Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-06.txt
Geoff Huston <gih@apnic.net> Fri, 08 July 2016 00:51 UTC
Return-Path: <gih@apnic.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94F4C12D7AB for <dns-privacy@ietfa.amsl.com>; Thu, 7 Jul 2016 17:51:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -108.327
X-Spam-Level:
X-Spam-Status: No, score=-108.327 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DKb4nh4hD0xr for <dns-privacy@ietfa.amsl.com>; Thu, 7 Jul 2016 17:51:00 -0700 (PDT)
Received: from ao-mailgw.apnic.net (ao-mailgw.apnic.net [IPv6:2001:dd8:8:701::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2084712B03E for <dns-privacy@ietf.org>; Thu, 7 Jul 2016 17:50:59 -0700 (PDT)
Received: from NXMDA2.org.apnic.net (unknown [IPv6:2001:dd8:9:2::101:249]) by ao-mailgw.apnic.net (Halon Mail Gateway) with ESMTPS; Fri, 8 Jul 2016 10:50:50 +1000 (AEST)
Received: from [202.158.221.23] (203.119.101.249) by NXMDA2.org.apnic.net (203.119.107.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Fri, 8 Jul 2016 10:50:48 +1000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <D3A25A77.127C8B%praspati@cisco.com>
Date: Fri, 08 Jul 2016 10:50:53 +1000
Content-Transfer-Encoding: quoted-printable
Message-ID: <3194B599-DE16-4EAB-A772-113A54148499@apnic.net>
References: <20160405045114.5783.47505.idtracker@ietfa.amsl.com> <441e3007b75d4145b328000441516253@XCH-RCD-017.cisco.com> <740B865B-FAE8-45FF-B875-37EAE5A43AB7@apnic.net> <D3A25A77.127C8B%praspati@cisco.com>
To: "Prashanth Patil (praspati)" <praspati@cisco.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/16K7dzExQYZSl-gnjWLz_HjMQRs>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-06.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 00:51:02 -0000
Might I suggest the following single additional sentence to section 4?
Where it says: "The DNS server must ensure that the DNS response size does not exceed the Path MTU”
you may want to say:
"The DNS server must ensure that the DNS response size does not exceed the Path MTU, i.e.: Each DTLS record MUST fit within a single datagram, as required by [RFC6347].”
(explicitly reference RFC6347 as the source of this constraint on response sizes)
thanks,
Geoff
> On 6 Jul 2016, at 11:54 PM, Prashanth Patil (praspati) <praspati@cisco.com> wrote:
>
> Hi Geoff,
> We¹ve submitted a revision that should address the concern you¹ve rightly
> pointed out below.
>
> -Prashanth
>
> On 5/25/16, 9:24 AM, "dns-privacy on behalf of Geoff Huston"
> <dns-privacy-bounces@ietf.org on behalf of gih@apnic.net> wrote:
>
>> Hi
>>
>> I have been reading this draft and comparing it to the DTLS RFC (RFC6347)
>>
>> RFC6347 says:
>>
>> 4.1.1. Transport Layer Mapping
>>
>> Each DTLS record MUST fit within a single datagram. In order to
>> avoid IP fragmentation, clients of the DTLS record layer SHOULD
>> attempt to size records so that they fit within any PMTU estimates
>> obtained from the record layer.
>>
>>
>>
>>
>> draft-ietf-dprive-dnsodtls-06.txt says:
>>
>> client and server MUST support the EDNS0 option defined in [RFC6891]
>> so that the DNS client can indicate to the DNS server the maximum DNS
>> response size it can handle without IP fragmentation. If the DNS
>> server's response exceeds the EDNS0 value, the DNS server sets the TC
>> (truncated) bit. On receiving a response with the TC bit set, the
>> client establishes a DNS-over-TLS connection to the same server, and
>> sends a new DNS request for the same resource record.
>>
>> These are not precisely consistent. EDNS0 does not specify the maximum
>> unfragmented size, of course. It specifies the maximum size that the
>> querier is willing to reassemble.
>>
>> To quote from RFC6891
>>
>> The requestor's UDP payload size (encoded in the RR CLASS field) is the
>> number of octets of the largest UDP payload that can be reassembled and
>> delivered in the requestor's network stack. Note that path MTU, with
>> or without fragmentation, could be smaller than this.
>>
>> So at this point I'm confused. If the intent is to prevent IP
>> fragmentation then the server must sit within the local PMTU estimate, or
>> truncate the response to indicate that it could not do so, which means
>> that the text in the draft needs revision to reflect this normative
>> (MUST) constraint imposed by RFC6347.
>>
>> Or are these extenuating circumstances in DNS over DTLS that would allow a
>> fragmented response that sits within an offerred EDNS0 UDP Buffer size?
>> If so, then the draft should clearly document what these circumstances are
>> and why the MUST in RFC6347 is not being applied in this case.
>>
>> thanks,
>>
>> Geoff
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org
>> https://www.ietf.org/mailman/listinfo/dns-privacy
>
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-d… Geoff Huston
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-d… Prashanth Patil (praspati)
- [dns-privacy] I-D Action: draft-ietf-dprive-dnsod… internet-drafts
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-d… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-d… Geoff Huston