Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?
Patrick McManus <pmcmanus@mozilla.com> Tue, 08 May 2018 16:25 UTC
Return-Path: <pmcmanus@mozilla.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1FF312E891 for <doh@ietfa.amsl.com>; Tue, 8 May 2018 09:25:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.233
X-Spam-Level:
X-Spam-Status: No, score=-1.233 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rVgvfm2-sppA for <doh@ietfa.amsl.com>; Tue, 8 May 2018 09:25:21 -0700 (PDT)
Received: from linode64.ducksong.com (linode6only.ducksong.com [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by ietfa.amsl.com (Postfix) with ESMTP id 5A7ED12E9D9 for <doh@ietf.org>; Tue, 8 May 2018 09:25:21 -0700 (PDT)
Received: from mail-oi0-f46.google.com (mail-oi0-f46.google.com [209.85.218.46]) by linode64.ducksong.com (Postfix) with ESMTPSA id E39423A026 for <doh@ietf.org>; Tue, 8 May 2018 12:25:20 -0400 (EDT)
Received: by mail-oi0-f46.google.com with SMTP id t27-v6so28856562oij.9 for <doh@ietf.org>; Tue, 08 May 2018 09:25:20 -0700 (PDT)
X-Gm-Message-State: ALQs6tAd9+MCb7jRso+LOp43oJT6m8OoObNoXwFyHAls85O/ypKfGXgq Tdy8mPpAN6HccSNsoWVzNanCtMqboraCA1QFtIE=
X-Google-Smtp-Source: AB8JxZpgp0OxxM3hx0/vBZLO5f1lNtoQauaMbCwoj2Tcewkro8hhkgHWZLAq54bhhJ2rwUZ/O4SSfiVfSIBf64WZpfI=
X-Received: by 2002:aca:f388:: with SMTP id r130-v6mr25388281oih.17.1525796720621; Tue, 08 May 2018 09:25:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.138.36 with HTTP; Tue, 8 May 2018 09:25:20 -0700 (PDT)
In-Reply-To: <058CD4DD-28F3-44FD-B616-2544EBDB7676@mnot.net>
References: <15A1809C-2CA3-4A3B-A5B1-279227C30223@icann.org> <3E34581E-E2DC-48B7-A4AD-6B9FDA418179@icann.org> <31900328-8813-47D3-9F89-0B863CE673B3@mnot.net> <CAOdDvNoQC=e8GTHU5Bw1KkR0r+dyKhqsVDRXvuyJb+jQSKn8GQ@mail.gmail.com> <058CD4DD-28F3-44FD-B616-2544EBDB7676@mnot.net>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Tue, 08 May 2018 18:25:20 +0200
X-Gmail-Original-Message-ID: <CAOdDvNqQmxmj-Akx3VjoGt_r=Q-GRfi+WEz3=vo0AXj6fKTFHg@mail.gmail.com>
Message-ID: <CAOdDvNqQmxmj-Akx3VjoGt_r=Q-GRfi+WEz3=vo0AXj6fKTFHg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Patrick McManus <pmcmanus@mozilla.com>, Paul Hoffman <paul.hoffman@icann.org>, DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000883e87056bb43b80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/73LXDuDPRUQf5frVNJiceUAdslc>
Subject: Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 May 2018 16:25:24 -0000
On Tue, May 8, 2018 at 1:54 PM, Mark Nottingham <mnot@mnot.net> wrote: > > > This text reads more fluidly, and that is nice. OTOH it doesn't do much > to resolve the core tension in https://github.com/dohwg/draft > -ietf-doh-dns-over-https/issues/153. The current ID uses normative > language for creating http freshness lifetimes from DNS sets. > > Well, Paul asked for text... > > I forgot to say thank you for the text - I just was trying to communicate that I think the rationale is more of the blocker for this issue than the text. So that's what I'm trying to drill down on here.. > > Comments from you and Martin (and this text suggestion) support changing > this from normative language to advice. The other comments favor the more > deterministic behavior we currently have. > > > > Can you help me understand the argument you are making? Martin primarily > suggests having the DNS code check the TTL before use rather than relying > on the cache to serve fresh responses - but I think that particular point > has met significant pushback largely from the DNS experts in the community. > > I'm not hearing pushback to this approach on this thread so far, so I'd > like to hear (here) what the issue is. > Ben and Dave pushed back in the github - it would be helpful to hear them here as well, I agree. > > HTTP caches can and do serve stale content even without those "fancy" > things (e.g., when the origin server is disconnected). If you're using HTTP > and caching has taken place, you fundamentally need to understand how old > the response you're using is if it's time-sensitive -- which this is. That > means checking the Age. > > This text doesn't prevent you from serving anything - it just defines how you set the freshness lifetime so that an Age calculation at the HTTP level actually reflects the fresh/stale status of the DNS content in a conservative fashion. A client very concerned about that could make the calculation or it can assume that the server did the best it could do (i.e. its either fresh, or stale in extremis so use it anyhow) and use it once for record types like A. > The existing draft seems to have caused a little bit of confusion by > saying SHOULD match rather than MUST match.. The intent for that was to > allow for http lifetimes less than DNS lifetimes (particularly max-age:0 if > you cannot figure out the DNS lifetime from your HTTP server code). The > subsequent sentence enforced the >= property. > > > > Is there another aspect to the question I'm missing? > > It looks like you're using RFC2119 requirements to bring attention to > important parts of the specification ("we really mean that this could trip > you up"), rather than stating actual requirements for interoperability. > These MUSTs aren't testable, and they may be too confining in some > deployments. This stuff really is advice, of the "if it hurts, don't do > that" sort -- not requirements. > > I must be misunderstanding what you mean by not testable - the alignment of expiration information seems pretty observable. And there is an operational impact to terminal clients without caches (either DNS or HTTP) which simply want to lookup a record and use it having to retry to get non-expired info (and the rather large risk of them not trying and using old data instead). So I guess you can argue that without 2119 language the DOH client and server can communicate, but without normative provisions constraining the server you can't interop well with the Internet.. seems 2119 in scope to me.
- [Doh] Does the HTTP freshness lifetime need to ma… Paul Hoffman
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Paul Hoffman
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Mark Nottingham
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Miek Gieben
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Tony Finch
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Patrick McManus
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Mark Nottingham
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Patrick McManus
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Ben Schwartz
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Ted Hardie
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Martin Thomson
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Paul Hoffman
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Paul Hoffman
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Paul Hoffman
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Mark Nottingham
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Tony Finch
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Paul Hoffman
- Re: [Doh] [Ext] Does the HTTP freshness lifetime … Tony Finch