, and the DNS response has an SOA record in the Authority section, the response freshness lifetime typically ought not be greater than the MINIMUM field from that SOA record (see {{RFC2308}}).
> 
> The stale-while-revalidate and stale-if-error Cache-Control directives ({{?RFC5861}}) could be well suited to a DOH implementation when allowed by server policy. Those mechanisms allow a client, at the server's discretion, to reuse a cache entry that is no longer fresh.
> 
> DNS API servers also need to consider caching when generating responses that are not globally valid. For instance, if a DNS API server customizes a response based on the client's identity, it would not want to allow global reuse of that response. This could be accomplished through a variety of HTTP techniques such as a Cache-Control max-age of 0, or by using the Vary response header ({{RFC7231}}, Section 7.1.4) to establish a secondary cache key ({{RFC7234}}, Section 4.1).
> 
> DNS API clients MUST account for the Age response header's value ({{RFC7234}}) when calculating the DNS TTL of a response. For example, if a RRset is received with a DNS TTL of 600, but the Age header indicates that the response has been cached for 250 seconds, the remaining lifetime of the RRset is 350 seconds. 
> 
> DNS API clients that encounter stale responses (either because the HTTP freshness lifetime has passed, or because one or more RRset's lifetime has passed) can request a fresh copy by using the "no-cache" request cache control directive ({{RFC7234}}, Section 5.2.1.4) and similar controls. Note that some caches might not honour these directives, depending upon their configuration.
> 
> HTTP conditional requests ({{RFC7232}}) may be of limited value to DOH, as revalidation provides only a bandwidth benefit and DNS transactions are normally latency bound. Furthermore, the HTTP response headers that enable revalidation (such as "Last-Modified" and "Etag") are often fairly large when compared to the overall DNS response size, and have a variable nature that creates constant pressure on the HTTP/2 compression dictionary {{RFC7541}}. Other types of DNS data, such as zone transfers, may be larger and benefit more from revalidation.
> 
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
> 

--
Mark Nottingham   https://www.mnot.net/