RE: [DNSOP] Solicit feedback on the problems of DNS for Cloud Resources described by the draft-ietf-rtgwg-net2cloud-problem-statement
Linda Dunbar <linda.dunbar@futurewei.com> Wed, 12 February 2020 22:43 UTC
Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDDF012001E; Wed, 12 Feb 2020 14:43:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b-3C1T32qDPV; Wed, 12 Feb 2020 14:43:36 -0800 (PST)
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (mail-eopbgr700124.outbound.protection.outlook.com [40.107.70.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21D0112001B; Wed, 12 Feb 2020 14:43:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ld8uu3pNKJjTbPuXm9r/lmpLTftYkBiKjKvQcxIPHeLqte0Eycwlv6fqbPXpy84neo5PX6hEG7MlNS3N443Tq3Mni6HXtm8j8IQbNbq6wm+3nzmeEVGA8H/zR60FPwqXGugXxl8qV3I6sRuSYaj+cry+dsKEHIzyF4MNpWbo3QVrlODos3N3dvqEMfwYrfHDQQH0kDqxfF6XPEKPvS4qmmtai6ByMD0QE91MKzz5FkcaszM9rpSo/lZJ+eMtiB4xrf8WbiC3UzJTvJO/ZZcoGMnpmUegtPr+3epYkKY47HfudqCquE5/qKQoKfD3VClso6ij2Twep8AjEAhE06cc1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3B/V0C8r3YyKSELPijp5eRAQmOR+5HJ2IZb3LetLhOI=; b=JaBmrAz7WF09RZEgpZQrIubiy22ltbdjty74WHunEIZ2hV5bpzpxc/9bbBhcbBFrG3AeaCfAL+ebWR5FXvCc4/VcESsYJVZnoujzXC/3WX5Pu0cNrxvgMqpFFhgo/uRo1L14MT/nWDhQf1nB2UshoxkZ2rC/UhSk+O/68AkY2uvP9ZFs392MHjCmsPVOULg35Q2vS0OFX1H348j19NCCg3CheIDFAJo2s4PjeY3DfGgbsl2aZ46kK0ISlL8MpZaUwbhn0rCMl8EkBi70hSJYR+06U6CePx12k7kVCT6pbwSSW5dgdAvCiYA13hLdlrSCBLDVD2hI56XPt5wTPiRqQA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3B/V0C8r3YyKSELPijp5eRAQmOR+5HJ2IZb3LetLhOI=; b=kg24SS/1ILpv5kB7Y+jbTDWs2wSSeMRwR0MCcXZspLXPM8s+HiiuvmLdDa8b2VQffO4w91tqIefL19uolCSfQhQkmnhSUUzjlxxY6RJIWS0qU8F9C5jocRKMnogd7qs74hzltf5DSFCybK/utL0t1pyXOq6Elw+QGXeK4bqotSE=
Received: from MWHPR1301MB2096.namprd13.prod.outlook.com (10.174.170.35) by MWHPR1301MB1950.namprd13.prod.outlook.com (10.174.171.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2729.19; Wed, 12 Feb 2020 22:43:07 +0000
Received: from MWHPR1301MB2096.namprd13.prod.outlook.com ([fe80::e893:a912:1d3a:5a33]) by MWHPR1301MB2096.namprd13.prod.outlook.com ([fe80::e893:a912:1d3a:5a33%6]) with mapi id 15.20.2729.021; Wed, 12 Feb 2020 22:43:07 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Paul Vixie <paul@redbarn.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Paul Ebersman <ebersman-ietf@dragon.net>
CC: RTGWG <rtgwg@ietf.org>
Subject: RE: [DNSOP] Solicit feedback on the problems of DNS for Cloud Resources described by the draft-ietf-rtgwg-net2cloud-problem-statement
Thread-Topic: [DNSOP] Solicit feedback on the problems of DNS for Cloud Resources described by the draft-ietf-rtgwg-net2cloud-problem-statement
Thread-Index: AdXhDgZ3FNT4wyuhTVyPeuEWPmJf/gAGVoPAAApVdIAAJ8eB8A==
Date: Wed, 12 Feb 2020 22:43:07 +0000
Message-ID: <MWHPR1301MB2096353670EF6BE8F2629F2D851B0@MWHPR1301MB2096.namprd13.prod.outlook.com>
References: <BN6PR1301MB2083B6F88FDE9A0A4EA2384985180@BN6PR1301MB2083.namprd13.prod.outlook.com> <BN6PR1301MB20839C511BDF230D79658BF485180@BN6PR1301MB2083.namprd13.prod.outlook.com> <1698737.Wqn7rEUb4T@linux-9daj>
In-Reply-To: <1698737.Wqn7rEUb4T@linux-9daj>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: [199.187.220.18]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 861571b6-e917-4785-4ddd-08d7b00cede3
x-ms-traffictypediagnostic: MWHPR1301MB1950:
