Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?

Ted Hardie <> Wed, 09 May 2018 00:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6677D12D7F2 for <>; Tue, 8 May 2018 17:01:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pvR30VOoa4g1 for <>; Tue, 8 May 2018 17:01:50 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D587312D7F1 for <>; Tue, 8 May 2018 17:01:49 -0700 (PDT)
Received: by with SMTP id 11-v6so29952384ois.8 for <>; Tue, 08 May 2018 17:01:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=a6DBfjaneJkK0ckh7J2cXOCg4L908SGVNOpDW2X+jqk=; b=IfaeFqBfgA9bhlG50UTXzYHvxDU9Ifre/6GqU/8YKJLa/XT9pQly1HvulTUdEgsIZ7 HKXRGpdOq1SLmJ7HsZfBIWLey29rVPjtEuV35GTty5lPugw32DvCqxxY454d/fuUxZgo cGb1pKdn+mDS+mhNXpxt7W7W002Hk46kJPtkQWsov3OF4BwufD1hAiJxY3FUYvW9p+Eq Ij1WcQqPKstI8yp30Kid/obpNp2Tp824Ay+QnCdni3uCjuoKQ87JVf133PfICXQV8Y/3 ifjhgi3/HSsd/uMyJ5A0jD4AeRLAH4aACiwnIvUOqnvvsTnkzbN4mUguIEn7f+nnFcqp oLiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=a6DBfjaneJkK0ckh7J2cXOCg4L908SGVNOpDW2X+jqk=; b=Vd9sebdirobFPgsRQgArtKUkfJJ/SfD8OrZixfHamgd1ZqXIEJcTrr4sP/Jo2VcaBH 2qj00AkqxVZKYL4Wtv1Lx+M8tIX+lUqeLTOkAqAiH4he7LqRWiLCN1uOU/klhopA4HUR /RJKdyC04rBczL0n/RNTozoY+GBDOKoOiOS1AFKEAkIHSYRsL0dwPfTeECHosTyu8Gy6 z7YdCYrwCJeCbotvsSUvd4DtIgL1Yg5xKu8bkRRjykYSy0Ul/ibaNf1YaF57vTbQS/ZF yxA5J83+kuEBYuJYLBlIUh9D5z3V/AlfSedUaksrWjvbJVvGOhVVjAbW7iC9cBllxvD2 hFag==
X-Gm-Message-State: ALQs6tBm7jHCjmfOykY8/NjNjRsxYSApSsuyzdQgaDXQuqIID31+w9Is xSq3UVbAgDFqB42zA5+D8b3idEnSRbLXmtEv8jU=
X-Google-Smtp-Source: AB8JxZrVFLR63C6sCoEOkMtk7vA+/awxcmyvBcbRFuGJS8QscoUIcNmb3JW+HcKrlANdliGByqvFd1WVO+bMjkPEbLs=
X-Received: by 2002:aca:62c1:: with SMTP id w184-v6mr22141198oib.122.1525824109014; Tue, 08 May 2018 17:01:49 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Tue, 8 May 2018 17:01:18 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Ted Hardie <>
Date: Tue, 8 May 2018 17:01:18 -0700
Message-ID: <>
To: Mark Nottingham <>
Cc: Paul Hoffman <>, DoH WG <>
Content-Type: multipart/alternative; boundary="00000000000001f2aa056bba9cac"
Archived-At: <>
Subject: Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 May 2018 00:01:53 -0000


Some comments in-line, thanks for the text.

On Mon, May 7, 2018 at 5:10 PM, Mark Nottingham <> wrote:

> On 3 May 2018, at 8:23 am, Paul Hoffman <> wrote:
> >
> > I'm going to re-up this here on the list. Please see the discussion on
> >
> >
> > It would be handy if people who disagree with each other offer text *on
> the list*, not pull requests, specifying what they want the text in the
> draft to say. Then, people to try to come to consensus on this. (Yes, some
> people are more comfortable with editing pull requests; I feel that this
> issue is too important to not have the discussion here on the list.)
> Proposal:
> Cache Interaction {#caching}
> A DNS API request can pass through a hierarchy of caches that include both
> HTTP and DNS specific caches. HTTP caches are by design generic; that is,
> they do not understand this protocol. Even if a DNS API client has modified
> its cache implementation to be aware of DOH semantics, it does not follow
> that all upstream caches (for example, in proxies, server-side gateways and
> Content Delivery Networks) will be.
> I think it would be useful to specify whether we are talking only about
the upstream network caches or the local caches when using phrases like
"pass through" (the use of a local HTTP cache here by a DNS API service to
furnish data to a DNS client should either be explicitly in or out of
scope, in other words).

