Re: [dnsext] draft-ietf-dnsext-rfc1995bis-ixfr -- questions on s3.2.3

Andreas Gustafsson <gson@araneus.fi> Thu, 26 April 2012 09:31 UTC

Return-Path: <gson@araneus.fi>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79E8E21F8680 for <dnsext@ietfa.amsl.com>; Thu, 26 Apr 2012 02:31:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZyrKWaS3TzeI for <dnsext@ietfa.amsl.com>; Thu, 26 Apr 2012 02:31:53 -0700 (PDT)
Received: from gunk.araneus.fi (gunk.araneus.fi [166.84.6.82]) by ietfa.amsl.com (Postfix) with ESMTP id B839621F87A5 for <dnsext@ietf.org>; Thu, 26 Apr 2012 02:31:53 -0700 (PDT)
Received: from guava.gson.org (guava.gson.org [10.0.11.2]) by gunk.araneus.fi (Postfix) with ESMTP id B46C71D0E8C; Thu, 26 Apr 2012 09:31:49 +0000 (UTC)
Received: by guava.gson.org (Postfix, from userid 101) id 954CE75E62; Thu, 26 Apr 2012 12:31:50 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20377.5638.38126.16837@guava.gson.org>
Date: Thu, 26 Apr 2012 12:31:50 +0300
To: Alfred Hoenes <ah@TR-Sys.de>
In-Reply-To: <201204201057.MAA09367@TR-Sys.de>
References: <20369.9662.782882.466650@guava.gson.org> <201204201057.MAA09367@TR-Sys.de>
X-Mailer: VM 8.0.14 under 21.4.1 (i386--netbsdelf)
From: Andreas Gustafsson <gson@araneus.fi>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] draft-ietf-dnsext-rfc1995bis-ixfr -- questions on s3.2.3
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Apr 2012 09:31:54 -0000

Alfred,

Last week, you wrote (referring to the pseudocode in Appendix A
of http://tools.ietf.org/html/draft-ietf-dnsext-ixfr-01)

> [...] the only significant difference between
> that pseudocode and the more detailed description in our I-D (already
> being expanded upon as well in my working copy) seems to be the
> requirement for the second RR to be contained in the first response
> packet to avoid the waiting for the second packet before 'incremental'
> can be distinguished unambiguously from 'fallback-to-axfr'.

Yes, that difference is the sticking point.

> According to feedback from current implementers, they seem to have no
> trouble with the suggested small tightening -- in particular as it
> effectively needs no additional effort in server implementations
> that already follow the "SHOULD" for AXFR in RFC 5936 (to pack as
> much answer RRs into the response packets as possible) and reuse
> related code for IXFR.

As I see it, the proposed requirement to send the first two RRs in the
same message isn't so much a "small tightening" as a fundamental
change to the nature of the protocol, from one defined in terms of a
sequence of RRs where message boundaries carry no meaning to one where
the message boundaries are significant.

Also, RFC 5936 doesn't actually require packing "as much answer RRs as
possible" into the response message.  It says:

   Each AXFR response message SHOULD contain a sufficient number of RRs
   to reasonably amortize the per-message overhead, up to the largest
   number that will fit within a DNS message (taking the required
   content of the other sections into account, as described below).

Consider for example a server implementation that chooses to start a
new message whenever adding another RR to the current message would
cause it to grow larger than 16 kB, in order to take maximum advantage
of name compression given that compression pointers can only point
into the first 16 kB of the message.  I would consider such an
implementation compliant with the above SHOULD, but it would not meet
the proposed requirement when the second RR in the transfer is
larger than 16 kB.

Even filling the message with as many answer RRs as possible is not
always sufficient meet the proposed requirement.  When the second RR
is close to 64 kB in size, it may not fit in the same message as the
initial SOA even though it would fit in a separate message.  If
servers will be required to treat this situation as an error instead
of just sending the RRs in separate messages, code changes are needed.

RFC 5936 also says:

   Some old AXFR clients expect each response message to contain only a
   single RR.  To interoperate with such clients, the server MAY
   restrict response messages to a single RR.  As there is no standard
   way to automatically detect such clients, this typically requires
   manual configuration at the server.

There are server implementations where such manual configuration
causes single-RR messages to be sent to both AXFR and IXFR clients.
A client following the decision procedure in the draft will fail to
interoperate with a server configured in this way.

> I note that the example in Section 7 of the '2000 draft also shows
> answer RR packing, which is needed anyway if the IXFR server intends
> to make use of the option to send (packed) incremental (or even
> fallback-to-axfr) responses in a single UDP response packet, if
> they fit therein.

It's not that existing servers are incapable of packing multiple RRs
per message, or that they won't do it in the typical case, but that
there are atypical cases such as transfers involving large RRs or
non-default configurations where the initial SOA can end up being
sent in a message of its own.

That said, my main objection is not to the draft's "tightening" of
what the server may send, but to the corresponding "loosening" of what
the client must accept.  In other words, whether or not servers are
required to send the first two RRs in the same message, clients should
be required to accept TCP IXFR responses divided into messages at
arbitrary RR boundaries.

Regards,
-- 
Andreas Gustafsson, gson@araneus.fi