x-microsoft-antispam-prvs: <MWHPR1301MB19501CCFE1F105A57C558655851B0@MWHPR1301MB1950.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0311124FA9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(39850400004)(366004)(376002)(346002)(396003)(136003)(199004)(189003)(4326008)(52536014)(26005)(186003)(55016002)(2906002)(9686003)(7696005)(6506007)(33656002)(8936002)(64756008)(66556008)(966005)(316002)(30864003)(110136005)(8676002)(5660300002)(44832011)(86362001)(478600001)(76116006)(81166006)(66476007)(81156014)(45080400002)(71200400001)(66446008)(66946007)(71440200001); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR1301MB1950; H:MWHPR1301MB2096.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vg1CUjGwdOPbtZnUT8IVMJtu83LEcLUs0hEfsSq9rgV2eXH7NWV5yW87py5qVGSNuEVP9cCxLuudoBSOOYkfCxRfFCxLakxqS+KqQyulT3LrgMk3v6yUVtMgqF7m0vVrgXq7hrw6JIahTUeU9deLWYEtsEam+LUj++6Kv6+Q/mt8IhQp57lawwbTpsl8ELc14yw+sNF90R684FYM/gMHYzRODRX+U4OMUmuj2QAXSUnUdt/aGQO9HeuPBo/ESbhaU+KrEuZptVFtewD7oUtD5A9//eVDG3VNu7w/e9EuCkQKsrhcogDdrjuTASTV9j8GmMW1L20FhW9VW7Ll0yI5Qu1AMy+OrcezgAKnUhnzEiinpFxvvFP/toKaJPK1YZBUqQaxvLkpmfqioT8rKLRN4BZIoN32ofDS0Hhackmb5DkXnpFzGmmz9nRYQz1Q/K293q2b8i2A5CW4WBN97aa6ZPlQain2jf0ez89dvYiotkW1r3wTPjAoo6dsQBRiGt3a
x-ms-exchange-antispam-messagedata: +jMWrApUjHpx7M7i54Y+u2jE+OOtFlZ5MJtw15Gwq/zJCLlmWNZzb/Llf803lm8mZbIP7c5tm6Obd4f04Z18r72ou0E5GRMWEdY7hndA7xNNTGTSh/iGo0OVGPcFfk80VBmnjNkddHvCI7ss3w00MQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MWHPR1301MB2096353670EF6BE8F2629F2D851B0MWHPR1301MB2096_"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 861571b6-e917-4785-4ddd-08d7b00cede3
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Feb 2020 22:43:07.2637 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hvHArhJdv1cBPYU299+Dj5HDeufVkyqwk4hpha1DLOrCBCYjEzHnjCgJLvm++/4m+eUWOLYmI4n1FkBOHdNIUA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR1301MB1950
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/HfdL-j5Yv9WY-reOWKAdx3GNgoI>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2020 22:43:39 -0000
Paul,
Thank you very much for pointing out the potential collision and conflicts when globally unique names are not used for cloud resources. I am copying to RTGwg@ietf.org<mailto:RTGwg@ietf.org> so that the WG is aware of those issues. By the way, your email to RTGwg@ietf.org<mailto:RTGwg@ietf.org> will be posted after the RTGwg manually permit the post. So you don't need to remove the email in your reply.
As for why not use globally unique names: Most Cloud resources are internal to the Cloud DC, therefore, they often use private addresses and private names.
This document is meant to describe potential problems of utilizing Cloud Resources. It is a good idea to document the potential collisions and conflicts and recommend Globally unique names. How about adding the following sentences to the section?
------
However, even with carefully managed policies and configurations, collisions can still occur. If you use an internal name like .cloud and then want your services to be available via or within some other cloud provider which also uses .cloud, then it can't work. Therefore, it is better to use the global domain name even when an organization does not make all its namespace globally resolvable. An organization's globally unique DNS can include subdomains that cannot be resolved at all outside certain restricted paths, zones that resolve differently based on the origin of the query and zones that resolve the same globally for all queries from any source.
Globally unique names do not equate to globally resolvable names or even global names that resolve the same way from every perspective. Globally unique names do prevent any possibility of collision at the present or in the future and they make DNSSEC trust manageable. It's not as if there is or even could be some sort of shortage in available names that can be used, especially subdomains and the ability to delegate administrative boundaries are considered.
Thank you very much.
Linda Dunbar
-----Original Message-----
From: Paul Vixie <paul@redbarn.org>
Sent: Tuesday, February 11, 2020 9:01 PM
To: dnsop@ietf.org; Paul Ebersman <ebersman-ietf@dragon.net>
Cc: Linda Dunbar <linda.dunbar@futurewei.com>
Subject: Re: [DNSOP] Solicit feedback on the problems of DNS for Cloud Resources described by the draft-ietf-rtgwg-net2cloud-problem-statement
On Tuesday, 11 February 2020 22:21:05 UTC Linda Dunbar wrote:
> ...
