[dnsext] draft-ietf-dnsext-rfc1995bis-ixfr -- questions on s3.2.3
Alfred Hönes <ah@TR-Sys.de> Wed, 18 April 2012 22:00 UTC
Return-Path: <A.Hoenes@TR-Sys.de>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AE7A11E809D for <dnsext@ietfa.amsl.com>; Wed, 18 Apr 2012 15:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.206
X-Spam-Level:
X-Spam-Status: No, score=-98.206 tagged_above=-999 required=5 tests=[AWL=0.543, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bKHpTYgzo54g for <dnsext@ietfa.amsl.com>; Wed, 18 Apr 2012 15:00:52 -0700 (PDT)
Received: from TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by ietfa.amsl.com (Postfix) with ESMTP id 579CF11E8091 for <dnsext@ietf.org>; Wed, 18 Apr 2012 15:00:51 -0700 (PDT)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3.2) id AA099566350; Wed, 18 Apr 2012 23:59:10 +0200
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id XAA00506; Wed, 18 Apr 2012 23:59:08 +0200 (MESZ)
From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <201204182159.XAA00506@TR-Sys.de>
To: dnsext@ietf.org
Date: Wed, 18 Apr 2012 23:59:08 +0200
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 7bit
Subject: [dnsext] draft-ietf-dnsext-rfc1995bis-ixfr -- questions on s3.2.3
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2012 22:00:53 -0000
Note: This thread actually has started on the predecessor individual draft, but to acoid confusion on the target of the discussion, I have changed the Subject to refer to the adopted WG draft, draft-ietf-dnsext-rfc1995bis-ixfr-00. The questions were about the level and detail of the requirements posed onto an IXFR server in packetizing the conceptual IXFR response -- in all the different cases that can occur --, and how thereby the detrimental need for IXFR clients to rely on timeouts (to determine the outcome/state of an IXFR session, under very specific conditions) can be avoided. I have revisited recent messages and previous work, and tried to arrive at the conclusions that look most reasonable and seem to correspond to evolving consensus. Observations and conclusions: (1) IXFR is intended as a more efficient method for in-band zone synchronization than AXFR (for deployment scenarios where it makes sense -- as explained in the draft); therefore, it seems fair that the specification is tailored to support timely, efficient completion of IXFR sessions under most conditions, and that the requirements for IXFR server implementations be at least as strong as the comparable requirements for modern AXFR servers that fully conform to RFC 5936 (excluding the kludges for backward compatibility still supported by that RFC). (2) Updated protocol specifications are not required to still contain specific requirements, or the lack of specific requirements, if that has been identified as a weak point in the protocol. So an updated specification needs to be allowed to specify more specific requirements than its predecessor, but preferably this should be done in a manner that interoperability with legacy implementations is assured as far as it makes sense. Of course, legacy implementations that do not follow the more stringent rules of the revised specification cannot claim conformance to the new specification until they get updated accordingly. But that's the fate of implementations at large, and the DNS world will not be doomed thereby. :-) (3) RFC 5936, Section 2.2 (at the bottom of page 11) specifies: | Each AXFR response message SHOULD contain a sufficient number of RRs | to reasonably amortize the per-message overhead, up to the largest | number that will fit within a DNS message (taking the required | content of the other sections into account, as described below). This was the consensus of the WG two years ago. I conclude -- and that seems to be in line with feedback from implementers -- that, to achieve the performance goal of IXFR, rfc1995bis needs to be *at least* as strong as RFC 5936 in its requirements in Section 3.2.3. Therefore, unless there is strong consensus to the contrary arising quickly, the next draft version will use uppercase "SHOULD" in this context: ! For multi-message IXFR responses, the conceptional answer is split ! into segments that are sent in order. Each segment is comprised of ! an integer number of full RRs, and for transport efficiency, the !