IETF Logo Mail Archive

Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses

Tim Wicinski <tjw.ietf@gmail.com> Fri, 21 March 2014 04:33 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE0331A091F for <dns-privacy@ietfa.amsl.com>; Thu, 20 Mar 2014 21:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5AAxvXB_gjLC for <dns-privacy@ietfa.amsl.com>; Thu, 20 Mar 2014 21:33:16 -0700 (PDT)
Received: from mail-ob0-x22b.google.com (mail-ob0-x22b.google.com [IPv6:2607:f8b0:4003:c01::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 7062B1A046C for <dns-privacy@ietf.org>; Thu, 20 Mar 2014 21:33:16 -0700 (PDT)
Received: by mail-ob0-f171.google.com with SMTP id wn1so1977953obc.30 for <dns-privacy@ietf.org>; Thu, 20 Mar 2014 21:33:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=pdzItg/4ClwYBCaEEy+OFuwSXDxMk+RbpBcJlDxl+gI=; b=ae6S48IYsmeAhScdvJwFAFXREFEoQs61mcvqd1eLgbC5cj/vAxuU8zr7EFxCciuZm2 XrUmYGRJJkYhZ/cZMVP/+1rolwc3gcNz+A20wFJtkG5UaGHsBDH3OlSbTQxgqNpuf5ws zpPPNtlRK6P+zI7X4rp0eq8QyRXKNVFkTqNQondIR/YgeqsXk7FDdxIMmtWdrR0clLTr bksMf72uMrQLsW6FRw1nkKJ4iOsaA9/SMlfD8SyW5d2NadIF6vuXYMpwEEUd4HSMAWGa tRXFfdX6OIKdKM9+EnVDNnwsgyFsIR0ibiGIj9pK6PdhV01mBQf7HuVVHb+kVkY+aiXp wdcQ==
X-Received: by 10.182.33.35 with SMTP id o3mr36613512obi.15.1395376387260; Thu, 20 Mar 2014 21:33:07 -0700 (PDT)
Received: from feather.local (wsip-70-168-128-206.dc.dc.cox.net. [70.168.128.206]) by mx.google.com with ESMTPSA id b2sm16273729oed.7.2014.03.20.21.33.04 for <dns-privacy@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Mar 2014 21:33:06 -0700 (PDT)
Message-ID: <532BC100.4050704@gmail.com>
Date: Fri, 21 Mar 2014 00:33:04 -0400
From: Tim Wicinski <tjw.ietf@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Thunderbird/30.0a2
MIME-Version: 1.0
To: dns-privacy@ietf.org
References: <CAMm+LwgXExHH6YxpvQLEsgZ+C4uUjvv0E=+g0XBmWVBrQnG_-w@mail.gmail.com> <CA+9kkMAVkUtLZ95g-Enk1EaSif4FOuuCy_utwcHYDN3Vjw3xjg@mail.gmail.com> <CAMm+Lwi_aLqyyC4ek_twcr_x_XC6J1AOFbEgJkHaAe=skfSmLw@mail.gmail.com> <532A9BDF.80401@nlnetlabs.nl> <CAMm+LwjysRvkKqH=HeuQtxf8Kh0VRBDzwW63G0Z58yb0ptQB2w@mail.gmail.com>
In-Reply-To: <CAMm+LwjysRvkKqH=HeuQtxf8Kh0VRBDzwW63G0Z58yb0ptQB2w@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/qPxQmDdy6oRI5OSnyttgR0mQUnk
Subject: Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 04:33:18 -0000

On 3/20/14, 8:54 AM, Phillip Hallam-Baker wrote:
> Really?
>
> When DNSSEC was first proposed in 1995 or thereabouts it wasn't
> deployable because most of the DNS infrastructure could not support
> new RR types, there was a 500 byte limit on messages in many cases and
> several other issues.
>
> It took another five years to fix those issues in the infrastructure
> before deployment became practical.
>
> What I am saying here is that we have an opportunity to say that we
> leave certain parts of the legacy behind without additional cost.
>
>
> Or we could start the work by declaring that the DNS protocols were
> handed down in a state of grace and that they represent the most
> shining example of perfection we can hope to achieve and that anyone
> who suggests the mere possibility of alternative approaches must be
> cast out as a heretic.

Or we can do something like HTTP/2 is doing and approaching it as a new 
mechanism and allow methods for choosing, but having a fall back strategy.

>
> DNSSEC has always had to dance round the problem that DNS responses
> have to fit in one packet. And that pushes a huge number of
> contortions onto designs. I think it is more than reasonable to
> require that if people are going to start encrypting packets that they
> be required to have a strategy that can transport DNSSEC packets for
> almost all real world protocols without having to switch from UDP to
> TCP. That could mean staying in UDP all along or starting in TCP from
> the start. But switching horses in midstream from UDP to TCP hits all
> sorts of ugly real world deployment issues.

I would agree it should either all work in UDP or start in TCP.

And Pauls' drafts are very relevant to this conversation.

tim

v2.23.0 | Report a Bug | By Email