Re: [homenet] Status of draft-tldm-simple-homenet-naming CFA

[Toke Høiland-Jørgensen <toke@toke.dk>]

Ted Lemon <mellon@fugue.com> writes:

>> Perhaps it would help if you could explain (a) the details of "the CDN
>> problem" (what mechanism is used to determine answers for a given
>> prefix, and what is the failure mode if the wrong address is used?), and
>> (b) how the client is supposed to actually work with this mechanism
>> (seems to me an unmodified client will probably make a mess of things?).
>
> The idea with CDNs is that you put the content close to the edge and
> give different answers using DNS or HTTP depending on where the client
> is. By doing this, you can balance the load across the right number of
> servers in the right data centers, and avoid transporting the same
> traffic over the backbone many times.

Yeah, I am aware of the basic concept of a CDN. What I am (was?)
confused about is what it has to do with different DNS answers. I have
only ever used Cloudflare, and they use anycast to do their magic (which
also seems to me like the obvious way to do it; why are people messing
with DNS for this?). Anyhow, consider me educated... :)

In any case, the failure mode of getting a it wrong is a sub-optimal
path being chosen; but if ISP A's DNS server takes five seconds to
respond, we'd get a better result from just using the timely answer from
ISP B's and going over the suboptimal path to get to the content (in
many cases, at least).

>> As for an "ideal" resolver behaviour, to me that would be full recursive
>> resolution from the root inside the home, replicating all queries across
>> all upstreams and picking the best reply (best being something like
>> "first reply that passes DNSSEC validation"). With an "advanced
>> configuration" option somewhere that allows the user to override
>> arbitrary names/zones as they see fit.
>
> This is mostly what the MPvD solution does (minus the override option,
> which I think is out of scope). Queries are sent to all upstreams, and
> the good answer that arrives first is used. What MPvD does _in
> addition_ is to make sure that if ISP A's answer is chosen, then ISP
> A's connection is used to connect to the destination.

But only the client can make that coupling (from DNS reply to connection
attempt). So if we're just filtering the result set based on the address
the client uses (which is how I interpret what you put in the draft),
we're degrading the experience for any client that doesn't know how to
repeat the query from another source address. So we'd effectively be
requiring hosts to support MPvD; and we're not supposed to require host
changes, are we?

> For example, if you really, really want to use connection A, then you
> only try connection B if you don't have a successful connection
> established after 30 seconds, but if you don't care, then you try both
> nearly simultaneously and take the first one to succeed to the point
> where you have completed the https handshake (for example) and
> validated the cert using PKI validation.
>
> You may also want to configure things so that you have a primary and a
> backup connection, and your backup connection is never used for
> certain things, or only used for certain things. E.g., if your backup
> is a cell phone backup that costs more per megabyte, or has a lower
> data cap. Or in some cases just the opposite. This is useful for
> situations where you want to be able to have dual-homing for the sake
> of IoT six-sigma reliability, but don't want to use the backup link
> for anything else, because it's expensive.

I can see how these scenarios make sense for a device that know the
types of connection (like a cell phone with cellular and WiFi links).
Less so in the home, where all the client sees are different prefixes;
in this case, either the network has to enforce policy (like the
failover scenario), or we'll have to communicate more information to the
hosts, which goes back to my point above about host changes...

> Now, as for the "mostly" above, the problem with what you've said is
> that it doesn't scale: if every home does full recursion, that's a
> much larger load on authoritative name servers than currently exists.
> There's a reason why that's not how things are done now. If we were to
> specify this behaviour, there would be substantial pushback from
> dnsop, and I would be participating in that pushback. I don't think
> this would get IETF consensus. This is not to say that you are wrong,
> but the point is that this is the wrong working group in which to have
> that argument.

Right, well, I'm not sure I have the energy to go argue with dnsop on
this one... :) But I can probably live with a mechanism where we just
specify that the user needs to have an option to override the default
behaviour (i.e., add their own DNS servers which take precedence over
whatever we end up specifying).

-Toke