> response messages SHOULD be filled up with answer RRs as much as ! possible for the response message size chosen by the IXFR server, ! taking into account the space needed for the other sections in the ! messages. (4) Bulk IXFR runs over TCP, with potentially concurrent transactions for different zones served by the same authoritiative servers. Since the IXFR protocol allows very different kinds of responses (as specified in a fully backward-compatible manner in the draft) the most important kinds of which will consist of multiple response messages, yet does not contain an overall length indication or a specific, generic "end-of-response" indication for multi-message responses, there is a clear need for: * rules that ensure that the kind of response can be determined instantaneously and without ambiguity upon receipt of the first response message; and * rules that clearly allow to determine when a received response message is the last one in an IXFR session. As already indicated in the draft, there are a few specific conditions where the interpreation of an IXFR response cannot be disambiguated until (and if) the next response message arrives, unless IXFR servers are required to packetize their responses in a manner that allows immediate disambiguation at the client. Waiting (in corner cases) for another response message in a given IXFR session in order to eventually determine the status of the response requires the IXFR client to set a timeout and wait -- as a normal protocol operation. All such timeouts are generally regarded as detrimental, and in particular detrimental to the performance optimization we have as a target goal for IXFR. Therefore, unless strong consensus to the contrary arises quickly, the next draft version will contain a more precise description of what conditions indicate the end of an IXFR response, and how the different kinds of IXFR responses are to be disambiguated. But this needs to impose on IXFR servers a very few new, specific, stronger requirements for the packetization of their responses. These conditions already are in the draft, but the text will be revised to distinguish the new requirements and spell out the rationale. The core of this clarification will be a new clause added below the text quoted in (3) above, stating (modulo wordsmithing t.b.d.): ! If an IXFR server intends to send a conceptual IXFR response that ! is comprised of at least two answer RRs, the first two RRs of the ! response MUST be sent in the first response packet to allow the IXFR ! client to immediately distinguish the kind of response coming in. ! An IXFR server MUST NOT send over connection-oriented transport the ! kind of (single-RR) IXFR response that indicates that the server has ! to send a multi-packet response and hence the IXFR request needs to ! be retried over connection-orientend transport (currently: TCP); ! this kind of response is only allowed in response to an IXFR query ! received over connectionless transport (currently: UDP). ! See Section 4 for the details of the various kinds of conceptual ! IXFR responses and how an IXFR client distinguishes these. The verbiage already present in the draft that indicates the necessity to anyway set up timeouts as a safeguard to protect agains fatal conditions will be amended to say that this is also necessary for seamless interoperation with older IXFR servers not conforming to these new requirements, but the efficiency of IXFR operations in specific circumstances will no longer depend on clever heuristics to choose proper values, once the IXFR servers used in a given deployment are updated to conform to the revised specification, since the timeout values then will only apply in fatal cases and can be chosen rather long for resilience reasons without negative effects on normal protocol operation in specific cases. Finally, a closely related topic / question: (5) The example of "fallback to AXFR" in the draft (at the very end of Section 2) currently suggests that, for efficiency at both the IXFR server and the IXFR client, for full zone transfer (fallback to AXFR) an IXFR server (typically) sends the zone RRs grouped by RRset. It has been correctly observed that this ordering does not correspond to a requirement contained in the new AXFR specification, RFC 5936. Should this behavior be recommended/RECOMMENDED in the draft for new IXFR server implementations? Kind regards, Alfred. -- +------------------------+--------------------------------------------+ | TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. | | Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 | | D-71254 Ditzingen | E-Mail: ah@TR-Sys.de | +------------------------+--------------------------------------------+
- [dnsext] draft-ietf-dnsext-rfc1995bis-ixfr -- que… Alfred Hönes
- Re: [dnsext] draft-ietf-dnsext-rfc1995bis-ixfr --… Alfred Hönes
- Re: [dnsext] draft-ietf-dnsext-rfc1995bis-ixfr --… Andreas Gustafsson
- Re: [dnsext] draft-ietf-dnsext-rfc1995bis-ixfr --… Alfred Hönes
- Re: [dnsext] draft-ietf-dnsext-rfc1995bis-ixfr --… Andreas Gustafsson