Re: Some thoughts/comments on draft-gont-6man-slaac-dns-config-issues-01
Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Fri, 17 April 2015 00:52 UTC
Return-Path: <markzzzsmith@yahoo.com.au>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A39F1A7009 for <ipv6@ietfa.amsl.com>; Thu, 16 Apr 2015 17:52:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.202
X-Spam-Level: ***
X-Spam-Status: No, score=3.202 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, HK_RANDOM_REPLYTO=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NnWHwHE8Tfii for <ipv6@ietfa.amsl.com>; Thu, 16 Apr 2015 17:52:53 -0700 (PDT)
Received: from nm40-vm4.bullet.mail.bf1.yahoo.com (nm40-vm4.bullet.mail.bf1.yahoo.com [72.30.239.212]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8825A1A700C for <6man@ietf.org>; Thu, 16 Apr 2015 17:52:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.au; s=s2048; t=1429231972; bh=XMWkvDg/anoDVFhSsOaMJZQJes32pF7eUwRa1/iN8oY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=dxPg8mqYt+lEhKXEotuL36OXfkP2iq4ladayKP9NLsKmTX4elfzAgqUnPpppeZ3Ra50OnWCLAck5CGBEokqsRlaVjbvdJEkWxL2gti3AF8JLGzc2f1w5PCBtvY+bbwUA3XYBvNmlG/SnYv5WAVoY3W7fX5OE1vKi3uwT12Jj8rzjsufslhNnefan9JJwC/IOYLJZWxKuZtCxofnJnH23xY6eiQzRjdbvXPO2OYcSjQnYre2F/ROKoGcT2b50vI+6+47KkMeaAGk0AxebmKlveFKwtbg3Qbm6Vc3qa9djSSwFvZNrInc/LfeqJkgz2mxnhdznZ7A94Zpf1/7Vr8/ENg==
Received: from [98.139.214.32] by nm40.bullet.mail.bf1.yahoo.com with NNFMP; 17 Apr 2015 00:52:52 -0000
Received: from [98.139.215.251] by tm15.bullet.mail.bf1.yahoo.com with NNFMP; 17 Apr 2015 00:52:52 -0000
Received: from [127.0.0.1] by omp1064.mail.bf1.yahoo.com with NNFMP; 17 Apr 2015 00:52:52 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 743535.25283.bm@omp1064.mail.bf1.yahoo.com
X-YMail-OSG: 3otH1I8VM1nrFoMoA_OhniwQOOnxuNXkEH9Rf4YeXllj8wGb8m9nrBUJgdQZrPS 7v1Pax8umyaD4ITAD62bDgbsv.rzGxzGYA5d_LpW_yqjhzPfIjOa3hPJ4NOiQeGbNkHEEeVcChYu 7PwjDESzrVE1bdywCV667BA8V._Kc13hfPWW43eWoeD2lP0BB4WG9rpdDgPDr2MhYIhCyfEDTfsO MSXsfLVY5I4qqJL9zA_GJ.fTwyaYYwTvSWc1dV6fJ2AJypOZSxvyyUOvz9VP6md39EkcptmD0Vn_ hH5fiNppgGRHGezx2Kd11YpArfEehzj16ahMVVCJggcTCibLYLzVkwj4bEmLRaDPNzSIHxCFVNnk GVWHm5U9RBqh58s2af9pMXmq4Hx6OkCS7Qk5.9kMOYAJOeu7xWUGMWkPh_qmxw.0JYkzrsmrvyUL ZlGb.8O6o_8JeEvtclCz_69agnn31qIrlDllAHoqXvW2tGUmLb.3.pww9750RrEuRnezn6mISrXB K0YV99koSvxFYOIQvv6apQmYwM025ZwmUUWpYrwkF5mY-
Received: by 76.13.27.69; Fri, 17 Apr 2015 00:52:52 +0000
Date: Fri, 17 Apr 2015 00:52:51 +0000
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: "fgont@si6networks.com" <fgont@si6networks.com>, "pavlix@pavlix.net" <pavlix@pavlix.net>, "liushucheng@huawei.com" <liushucheng@huawei.com>
Message-ID: <922402387.5845419.1429231971293.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1059223520.4994623.1429165351434.JavaMail.yahoo@mail.yahoo.com>
References: <1059223520.4994623.1429165351434.JavaMail.yahoo@mail.yahoo.com>
Subject: Re: Some thoughts/comments on draft-gont-6man-slaac-dns-config-issues-01
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_5845418_1122128710.1429231971286"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/pSBFziWKVKxjcpAXW413s7MIKnY>
Cc: "6man@ietf.org" <6man@ietf.org>, "marka@isc.org" <marka@isc.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2015 00:52:58 -0000
Fernando suggested I should have also CC'd 6man for further discussion/comments.
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: "fgont@si6networks.com" <fgont@si6networks.com>; "pavlix@pavlix.net" <pavlix@pavlix.net>; "liushucheng@huawei.com" <liushucheng@huawei.com>
Cc: "marka@isc.org" <marka@isc.org>
Sent: Thursday, 16 April 2015, 16:22
Subject: Some thoughts/comments on draft-gont-6man-slaac-dns-config-issues-01
Hi,
CC'ing Mark Andrews, because he is one of the DNS experts I'm aware of, so it would be good to get his input.
I'm having a read though, here are some thoughts/comments I have on it. Pay attention to or disregard at will!
1. Introduction~~~~~~~~~~~~~~~
Regarding this discussion:
"The recommended bounds (MaxRtrAdvInterval <=
Lifetime <= 2*MaxRtrAdvInterval) have been found to be too short for
scenarios in which some Router Advertisement messages may be lost.
