List: unbound-users
Subject: Trusted upstream resolver
From: "Woodworth, John R via Unbound-users" <unbound-users@unbound.net>
Date: 2015-10-29 16:29:06
Message-ID: A05B583C828C614EBAD1DA920D92866BA5DEFF2F@PODCWMBXEX501.ctl.intranet
Hello,
I am involved in a scenario where a satellite link is being used to serve an office and latency is of great concern.

The problem at hand is CNAME resolution which is followed by validation of provided A records. I understand that under normal conditions the A records provided with the initial CNAME response can lead to cache poisoning so they are validated from an authority. However, this leads to doubling the lookup time which typically exceeds 1.5 seconds. Although the difference may seem trivial the additional ~650ms becomes very noticeable by the end users. I've provided a short example below.
0.001 [Client]->[Resolver]->A?www.example.com
0.002 [Resolver]->X[Auth]->A?www.example.com
0.758 [Auth]->X[Resolver]->CNAME:www2.example.com+1.2.3.4
0.761 [Resolver]->X[Auth]->A?www2.example.com
1.622 [Auth]->X[Resolver]->A:1.2.3.4
1.625 [Resolver]->[Client]->A:1.2.3.4
NOTE: X == Satellite Link
My thought is to use another nameserver at the other end of the link which can provide this validation feature but is "trusted" by the near-end nameserver, reducing the RTT for local clients. As an aside, the far-end nameserver already exists for other purposes. I've provided a short example of this idea below.
0.001 [Client]->[Resolver]->A?www.example.com
0.002 [Resolver]->X[Resolver2]->A?www.example.com
0.288 [Resolver2]->[Auth]->A?www.example.com
0.290 [Auth]->[Resolver2]->CNAME:www2.example.com+1.2.3.4
0.292 [Resolver2]->[Auth]->A?www2.example.com
0.301 [Auth]->[Resolver2]->A:1.2.3.4
0.655 [Resolver2]->X[Resolver]->A:1.2.3.4
0.659 [Resolver]->[Client]->A:1.2.3.4
NOTE: X == Satellite Link
Is there a configuration option I am overlooking to disable these A record validations (from Resolver to Resolver2)?
Thanks,
John
--
John Woodworth CenturyLink, Inc.
Q. Can BULK DNS Handle 18 Quintillion PTR Records??
A. BULK CAN (18,446,744,073,709,551,616 +)
[ http://tools.ietf.org/html/draft-woodworth-bulk-rr-00 ]
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
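The arrangement John describes, a near-end resolver that hands every query to a resolver on the far side of the link instead of iterating across it itself, is what Unbound calls a forward zone. The fragment below is an added illustration of that setup and is not taken from the original post or from the Unbound project; the addresses 10.0.0.2, 10.0.0.0/24 and 192.0.2.53 are assumed placeholders for the near-end resolver, the office network and Resolver2.

```conf
# Added example: near-end Unbound ("Resolver") forwarding all queries across the
# satellite link to the far-end resolver ("Resolver2"). Not from the original
# post; every address below is an assumed placeholder.
server:
    interface: 127.0.0.1
    interface: 10.0.0.2                 # assumed LAN address of the near-end resolver
    access-control: 10.0.0.0/24 allow   # assumed office network
    # Keep DNSSEC validation on the near end: a forwarder returns RRSIG/DNSKEY
    # data when asked, so relying on Resolver2 for transport does not require
    # relying on it for the correctness of signed answers.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Refresh popular records before they expire so the link RTT is paid in the
    # background rather than on a client's critical path.
    prefetch: yes

# Send every query to Resolver2; the CNAME target lookup then happens on the
# low-latency side of the link, and the near end sees one round trip per query.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53            # assumed address of Resolver2
    forward-first: no                   # never fall back to iterating across the link
```

With this in place the near-end resolver performs no iteration of its own, so the second timeline in the post (one crossing of the link per query) is what clients observe for anything not already cached. The trade-off to keep in view is that Resolver2 becomes the single source of every unsigned answer the office sees, so the far-end host and the path to it are now inside the trust boundary; leaving validation enabled locally limits that exposure to zones that are not DNSSEC-signed.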