Re: [apps-discuss] APPS-Dir review of draft-ietf-dnsop-edns-chain-query-05
Paul Wouters <pwouters@redhat.com> Mon, 11 January 2016 19:43 UTC
Return-Path: <pwouters@redhat.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3835A1A893C; Mon, 11 Jan 2016 11:43:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HQgSXYuoseb8; Mon, 11 Jan 2016 11:43:23 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C3C31A8940; Mon, 11 Jan 2016 11:43:23 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 08C9DABBAD; Mon, 11 Jan 2016 19:43:23 +0000 (UTC)
Received: from bofh.nohats.ca (vpn-225-181.phx2.redhat.com [10.3.225.181]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u0BJhMMQ006615; Mon, 11 Jan 2016 14:43:22 -0500
To: Ted Hardie <ted.ietf@gmail.com>
References: <CA+9kkMDaFbhNBjezBp40OaJoTTaUcvmJoO8Dv0bLmeqoAhO_kg@mail.gmail.com> <5693396D.7080900@redhat.com> <CA+9kkMCLRP0EtuUR7cb09n_XZthKEc4zYO58N8i__9LPqMaHjw@mail.gmail.com>
From: Paul Wouters <pwouters@redhat.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <569405DA.7000403@redhat.com>
Date: Mon, 11 Jan 2016 14:43:22 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <CA+9kkMCLRP0EtuUR7cb09n_XZthKEc4zYO58N8i__9LPqMaHjw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/apps-discuss/MA7-u18e_gOsfr9sJH4bLzZkLI4>
X-Mailman-Approved-At: Mon, 11 Jan 2016 20:07:05 -0800
Cc: dnsop@ietf.org, draft-ietf-dnsop-edns-chain-query.all@ietf.org, IESG <iesg@ietf.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] APPS-Dir review of draft-ietf-dnsop-edns-chain-query-05
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/apps-discuss/>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2016 19:43:25 -0000
On 01/11/2016 02:05 PM, Ted Hardie wrote: >> I'm a little confused. Do you mean the justification of the COOKIE >> requirement needs more justification, or >> the edns-query-chain option itself needs more justification. I would hope >> the latter is clear - it reduces the >> need for either multiple latency bound round trips or many parallel >> queries and their callbacks. >> >> > Sorry that I wasn't clear enough here. I'm not asking for a justification > of the COOKIE, I'm wondering how often this will work over UDP. Since the > basic issue is that response sizes needed for validation may be large, and > the cookie will add between 15-40 bytes, it's not clear to me what range of > UDP payload sizes would actually allow you to use this mechanism over UDP. Oh I see. I would expect most chains to be only 1-2 segments long, so I think those will fit in a UDP packet, but I have not yet done any careful calculations of that. Obviously, this option fits much better with edns-tcp-keepalive based (long lived) connections, but I think a lot of the time UDP will work fine, even with the COOKIE. > If I understand your answer correctly, you are saying that the small number > of bytes here doesn't change distribution of responses that fit into UDP > significantly. ("The additional size of the COOKIE is not really a problem > here. Those would be very few bytes compared to an abusive long chain that > an attacker could be asking for.") If the working group believes that's > the case, that's fine. It might be useful to include a bit of text in the > introduction indicating that this is the expectation, but that sort of text > in archival documents is definitely a matter of taste. That answer was more in reply to amplification abuse, and not so much in response to regular operation. > > >>> Is there a >> >> reason for limiting partial answers to the top-most hierarchical >>> responses? If so, could the document include it? >> >> The reason for limiting the answer from the top down is that it enables >> the querying >> client to extend its own chain further down, and send a new query for the >> same data >> with the updated Closest Trust Point further down. This method guarantees >> that the >> DNS client can work its way to the answer. >> >> If the server decides to send other parts of the chain, the client has to >> modify its >> query target in an attempt to get the top part of the chain it did not >> get. And it has >> no guarantee that the next query will give it another useful hunk of the >> chain. >> >> Additionally, assuming the DNS client to DNS server connection is of high >> latency, and >> the DNS server itself has a low latency uplink, it might actually do the >> DNS client a >> disservice giving it part of the chain instead of querying to create the >> full chain. It >> would also be guessing as to whether the full chain is likely to fit or >> not. >> >> To me, such strategies seem overly complicated, and require more code on >> the DNS client >> implementing handling unexpected partial answers. The top down cut-off >> seems much simpler >> to me. But let's ask the working group as well what they think. >> >> > I think a short statement like "This strategy somewhat limits the > opportunity to > use cached data but results in lower code complexity for clients by > allowing them > to retain a common query target after a partial answer" would cover this and > might be useful. Are there any others that would think this paragraph would be useful to add? I have no objection to it, but also don't really see the need to write this out. >>> To resolve this, the client would have to be able to detect when the >> ENDS0 >>> option is suppressed by the path, versus not offered by a Recursive >>> Resolver. Some further text on how this is discerned would be useful; >>> absent a method, I believe the text in 5.3 is sufficient and 6.5 not >> useful >>> beyond the points made in RFC 6891. >> >> How about removing section 6.5, but moving the one sentence in there: >> >> A fallback strategy similar to that described in [RFC6891] section >> 6.2.2 SHOULD be employed to avoid persistent interference due to non- >> clean paths. >> >> to the end of section 5.3? Would that resolve your issue? >> >> Yes, that seems to work. Great, done in my draft. (Still waiting on Tim or Joel to tell me if I should wait or push a new version now we are in the middle of the LC) > > >>> >>> Nits: >>> >>> The abstract uses the term "security aware validating Resolver". This >> use >>> of "security aware" appears to be the term of art used in RFC 4033, but >>> that may not be obvious; perhaps "DNSSEC validating resolver" would be >> more >>> clear for an abstract? >> >> RFC-7719 DNS Terminology marks all of these terms as "have caused >> confusion". I am fine with DNSSEC validating resolver", but I would like to >> punt this question >> to the authors of RFC-7719. I'll ping them offlist if they miss this >> message on the dnsop list. >> >> > Fair enough; I'm happy to go along with their advice, whatever it may be. Ok, I have this item pending hearing from some more people. >>> In section 6.3, the document says: >>> >>> In the event that there is greater demand for Chain Queries than can >>> be accommodated, DNS servers may stop advertising the CHAIN option in >>> successive DNS messages. This allows, for example, clients with >>> other candidate servers to query to establish new sessions with >>> different servers in expectation that those servers might still allow >>> Chain Queries. >>> >>> Given that this would also apply to UDP CHAIN queries, it is not clear >> why >>> this is in the TCP Session Management section. >> >> Correct. How about renaming section 6.3 from "TCP session management" to >> "session management" ? >> >> > Sounds good. Done on my copy as well. Thanks for the prompt reply! Paul
- [apps-discuss] APPS-Dir review of draft-ietf-dnso… Ted Hardie
- Re: [apps-discuss] APPS-Dir review of draft-ietf-… Ted Hardie
- Re: [apps-discuss] APPS-Dir review of draft-ietf-… Paul Wouters
- Re: [apps-discuss] APPS-Dir review of draft-ietf-… Paul Wouters