In such scenarios, hosts may fail to receive unsolicited Router
Advertisements and therefore fail to refresh the expiration time of
the DNS-related information previously learned through the RDNSS and
DNSSL options), thus eventually discarding the aforementioned DNS-
related information prematurely."
I think the more important thing to point out is that, as per RFC4861, Router Lifetime,
"The Router Lifetime applies only to
the router's usefulness as a default router; it
does not apply to information contained in other
message fields or options."
and,
"Options that need time limits for their information include their own
lifetime fields."
which means that option lifetime values are or should be independent of the Router Lifetime value and its upper or lower value constants (e.g MaxRtrAdvInterval)
In other words, state that the RDNSS and DNSSL lifetimes should have never been derived or limited to the RAs Router Lifetime value, and also observe that what has been specified in RFC6106 has caused the issues mentioned.
2. Changing the Semantics of the 'Lifetime' field of RDNSS and DNSSL options
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'd suggest adding (enclosed in **s)
"o The 'Lifetime' field indicates the amount of time during which the
aforementioned DNS-related information is expected to be stable.
A node is NOT required to discard the DNS-related information once
the Lifetime expires. ** The RDNSS and DNSSL Lifetime field values are now completely independent of the RA's Router Lifetime field value. ***"
to make this independence very clear.
I think it would also be worth pointing out, perhaps as a second paragraph to this point, that the DNS resolver in the client will take actions to deal with unreachable DNS servers, in the case where the DNS information hasn't been discarded despite the RDNSS option lifetime having expired. In other words, the RDNSS lifetime value is not the absolute indication of whether a DNS server is useful or not, and the resolver will determine that by actively attempting to use the DNS server. Perhaps that means that the text should be changed to
"A node is SHOULD NOT discard the DNS-related information once the Lifetime expires."? (which I suppose almost makes the RDNSS option lifetime value redundant?!)
"o If a host has already gathered a sufficient number of RDNSS
addresses (or DNS search domain names), and additional data is
received while the existing entries have not yet expired, the
received RDNSS addresses (or DNS search domain names) SHOULD be
ignored."
I don't think the same rule for RDNSS can be also applied to the DNSSL options.
In the case of RDNSS, the assumption would be that all of the DNS servers supplied in the RDNSS option can provide equivalent DNS resolution service. For example, ignoring 2 out of 5 should not cause any issues, because the remaining 3 should provide equivalent service to the ignored 2.
However, for DNSSL, I think ignoring some of them might cause failures, because the options are not providing equivalent values. For example, say DNSSL:example.com and DNSSL:example.org were accepted, but DNSSL:example.net was ignored. If 'www' was looked up, and 'www.example.net' was the only entry that should have matched, ignoring DNSSL:example.net would cause a lookup of 'www' to fail to match on 'www.example.net'. I think the resolver would then do a root lookup of 'www.' and that would either fail too or return something not intended.
"o If a host receives new RDNSS addresses (or DNS search domain
names), and some of the existing entries have expired, the newly-
learned information SHOULD be used to replace the expired entries."
I think similar to above applies, different newer DNSSL option values aren't replacements for older, expired DNSSL option values. Expired DNSSL options should probably be thrown away when they expire.
"o A host SHOULD flush configured DNS-related information when it has
any reason to believe that its network connectivity has changed in
some relevant way (e.g., there has been a "link change event").
When that happens, the host MAY send a Router Solicitation message
to re-learn the corresponding DNS-related information."
Perhaps another signal to trigger this could be repeated failed attempts by the DNS resolver to use the majority or probably all of the existing DNS server IPv6 addresses?
3. Changing the Default Values of the 'Lifetime' field of RDNSS and DNSSL options
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Firstly, this is probably also a section where pointing out that the DNS resolver will make its own liveness tests/attempts to overcome the sorts of packet loss mentioned.
Regarding this,
"
[RFC6106] is hereby updated as follows:
The default value of AdvRDNSSLifetime and AdvDNSSLLifetime MUST be
at least 10*MaxRtrAdvInterval so that the probability of hosts
receiving unsolicited Router Advertisements is increased."
I'm in two minds. On the one hand, I like the idea of having an automated default that is relative to the perceived level of packet loss that might occur. On the other hand, as before, Router Lifetime and its upper and lower limits are not general "whole of RA" lifetime constraints or RA robustness parameters.
Perhaps the middle ground would be to define a specific constant and then note that it is the 10 times the value of MaxRtrAdvInterval, specified in RFC4861. This would allow the specific constant to be changed at a later time if necessary, or allow the operator to change the value, without being constrained to it being 10*MaxRtrAdvInterval (that is, if it is defined as a formula, then in code it probably wouldn't be made an independently settable parameter, it'd just be calculated based on the current value of MaxRtrAdvInterval).
4. Use of Router Solicitations for active Probing~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I don't think the RDNSS and DNSSL RFC should have said anything about this, as more generally, the problem is one of RA robustness, independent of what particular options are in the RA. Theoretically, different RA options could define their own RA robustness methods that could end up being incompatible with each other.
So perhaps it might be better to say that RA robustness is not specific to RDNSS and DNSSL options, and refer to a more general mechanism, if it exists (?), regarding triggering RSes to seek new option values (hmm, I don't remember reading anything specific about it, but perhaps that means that RA option lifetimes are always greater than the unsolicited RA interval to ensure option lifetimes are always refreshed before they expire?)
5. Sanitize the received RDNSS/DNSSL 'Lifetime' Values~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As per above and other RA options, a constant upper limit would be better.
Regards,
Mark.
- Re: Some thoughts/comments on draft-gont-6man-sla… Mark ZZZ Smith
- Re: Some thoughts/comments on draft-gont-6man-sla… Mark Andrews