Re: [Resolverless-dns] Load-balancing concerns

Dave Lawrence <> Thu, 08 November 2018 06:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0FD7A130DE2 for <>; Wed, 7 Nov 2018 22:33:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QoSpq07W6DlZ for <>; Wed, 7 Nov 2018 22:33:47 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 337A012D4ED for <>; Wed, 7 Nov 2018 22:33:47 -0800 (PST)
Received: by (Postfix, from userid 102) id 87FB332894; Thu, 8 Nov 2018 01:33:45 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <>
Date: Thu, 8 Nov 2018 01:33:45 -0500
From: Dave Lawrence <>
In-Reply-To: <>
References: <>
Archived-At: <>
Subject: Re: [Resolverless-dns] Load-balancing concerns
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 08 Nov 2018 06:33:49 -0000

Justin Henck writes:
> Some people mentioned load-balancing concerns during the meeting.
> Ben Schwartz pointed out to me that if a potential solution included
> DNSSEC, then the server would have to push an entire RRSET.  If we
> combine that with random IP selection by clients and AltSvc to solve
> geographical misdirection, would that alleviate load balancing concerns?

I'm afraid I don't understand the connection you're making.  What does
the setup, "would have to push an entire RRSET", have to do with the
rest of "If we combine that..."?  I'm not clear on how DNSSEC makes
any difference at all in this particular problem.

My guess is that you are imagining a situation where all possible
addresses that clients could receive are put into one A or AAAA
RRset.  This isn't the way most such systems work though.

For example, one CDN puts only the addresses it wants a particular
client to use into the answer, with the appropriate signature.  If you
then learned addresses for another client, with its own signature for
the RRSet, there's no way to combine those different answer sets into
one and still have it validate.  

Even if you could combine them, random selection would then largely
defeat the way the CDN is trying to direct traffic, but for the
occasions where the random guess was right.

Of course, a DoH server which has used EDNS Client Subnet (or some
other internal mechanism) to know appropriate client-based answers can
just use the appropriate RRset and signature and be as true to the
load-balancing and geo-redirection intents as if the client had just
asked through conventional DNS.  If the DoH server can't do ECS or
otherwise have mapping information from the authority, any customized
answers it gets will be resolver-mapped just like a client talking to
any traditional non-ECS resolver. It's really hard to imagine how it
could be otherwise without even more significant changes to the way
things are done now, far beyond random IP selection.