> On 11 Jun 2020, at 08:44, Alessandro Ghedini <alessan...@ghedini.me> wrote:
>
> On Mon, Apr 20, 2020 at 11:02:00PM -0400, Ben Schwartz wrote:
>> On Mon, Apr 20, 2020 at 9:25 PM Eric Orth <ericorth=
>> 40google....@dmarc.ietf.org> wrote:
>>
>>>>>> 8. Maybe I'm missing something, but the following sentence in Section
>>>>>> 6....4 seems
>>>>>> wrong:
>>>>>>
>>>>>> When SvcDomainName is ".", server operators SHOULD NOT include these
>>>>>> hints,
>>>>>> because they are unlikely to convey any performance benefit.
>>>>>>
>>>>>> My understanding is that ipv4hint and ipv6hint are the way to solve the
>>>>>> ESNI
>>>>>> multi-CDN problem, so let's say I have "www.example.net" that CNAMEs
>>>>>> to both
>>>>>> "cname.cdn-a.example" and "cname.cdn-b.example". A client queries both
>>>>>> A and
>>>>>> HTTPSVC concurrently for "www.example.net", and receives two answers
>>>>>> (the answer
>>>>>> to the A query points to CDN A, while the answer to HTTPSSVC points to
>>>>>> CDN B):
>>>>>>
>>>>>> www.xample.net 3600 IN CNAME cname.cdn-a.example
>>>>>> cname.cdn-a.example 3600 IN A 192.0.2.1
>>>>>>
>>>>>> and
>>>>>>
>>>>>> www.xample.net 3600 IN CNAME cname.cdn-b.example
>>>>>> cname.cdn-b.example 3600 IN HTTPSSVC 1 . alpn=h3 esniconfig="..."
>>>>>>
>>>>>> My understanding is that in this case the client could end up
>>>>>> connecting to
>>>>>> 192.0.2.1 (CDN A) with CDN B's ESNI config (or e.g. with the wrong
>>>>>> ALPN). So if
>>>>>> the server doesn't provide IP hints there would indeed be impact on
>>>>>> performance
>>>>>> because the client would just straight up fail to connect initially
>>>>>> (e.g. maybe
>>>>>> CDN A doesn't support HTTP/3, but CDN B's HTTPSSVC says the client can
>>>>>> use it,
>>>>>> or just because of the wrong ESNI config).
>>>>>>
>>>>>> Long story short, I don't think the text should discourage setting
>>>>>> ipv4hint and
>>>>>> ipv6hint here. I get that it's SHOULD NOT and not MUST NOT, but it's
>>>>>> pretty
>>>>>> confusing nevertheless.
>>>>>>
>>>>>
>>>>> I don't think the hints are intended for this problem. I think the
>>>>> general design idea is that A/AAAA are the definitive address results for
>>>>> a
>>>>> given name, and clients can just optionally shortcut querying A/AAAA if
>>>>> given hints.
>>>>>
>>>>> In your example, I believe the "." HTTPSSVC entry indicates that the
>>>>> A/AAAA addresses for "cname.cdn-b.example" should be used, so it doesn't
>>>>> seem like there is a multi-CDN problem. The correct addresses for the
>>>>> correct CDN are used.
>>>>>
>>>>> But I think this might point out a potential problem with skipping hints
>>>>> for "." results. If the HTTPSSVC result passes through a CNAME, a
>>>>> non-HTTPSSVC-supporting recurssive will handle the CNAME, but not lookup
>>>>> A/AAAA for the HTTPSSVC.
>>>>>
>>>>
>>>> I don't think this can happen. Any CNAME that affects HTTPSSVC will also
>>>> affect the corresponding A/AAAA queries, which are always issued
>>>> simultaneously and to the same QNAME.
>>>>
>>>
>>> alessandro@'s case was for multiple CNAME's and a recursive with behavior
>>> that could follow those in different directions for the different
>>> requests. Not technically legal, but the more important question here is
>>> whether or not significant instances behave in this non-standard way. If
>>> they do, this will lead to a situation where hints would be beneficial even
>>> for "." records.
>>>
>>
>> Thanks for the explanation. I would prefer to warn against this, rather
>> than encourage more use of hints. When SvcDomainName is ".", I think not
>> including hints is going to perform better on average, even in the case of
>> multiple CNAMEs, because the split-CNAME cases should be very rare (due to
>> caching), but the hints add overhead to every response. They can also
>> impair load balancing if managed poorly.
>
> I had to step away from HTTPSSVC for a bit due to other priorities (hence the
> delay in responding), but I've been thinking about this some more and I see
> another potential case where the A/AAAA and HTTPSSVC records might diverge.
>
> Given the following records:
>
> www.example.net 3600 IN A 192.0.2.1
> www.example.net 3600 IN HTTPSSVC 1 . alpn=h3 echconfig="..."
>
> * At time T, user A queries a resolver for the www.example.net A record, so
> the
> resolver fetches it from the auth server and caches it.
>
> * At time T+5m, user B queries the same resolver for both A and HTTPSSVC
> records. The resolver serves the A record from cache, and fetches HTTPSSVC
> from the auth server (and caches it).
>
> * The administrator of www.example.net now decides to move the zone to a
> different provider (either manually or with some automatic DNS
> load-balancer),
> with the following records:
>
> www.example.net 3600 IN A 192.0.4.1
> www.example.net 3600 IN HTTPSSVC 1 . alpn=h2
>
> * At time T+1h+1s, user C queries the same resolver for both A and HTTPSSVC,
> the cache entry for A expired so the resolver fetches it again (this time
> pointing to the new provider), while HTTPSSVC is still served from cache.
>
> So, unless I'm yet again missing something here, it seems to me that user C
> ends
> up with the A record from the new provider, while HTTPSSVC comes from the old
> provider. And since it has echconfig, the client is not allowed to fallback,
> so
> it will be unable to connect to www.example.net until the HTTPSSVC cache
> expires.
Well firstly if you are going to be using providers, use their domain names in
the HTTPSSVC records. The above configuration is more for self hosting.
Secondly nothing is instantaneous in the DNS as it is a loosely coherent system
and you take that into account when moving providers. i.e. there needs to be
overlap.
> This seems like a more important failure scenario, as it would mean that
> moving
> away from any provider that supports ECH will inevitably lead to downtime for
> at
> least a portion of the zone's traffic until cache entries expire. So, what am
> I
> missing here?
>
> Also, speaking for my original CNAME scenario, I dug out the old discussion on
> ESNI and multi-CDN setups
> https://github.com/tlswg/draft-ietf-tls-esni/issues/35
> which seems to indicate that this is actually a fairly common setup. IIRC this
> is what then prompted the addition of the "Address Set" extension in the ESNI
> DNS record https://github.com/tlswg/draft-ietf-tls-esni/pull/136 which was
> then
> replaced by HTTPSSVC, and at the time I had (mistakenly it seems) assumed that
> the HTTPSSVC IP hints were intended to solve the same problem.
>
> I'd be happy to provide text changes around this btw, though it's probably
> better if we first agree on _what_ needs to be fixed, if anything.
>
> Cheers
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
