rrset-roundrobin

Hi all,

We recently got a feature request
(https://github.com/NLnetLabs/unbound/issues/215) to change the default
value of 'rrset-roundrobin' from no to yes.
Given that we don't have strong feelings either way I am reaching out to
you in case you feel opposed to the change.

Please let this not be derailed (too much) to a discussion about the
effectiveness of the feature in different scenarios.

Best regards,
-- George

Please, change the default to yes.

Hi all,

We recently got a feature request
(https://github.com/NLnetLabs/unbound/issues/215) to change the default
value of 'rrset-roundrobin' from no to yes.

i like this idea.

Given that we don't have strong feelings either way I am reaching out to
you in case you feel opposed to the change.

Please let this not be derailed (too much) to a discussion about the
effectiveness of the feature in different scenarios.

order is not supposed to be relied upon, but if order is preserved, then
hidden reliance can creep into the system. the sooner these RRsets are
randomized, the better adapted the whole system will be to lack of order
preservation.

(when i made round-robin the default in BIND4, there was heck to pay, and i
wished it had been done years earlier.)

We recently got a feature request
(https://github.com/NLnetLabs/unbound/issues/215) to change the default
value of 'rrset-roundrobin' from no to yes.

i like this idea.

Me too.

order is not supposed to be relied upon, but if order is preserved, then
hidden reliance can creep into the system.

Funny, I want it mostly because people have a hidden reliance on it
giving a better load balancing for them, when "dumb" DNS consumers will
only pick the first entry of a response.

So I guess my reason to agree with you, does not agree with you :)

Paul

Maybe not send this to mailing lists?
You can select to not auto reply to Precedence: bulk email to implement that

By roundrobin, do you mean rotating the RRset order (by a fixed degree)?
Or randomizing the order? The latter would be better. It has been observed
on the IETF dnsop list in the past, that rotating schemes are a side channel
that could be used to leak information when using encrypted transports. So,
if we want side channel resistance, randomizing is always better.

Shumon Huque.

hey,

We recently got a feature request
(https://github.com/NLnetLabs/unbound/issues/215) to change the default
value of 'rrset-roundrobin' from no to yes.
Given that we don't have strong feelings either way I am reaching out to
you in case you feel opposed to the change.

Yes please

I have operated instances with "rrset-roundrobin: yes" for 8 years.
-> yes from here :)

Andreas

Same :)

11.04.2020 15:40, A. Schulze via Unbound-users writes:

Hi,

I think this is a move toward a better default behavior. These are “sets” (unordered) after all and most people in my experience prefer load to be spread across them as evenly as possible. So having the major resolvers do this out of the box sounds like a good thing.

That said, I would caution that this will likely be a breaking change for some of your customers. Whatever behavior you have today, some people will be reliant on it and surprised when it changes. At my place of work, I have spoken to at least one customer who had an off-the-shelf GSLB setup which returned multi-record answers sorted based on “nearest location first”. In other words, these GSLBs seem to be set up on the assumption the resolver doesn’t alter the order of the rrsets. So, you may surprise some people when the Unbound behavior changes.

I don’t know NLNet’s philosophy on breaking changes, but if you go ahead I’d suggest you publicize this behavior change as visibly as you can. Those who package Unbound for Linux distros etc. might want to think about whether they would prompt upgrading users with a question (like “do you want me to a. alter your config to preserve previous behavior or b. accept the changing default?”).

Gavin

Hi all,

I want to thank you for the input.
It seems that the consensus is to change the default to yes, thus
enforcing the rrset definition of an unordered set.

@Shumon Huque:
Nice suggestion. The dnsop thread from a couple of years ago
[https://mailarchive.ietf.org/arch/msg/dnsop/_diK61t7YmZu_DJvRvUAhvKVSh4/]
was an interesting read.
On your concern about side channel attacks, it is a rotation scheme but
unbound rotates the rrset randomly by using client data (query ID) and
not state on the resolver side; also mentioned in that thread.

@Gavin McCullagh:
All changes per release are communicated to users (this list), package
maintainers (another list), a news item on our website and tweets
linking to said news article. It is then up to the users/maintainers how
to proceed with the changes.

Best regards,
-- George
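
The rotation question raised in the thread (resolver-side state versus client-supplied query ID), as an added example that is not part of the original messages and is not Unbound source code. The two resolver classes are hypothetical, the RRset is constructed from documentation addresses, and taking the offset as the query ID modulo the RRset size is an assumption made for illustration.

```python
from collections import Counter

# Constructed RRset using RFC 5737 documentation addresses.
RRSET = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]

def rotate(rrset, offset):
    """Rotate left by offset; relative order of records is preserved."""
    k = offset % len(rrset)
    return rrset[k:] + rrset[:k]

class CounterResolver:
    """Hypothetical: offset comes from a counter kept on the resolver."""
    def __init__(self, rrset):
        self.rrset, self.counter = list(rrset), 0

    def answer(self, query_id):
        out = rotate(self.rrset, self.counter)
        self.counter += 1  # advanced by every client's query
        return out

class QueryIdResolver:
    """Hypothetical: offset comes only from the client's 16-bit query ID."""
    def __init__(self, rrset):
        self.rrset = list(rrset)

    def answer(self, query_id):
        return rotate(self.rrset, query_id)

def observed_shift(resolver, others, probe_ids=(0x1234, 0x1235)):
    """Shift an observer sees between two of its own answers when `others`
    third-party queries (constructed IDs) arrive in between."""
    first = resolver.answer(probe_ids[0])
    for i in range(others):
        resolver.answer(0x4000 + i)
    second = resolver.answer(probe_ids[1])
    return first.index(second[0])

def first_record_spread(rrset):
    """How often each record is listed first across all 65536 query IDs."""
    return Counter(rotate(rrset, qid)[0] for qid in range(1 << 16))

if __name__ == "__main__":
    for n in range(4):
        print(n, observed_shift(CounterResolver(RRSET), n),
              observed_shift(QueryIdResolver(RRSET), n))
    print(first_record_spread(RRSET))
```

With the counter, the shift between the observer's two answers tracks the number of intervening queries modulo the RRset size; with the query ID, it depends only on the observer's own IDs, while each record still appears first equally often.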