Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses

Tim Wicinski <> Fri, 21 March 2014 04:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DE0331A091F for <>; Thu, 20 Mar 2014 21:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5AAxvXB_gjLC for <>; Thu, 20 Mar 2014 21:33:16 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c01::22b]) by (Postfix) with ESMTP id 7062B1A046C for <>; Thu, 20 Mar 2014 21:33:16 -0700 (PDT)
Received: by with SMTP id wn1so1977953obc.30 for <>; Thu, 20 Mar 2014 21:33:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=pdzItg/4ClwYBCaEEy+OFuwSXDxMk+RbpBcJlDxl+gI=; b=ae6S48IYsmeAhScdvJwFAFXREFEoQs61mcvqd1eLgbC5cj/vAxuU8zr7EFxCciuZm2 XrUmYGRJJkYhZ/cZMVP/+1rolwc3gcNz+A20wFJtkG5UaGHsBDH3OlSbTQxgqNpuf5ws zpPPNtlRK6P+zI7X4rp0eq8QyRXKNVFkTqNQondIR/YgeqsXk7FDdxIMmtWdrR0clLTr bksMf72uMrQLsW6FRw1nkKJ4iOsaA9/SMlfD8SyW5d2NadIF6vuXYMpwEEUd4HSMAWGa tRXFfdX6OIKdKM9+EnVDNnwsgyFsIR0ibiGIj9pK6PdhV01mBQf7HuVVHb+kVkY+aiXp wdcQ==
X-Received: by with SMTP id o3mr36613512obi.15.1395376387260; Thu, 20 Mar 2014 21:33:07 -0700 (PDT)
Received: from feather.local ( []) by with ESMTPSA id b2sm16273729oed.7.2014. for <> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Mar 2014 21:33:06 -0700 (PDT)
Message-ID: <>
Date: Fri, 21 Mar 2014 00:33:04 -0400
From: Tim Wicinski <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Thunderbird/30.0a2
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [dns-privacy] Multiple DNS requests per packet, multiple packet responses
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 21 Mar 2014 04:33:18 -0000

On 3/20/14, 8:54 AM, Phillip Hallam-Baker wrote:
> Really?
> When DNSSEC was first proposed in 1995 or thereabouts it wasn't
> deployable because most of the DNS infrastructure could not support
> new RR types, there was a 500 byte limit on messages in many cases and
> several other issues.
> It took another five years to fix those issues in the infrastructure
> before deployment became practical.
> What I am saying here is that we have an opportunity to say that we
> leave certain parts of the legacy behind without additional cost.
> Or we could start the work by declaring that the DNS protocols were
> handed down in a state of grace and that they represent the most
> shining example of perfection we can hope to achieve and that anyone
> who suggests the mere possibility of alternative approaches must be
> cast out as a heretic.

Or we can do something like HTTP/2 is doing and approaching it as a new 
mechanism and allow methods for choosing, but having a fall back strategy.

> DNSSEC has always had to dance round the problem that DNS responses
> have to fit in one packet. And that pushes a huge number of
> contortions onto designs. I think it is more than reasonable to
> require that if people are going to start encrypting packets that they
> be required to have a strategy that can transport DNSSEC packets for
> almost all real world protocols without having to switch from UDP to
> TCP. That could mean staying in UDP all along or starting in TCP from
> the start. But switching horses in midstream from UDP to TCP hits all
> sorts of ugly real world deployment issues.

I would agree it should either all work in UDP or start in TCP.

And Pauls' drafts are very relevant to this conversation.