
DNS Push Notifications - fauria
http://www.rfc-editor.org/rfc/rfc8765.txt
======
twic
> The DNS Long-Lived Queries (LLQ) mechanism [RFC8764] is an existing deployed
> solution to provide asynchronous change notifications; it was used by
> Apple's Back to My Mac [RFC6281] service introduced in Mac OS X 10.5 Leopard
> in 2007. Back to My Mac was designed in an era when the data center
> operations staff asserted that it was impossible for a server to handle
> large numbers of TCP connections, even if those connections carried very
> little traffic and spent most of their time idle. Consequently, LLQ was
> defined as a UDP-based protocol, effectively replicating much of TCP's
> connection state management logic in user space and creating its own
> imitation of existing TCP features like flow control, reliability, and the
> three-way handshake.

I can't help but hear the skepticism in "asserted"!

Also, fun that Apple want to move a service from UDP to TCP at a time when
Google are trying to move another service from TCP to UDP.

~~~
jeffbee
It’s still tricky to handle more than, say, a million or so TCP connections
per box, but moving the connections to UDP with TCP-like state machine in
user-space solves none of the issues.

~~~
VWWHFSfQ
yeah really, aren't you just moving the buffers that track the TCP connection
states from the kernel to some program in user space? how does that solve
anything

~~~
YarickR2
memory management techniques in userspace are much more diverse, you can reuse
RAM efficiently.

------
linsomniac
Does anyone know what mechanism is used between Route 53 and Google DNS? When
I update a record in Route 53, there seems to be 0 delay in the updated
records being present in 8.8.8.8, even if I've recently requested the old value.
I've been imagining that they had set up some sort of "cache invalidate"
message that AWS could send Google, but I haven't done any investigation.

~~~
jasonjayr
8.8.8.8 is a bunch of servers, and you may be getting a different server to
service your request than the one that cached your recently requested old
value. Make several requests, and observe the TTL -- you may notice that it
jumps around as you get different servers, especially if you space your
requests apart a few seconds.

~~~
runjake
Specifically, 8.8.8.8 is an AnyCast address.

[https://en.wikipedia.org/wiki/Anycast](https://en.wikipedia.org/wiki/Anycast)

------
oefrha
HTML version with a TOC sidebar for easier navigation: [https://www.rfc-editor.org/rfc/rfc8765.html](https://www.rfc-editor.org/rfc/rfc8765.html)

------
kissgyorgy
I can instantly think of a gazzillion ways how this can be abused :D

~~~
dpcan
Go on....

~~~
LunaSea
DNS rebinding attacks is probably one of them.

~~~
belorn
Browsers will need to update their same-origin policy so that a change in IP
address will block same requesting a different site under a different name.

~~~
philsnow
This would mean that long-lived single page web apps would need to be hard-
refreshed every once in a while when, through no fault of the app developer,
all the IP addresses that their domain name resolves to have rotated.
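
Editor's note on the rebinding sub-thread above: the two client-side checks that get discussed here (refuse internal addresses for a public name, and pin the address set an origin was first resolved to) can be written down in a few dozen lines. The block below is an added example, not browser code, Apple code, or anything from the RFC; resolver answers are passed in as plain lists so it runs offline, and the hostnames and the internal allow-list are made up for the demonstration.

```python
# Constructed example (editor's, not browser code and not from the RFC): a
# resolver-side DNS rebinding guard. Resolver answers are passed in as plain
# lists so it runs offline; sample names and the allow-list are made up.
import ipaddress


class RebindingError(Exception):
    pass


def is_internal(ip):
    """Addresses that should never come back for a public hostname."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
            or a.is_unspecified or a.is_reserved)


class RebindingGuard:
    """Two checks per lookup: (1) refuse internal addresses for names not on
    an allow-list, which stops the classic public -> 127.0.0.1 flip; (2) pin
    the first address set seen per host and refuse an answer that shares
    nothing with it, so a flip to some other public host is caught too."""

    def __init__(self, allow_internal_hosts=()):
        self.allow_internal = {h.rstrip(".").lower() for h in allow_internal_hosts}
        self.pinned = {}  # host -> frozenset of addresses first seen

    def check(self, host, answers):
        """Return the addresses the caller may connect to for host, or raise."""
        host = host.rstrip(".").lower()
        addrs = frozenset(answers)
        if host not in self.allow_internal:
            bad = sorted(a for a in addrs if is_internal(a))
            if bad:
                raise RebindingError(f"{host} resolved to internal address(es) {bad}")
        prev = self.pinned.get(host)
        if prev is None:
            self.pinned[host] = addrs
            return sorted(addrs)
        usable = addrs & prev
        if not usable:
            # Every address changed at once. That is either the full rotation
            # the thread mentions or a rebind; the guard cannot tell them
            # apart, so the caller has to drop its state and call repin().
            raise RebindingError(
                f"{host} answer {sorted(addrs)} shares nothing with pinned {sorted(prev)}")
        return sorted(usable)

    def repin(self, host):
        """Forget the pinned set, e.g. after the app re-establishes its origin."""
        self.pinned.pop(host.rstrip(".").lower(), None)
```

The second check is exactly the trade-off raised in the thread: an honest operator rotating every address at once looks the same as an attacker, so the guard raises rather than silently accepting either, and the application decides what a re-established origin means for it.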

------
m3047
The DNS already supports NOTIFY, which is a push notification for updates to a
zone (this is something set up by the operators of the auth servers, typically
for mirrors/secondaries so that they know when to request a zone transfer);
the alternative, polling, requests the SOA RR for a zone and compares serial
numbers.

Didn't give it a detailed read, but this looks like a more granular proposal,
an example given being printer discovery.

------
osrec
A question for anyone with more knowledge: does this circumvent the need for a
TTL on DNS records?

~~~
reiketsuu
Then does anyone understand what the differences are between push notifications
and using a record until the TTL expires? Thanks!

~~~
rhizome
TTL tells servers and clients in the wild how long to hold on to a query
result. You'll want to set this very high if you expect a nuclear war soon.
There is no push notification for this.

Push notifications occur when the primary is HUP'd or restarted, telling the
secondaries to pull fresh zones so that everybody's is known to have the same
serial. After this the secondaries poll the primary every 'refresh' seconds to
check for a newer copy of the zone.
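
Editor's note on the two comments above (m3047's on NOTIFY versus SOA polling, and rhizome's on the primary/secondary refresh cycle): the block below is an added example, not code from the RFC or from any commenter. It encodes and decodes an RFC 1996 NOTIFY, implements the RFC 1982 serial comparison that decides whether a transfer is needed, and models the secondary's behaviour that matters for security: NOTIFY is an unauthenticated datagram, so it is treated only as a hint from the configured primary and the serial is confirmed with a separate SOA query. The SOA query is injected as a function, and the class and its return strings are this example's own design; nothing touches the network.

```python
# Constructed example (editor's, not from the RFC or any commenter): how a
# secondary reacts to NOTIFY (RFC 1996) and decides whether the primary's
# SOA serial is newer (RFC 1982 serial arithmetic). No network I/O.
import struct

OPCODE_NOTIFY = 4
TYPE_SOA = 6
CLASS_IN = 1
FLAG_QR = 0x8000
FLAG_AA = 0x0400
SERIAL_HALF = 1 << 31


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name; a NOTIFY question carries no compression pointers."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0:
            raise ValueError("compression pointer not expected here")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_notify(zone, msg_id):
    """NOTIFY request: opcode 4, AA set, one SOA question naming the zone."""
    flags = (OPCODE_NOTIFY << 11) | FLAG_AA
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def parse_notify(msg):
    msg_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_NOTIFY or qd != 1:
        raise ValueError("not a NOTIFY")
    zone, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if (qtype, qclass) != (TYPE_SOA, CLASS_IN):
        raise ValueError("unexpected question")
    return msg_id, zone


def build_notify_response(request):
    """Echo ID, opcode and question; set QR so the primary stops retrying."""
    msg_id, flags = struct.unpack("!HH", request[:4])
    return struct.pack("!HH", msg_id, flags | FLAG_QR) + request[4:]


def serial_gt(a, b):
    """RFC 1982: True if 32-bit serial a is newer than b, wrap-around included.
    Serials exactly 2**31 apart are undefined by the RFC; treating that as
    'not newer' (so no transfer happens) is this example's own choice."""
    diff = (a - b) & 0xFFFFFFFF
    return 0 < diff < SERIAL_HALF


class Secondary:
    """A secondary for one zone. NOTIFY is an unauthenticated datagram, so it
    is only a hint: accept it from the configured primary, then confirm the
    serial with an SOA query before transferring (the query is injected)."""

    def __init__(self, zone, serial, primary_ip):
        self.zone, self.serial, self.primary_ip = zone, serial, primary_ip

    def on_notify(self, source_ip, msg, fetch_soa_serial):
        if source_ip != self.primary_ip:
            return "ignored: not from configured primary"
        _msg_id, zone = parse_notify(msg)
        if zone != self.zone:
            return "ignored: unknown zone"
        remote = fetch_soa_serial(zone)  # real code: SOA query to primary_ip
        if serial_gt(remote, self.serial):
            self.serial = remote         # real code: AXFR/IXFR, then update
            return "transfer"
        return "up to date"
```

The point of routing a NOTIFY through the serial check rather than trusting anything in the datagram is that a spoofed NOTIFY can, at worst, make the secondary ask its real primary for the SOA one extra time; the `serial_gt` wrap-around cases in the test are the ones that bite when someone resets a serial from a date-based scheme to a small number.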

------
fanf2
I would be interested to hear of any implementation of these protocol extensions
outside Apple.

------
mrpippy
This getting released during WWDC does not feel like a coincidence. I wonder
what Apple will be using it for, it’ll probably be mentioned in a session
sometime this week.

~~~
derhuerst
Just speculating here, but they still have a Back-to-my-Mac-like feature: The
HomePod allows for remote access to things in your home WiFi, e.g. IoT
devices.

As IP addresses of home routers change often enough, this might be a use case
for DNS push. Access has to work across carrier-grade NAT though,
so they might still need more than DNS.

------
yingw787
What’s the difference between this and server sent events in http2? You don’t
need a live persistent connection to issue events?

~~~
underdeserver
Well, you can listen on UDP (which DNS uses anyway).

~~~
yingw787
The more I think about this the less it makes sense to me.

My understanding of UDP is it's supposed to be for heavy, lossy traffic where
late traffic is pointless or harmful (like video streaming frames, if your
frame is late better toss it out than keep it). But I kind of want my
notifications even if they're late. I think I'm missing something in my
understanding. I was thinking if you can _stream_ using DNS, and cut out
something like Kafka, that might be a big deal, but on second thought it
doesn't make sense because DNS is more about service discovery than it is
about piping load; you want an alias to a server that does the heavy lifting.

Brain messy today.

------
simonjgreen
Love that this is now in rfc. The benefits of caching with the benefits of
zero caching.

------
bottled_poe
Haven’t read the whole proposal, but some concerns that stand out to me are: 1
- impact on DNS system performance; and 2 - what infrastructure does this
proposal rely upon?

------
skissane
I see this is defined in terms of DNS over TLS over TCP.

I don't see any mention of DNS over HTTPS or DNS over QUIC.

Could this work with either of those?
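
Editor's note on the comment above: the "DNS over TLS over TCP" framing is visible in the message format, so the block below shows what a DNS Push exchange looks like on the wire. It is an added example, not code from the RFC or from Apple. It builds a SUBSCRIBE request and a PUSH message as DSO TLVs (RFC 8490 opcode 6; SUBSCRIBE and PUSH TLV types 0x40 and 0x41 from RFC 8765 section 6), adds the two-byte length prefix that TCP and TLS transport use, and applies PUSH records to a client cache with the special TTL values (0xFFFFFFFF for "delete this record", 0xFFFFFFFE for "delete all matching"; the two wildcard forms follow my reading of section 6.3.1). The response TLVs, error handling and the TLS session itself are left out, and the `PushClient` class and its cache layout are this example's own design. The sample names are constructed and nothing touches the network.

```python
# Constructed example (editor's, not code from the RFC or from Apple): DNS Push
# SUBSCRIBE and PUSH messages as DSO TLVs (RFC 8490 opcode 6), with the TCP/TLS
# length framing, built and consumed in-process with no network I/O.
import struct

OPCODE_DSO = 6
TLV_SUBSCRIBE, TLV_PUSH = 0x40, 0x41
TYPE_A, TYPE_PTR, TYPE_ANY = 1, 12, 255
CLASS_IN, CLASS_ANY = 1, 255
TTL_DELETE_RR = 0xFFFFFFFF   # "remove this exact record"
TTL_DELETE_ALL = 0xFFFFFFFE  # "remove all records matching name/type/class"


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def dso_header(msg_id, response=False, rcode=0):
    """DSO header: opcode 6, all four section counts zero."""
    flags = (OPCODE_DSO << 11) | (0x8000 if response else 0) | rcode
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


def tlv(tlv_type, data):
    return struct.pack("!HH", tlv_type, len(data)) + data


def frame(msg):
    """DNS over TCP/TLS: two-byte big-endian length prefix per message."""
    return struct.pack("!H", len(msg)) + msg


def build_subscribe(msg_id, name, rtype, rclass=CLASS_IN):
    if msg_id == 0:
        raise ValueError("a DSO request needs a non-zero MESSAGE ID")
    data = encode_name(name) + struct.pack("!HH", rtype, rclass)
    return dso_header(msg_id) + tlv(TLV_SUBSCRIBE, data)


def build_push(rrs):
    """PUSH is unidirectional (MESSAGE ID 0); rrs are (name, type, class, ttl, rdata)."""
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, c, ttl, len(rd)) + rd
                    for n, t, c, ttl, rd in rrs)
    return dso_header(0) + tlv(TLV_PUSH, body)


def parse_dso(msg):
    msg_id, flags, *counts = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_DSO or any(counts):
        raise ValueError("not a well-formed DSO message")
    tlvs, off = [], 12
    while off < len(msg):
        t, ln = struct.unpack("!HH", msg[off:off + 4])
        tlvs.append((t, msg[off + 4:off + 4 + ln]))
        off += 4 + ln
    return msg_id, flags, tlvs


def parse_rrs(data):
    rrs, off = [], 0
    while off < len(data):
        name, off = decode_name(data, off)
        t, c, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rrs.append((name, t, c, ttl, data[off:off + rdlen]))
        off += rdlen
    return rrs


class PushClient:
    """Client cache fed by PUSH messages. Records outside an active
    subscription are dropped: the server (or anyone on the connection) must
    not be able to write arbitrary names into the cache."""

    def __init__(self):
        self.subs = set()   # (name, type, class) currently subscribed
        self.cache = {}     # name -> set of (type, class, rdata)

    def subscribe(self, msg_id, name, rtype, rclass=CLASS_IN):
        self.subs.add((name, rtype, rclass))
        return frame(build_subscribe(msg_id, name, rtype, rclass))

    def covers(self, name, t, c):
        return any(sn == name and (st == t or TYPE_ANY in (st, t))
                   and (sc == c or CLASS_ANY in (sc, c)) for sn, st, sc in self.subs)

    def apply_push(self, msg):
        msg_id, _flags, tlvs = parse_dso(msg)
        if msg_id != 0:
            raise ValueError("PUSH must carry MESSAGE ID 0")
        for tlv_type, data in tlvs:
            if tlv_type != TLV_PUSH:
                continue
            for name, t, c, ttl, rdata in parse_rrs(data):
                if not self.covers(name, t, c):
                    continue  # unsolicited: ignore rather than poison the cache
                recs = self.cache.setdefault(name, set())
                if ttl == TTL_DELETE_RR:
                    recs.discard((t, c, rdata))
                elif ttl == TTL_DELETE_ALL:
                    recs.difference_update({r for r in recs
                                            if t in (r[0], TYPE_ANY) and c in (r[1], CLASS_ANY)})
                else:
                    recs.add((t, c, rdata))
```

The `frame()` prefix is the only transport-specific part, which is why the question about DoH or DoQ is a fair one: the DSO layer only needs a reliable, ordered bidirectional stream and a session to hang the subscription on. The `covers()` check is the part a practitioner should not skip; a subscription is a standing invitation for the server to rewrite cache entries, and it should be limited to the names and types actually asked for.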

------
Mojah
Does this RFC just sherlock DNS Spy?

------
joshspankit
As a methodology, push is _always_ better than polling.

Change my mind.

~~~
ubertaco
I _mostly_ agree with you, but having spent a good part of my career dealing
with data integration patterns, I'm all too familiar with the problem of
missed messages from the consumer (or failed-to-send messages from the
producer) that results in something downstream being in an incoherent state.
The simplest fix for that incoherent state is often to _also_ poll
periodically, or something similar.

~~~
joshspankit
Sounds like it would share solutions with the “two generals problem”.