>
> https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdata
> tracker.ietf.org%2Fdoc%2Fdraft-ietf-rtgwg-net2cloud-problem-statement%
> 2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cea9257cce73245145
> 05a08d7af67db4b%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C1%7C637170732
> 927513090&sdata=xvnMh3OYhHfS1G7%2BEU3ERvK6OmHAsoBvsel6YzZl81c%3D&a
> mp;reserved=0
>
> During IETF 106, we received comments that the document should cover
> the problems associated with DNS service by different Cloud Operators
> for Enterprise to utilize Cloud Resources even though DNS is not
> within the scope of IETF routing area. We greatly appreciate DNS
> experts to provide comments to our description.
you've addressed this e-mail to two mailing lists (dnsop@ and rtgwg@) which you are a member of, and both will accept and publish your e-mail. however, some of us here are members of only one of those mailing lists (me, dnsop@), and won't be able to participate in whatever threads may occur on the other mailing list (me, rtgwg@). so, i am removing rtgwg@ from my reply here.
> 3.4 DNS for Cloud Resources
> DNS name resolution is essential for on-premises and cloud-based resources.
> For customers with hybrid workloads, which include on-premises and
> cloud-based resources, extra steps are necessary to configure DNS to
> work seamlessly across both environments. ...
you may not realize it, but that is an astonishing statement. i'll explain below.
> ... Cloud operators have their own DNS to resolve resources within
> their Cloud DCs and to well-known public domains.
> Cloud's DNS can be configured to forward queries to customer managed
> authoritative DNS servers hosted on-premises, and to respond to DNS
> queries forwarded by on-premises DNS servers. ...
while this is an obvious approach for each and every cloud service operator, it depends on lock-in, is not multi-cloud ready, and cannot be made so within the DNS paradigm or using any of the common layers added to that paradigm.
DNS is currently viral, if you can look up anything at all global, then you can look up everything global. cutouts for non-global names are quite common especially when accompanied by NAT. however, collisions cannot be managed this way. you can have some names (like .cloud or .corp or .internal) visible within your network as long as they aren't also used globally, because there is no way to discriminate which collision-name is wanted, other than by client-ip address and even that is nonstandard, relying on DNS vendor extensions.
similarly, if you use an internal name like .cloud and then want your services to be available via or within some other cloud provider which also uses .cloud, then there can be no discriminator, and so it can't work. this is why most names are global -- there can be no collisions that way. even with large NAT buildouts, it's become common to use the global domain name both internally and externally, and to simply provide different views of that global domain name internally vs. externally.
this was explored 25 years ago: https://nam03.safelinks.protection.outlook.com/?url=http:%2F%2Ffamily.redbarn.org%2F~vixie%2Fproxynet.pdf&data=02%7C01%7Clinda.dunbar%40futurewei.com%7Cea9257cce7324514505a08d7af67db4b%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C1%7C637170732927513090&sdata=%2FzrBVSfi5L13cbWGdv4bcKgBPE2vSioKdrSLymRFsq4%3D&reserved=0
can you explain why the simple answer (use unique global names for each cloud
resource) isn't reachable by your proposal?
> ... For enterprises utilizing Cloud
> services by different cloud operators, it is necessary to establish
> policies and rules on how/where to forward DNS queries to. ...
if the names are local, and never collide, this has been possible in one vendor's DNS implementation for about 20 years, and is variously possible in others. however, this became much more difficult in the DNSSEC era.
if the names are local and may collide, no coherent set of policies or rules about how/where to forward DNS queries will be possible.
if the names are global then they will be unique and DNS itself will handle the decision of how to route questions to the right authority servers.
> ... When
> applications in one Cloud need to communication with applications
> hosted in another Cloud, there could be DNS queries from one Cloud DC
> being forwarded to the enterprise's on premise DNS, which in turn be
> forwarded to the DNS service in another Cloud. Needless to say,
> configuration can be complex depending on the application communication patterns.
it is that complexity that prohibits scale. are you suggesting that the DNS paradigm be expanded to include automated context-dependent naming? i imagine it would look something like BGP4, but for names rather than addresses. but first i hope you can explain why the simpler and existing viral DNS paradigm (all names are global and unique) is unacceptable for your purpose.
thanks for bringing your question here, and thanks to otherpaul and suz for what appears to have been vital outreach.
--
Paul
- Solicit feedback on the problems of DNS for Cloud… Linda Dunbar
- Re: [dnssd] Solicit feedback on the problems of D… David Schinazi
- Solicit feedback on the problems of DNS for Cloud… Linda Dunbar
- RE: [DNSOP] Solicit feedback on the problems of D… Linda Dunbar
- RE: [DNSOP] Solicit feedback on the problems of D… Linda Dunbar
- Re: [DNSOP] Solicit feedback on the problems of D… Paul Vixie
- RE: [DNSOP] Solicit feedback on the problems of D… Morizot Timothy S
- RE: [DNSOP] Solicit feedback on the problems of D… Linda Dunbar
- Re: [DNSOP] Solicit feedback on the problems of D… Scott Morizot
- RE: [DNSOP] Solicit feedback on the problems of D… Linda Dunbar