Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-06.txt
Geoff Huston <gih@apnic.net> Wed, 25 May 2016 16:24 UTC
Return-Path: <gih@apnic.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57E5312B02F for <dns-privacy@ietfa.amsl.com>; Wed, 25 May 2016 09:24:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -108.217
X-Spam-Level:
X-Spam-Status: No, score=-108.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=apnic.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4lWVsxT39L3i for <dns-privacy@ietfa.amsl.com>; Wed, 25 May 2016 09:24:07 -0700 (PDT)
Received: from ao-mailgw.apnic.net (ao-mailgw.apnic.net [IPv6:2001:dd8:8:701::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05E3012D835 for <dns-privacy@ietf.org>; Wed, 25 May 2016 09:24:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.net; s=R2D2; h=received:received:content-type:mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to:x-mailer:return-path; bh=hEEL57qrU6bZs2pFRU2xUzlAF/pdusEaONQpTcLrcJk=; b=HeAZZUYhSFsBWbdxioY8rVjE1ENZvzZDa0yAV3C2uoxlycEiRgpmTcxFa09EFm42N+0Ve9TdJAMIi Fp7CEhX6bwwGilNIU+mjCU/l6oNOQv2atiQzolU6B9qEuvWS1pk1lMlF6NLY1PaxFBSreEJKF34cEz X4gev9ntCq7vIEUQ=
Received: from iamda3.org.apnic.net (unknown [IPv6:2001:dd8:9:2::101:249]) by ao-mailgw.apnic.net (Halon Mail Gateway) with ESMTPS; Thu, 26 May 2016 02:24:00 +1000 (AEST)
Received: from dhcp-29-75.ripemtg.ripe.net (203.119.101.249) by iamda3.org.apnic.net (203.119.111.31) with Microsoft SMTP Server (TLS) id 14.3.123.3; Thu, 26 May 2016 02:23:54 +1000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <441e3007b75d4145b328000441516253@XCH-RCD-017.cisco.com>
Date: Thu, 26 May 2016 02:24:13 +1000
Content-Transfer-Encoding: 7bit
Message-ID: <740B865B-FAE8-45FF-B875-37EAE5A43AB7@apnic.net>
References: <20160405045114.5783.47505.idtracker@ietfa.amsl.com> <441e3007b75d4145b328000441516253@XCH-RCD-017.cisco.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/72K0IxrosAXOwlGgIYRhZIFdPcQ>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-dnsodtls-06.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 May 2016 16:24:09 -0000
Hi I have been reading this draft and comparing it to the DTLS RFC (RFC6347) RFC6347 says: 4.1.1. Transport Layer Mapping Each DTLS record MUST fit within a single datagram. In order to avoid IP fragmentation, clients of the DTLS record layer SHOULD attempt to size records so that they fit within any PMTU estimates obtained from the record layer. draft-ietf-dprive-dnsodtls-06.txt says: client and server MUST support the EDNS0 option defined in [RFC6891] so that the DNS client can indicate to the DNS server the maximum DNS response size it can handle without IP fragmentation. If the DNS server's response exceeds the EDNS0 value, the DNS server sets the TC (truncated) bit. On receiving a response with the TC bit set, the client establishes a DNS-over-TLS connection to the same server, and sends a new DNS request for the same resource record. These are not precisely consistent. EDNS0 does not specify the maximum unfragmented size, of course. It specifies the maximum size that the querier is willing to reassemble. To quote from RFC6891 The requestor's UDP payload size (encoded in the RR CLASS field) is the number of octets of the largest UDP payload that can be reassembled and delivered in the requestor's network stack. Note that path MTU, with or without fragmentation, could be smaller than this. So at this point I'm confused. If the intent is to prevent IP fragmentation then the server must sit within the local PMTU estimate, or truncate the response to indicate that it could not do so, which means that the text in the draft needs revision to reflect this normative (MUST) constraint imposed by RFC6347. Or are these extenuating circumstances in DNS over DTLS that would allow a fragmented response that sits within an offerred EDNS0 UDP Buffer size? If so, then the draft should clearly document what these circumstances are and why the MUST in RFC6347 is not being applied in this case. thanks, Geoff
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-d… Geoff Huston
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-d… Prashanth Patil (praspati)
- [dns-privacy] I-D Action: draft-ietf-dprive-dnsod… internet-drafts
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-d… Tirumaleswar Reddy (tireddy)
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-d… Geoff Huston