> As a result, DNS API servers need to carefully consider the HTTP caching
> metadata they send in response to GET requests (POST requests are not
> cacheable unless specific response headers are sent; this is not widely
> implemented, and not advised for DOH).
> In particular, they are encouraged to assign an explicit freshness
> lifetime (Section 4.2 of {{RFC7234}}), since HTTP caches can assign
> heuristic freshness otherwise (Section x.x of {{RFC7234}}), thereby taking
> control out of the hands of the DNS API server.
> I agree with other that the use of RFC 2119 language like SHOULD is
appropriate here.  We may want to allow for some variance, but a very clear
expectation will help more than "encouraged" will, at least in my opinion.

> Typically, the assigned freshness lifetime of a given DOH HTTP response
> will use the smallest TTL in the Answer section of the DNS response as a
> maximum. For example, if a HTTP response carries three RRsets with TTLs of
> 30, 600 and 300, the HTTP freshness lifetime usually ought to be no more
> than 30 seconds (e.g., "Cache-Control: max-age=30"), so that the RRset with
> the smallest TTL is not stale when retrieved from cache.
> Again, I think "Typically...will" should transition to an RFC 2119
requirement.  This may mean making it explicit that when the HTTP responder
cannot calculate the smallest TTL it should use cache-control methods to
limit caching.

> This assures that none of the RRsets contained within are served stale
> from an HTTP cache.
> If the DNS response has no records in the Answer section, and the DNS
> response has an SOA record in the Authority section, the response freshness
> lifetime typically ought not be greater than the MINIMUM field from that
> SOA record (see {{RFC2308}}).
> The stale-while-revalidate and stale-if-error Cache-Control directives
> ({{?RFC5861}}) could be well suited to a DOH implementation when allowed by
> server policy. Those mechanisms allow a client, at the server's discretion,
> to reuse a cache entry that is no longer fresh.

I'm concerned about the use of these with responses that contain multiple
records.  If this text is retained, I think it will have to specify how to
manage the multiple record case.

> DNS API servers also need to consider caching when generating responses
> that are not globally valid. For instance, if a DNS API server customizes a
> response based on the client's identity, it would not want to allow global
> reuse of that response. This could be accomplished through a variety of
> HTTP techniques such as a Cache-Control max-age of 0, or by using the Vary
> response header ({{RFC7231}}, Section 7.1.4) to establish a secondary cache
> key ({{RFC7234}}, Section 4.1).
> DNS API clients MUST account for the Age response header's value
> ({{RFC7234}}) when calculating the DNS TTL of a response. For example, if a
> RRset is received with a DNS TTL of 600, but the Age header indicates that
> the response has been cached for 250 seconds, the remaining lifetime of the
> RRset is 350 seconds.
> DNS API clients that encounter stale responses (either because the HTTP
> freshness lifetime has passed, or because one or more RRset's lifetime has
> passed) can request a fresh copy by using the "no-cache" request cache
> control directive ({{RFC7234}}, Section and similar controls. Note
> that some caches might not honour these directives, depending upon their
> configuration.
Should a DNS API client consider such a response as equivalent to SERVFAIL?

> HTTP conditional requests ({{RFC7232}}) may be of limited value to DOH, as
> revalidation provides only a bandwidth benefit and DNS transactions are
> normally latency bound. Furthermore, the HTTP response headers that enable
> revalidation (such as "Last-Modified" and "Etag") are often fairly large
> when compared to the overall DNS response size, and have a variable nature
> that creates constant pressure on the HTTP/2 compression dictionary
> {{RFC7541}}. Other types of DNS data, such as zone transfers, may be larger
> and benefit more from revalidation.
> I would have, perhaps naively, expected zone transfers to be the result of
POSTs rather than GETs.  Which types of results can be be retrieved by each
might be useful to lay out somewhere, just to forestall confusion like mine.



> --
> Mark Nottingham
> _______________________________________________
> Doh mailing list