IETF Logo Mail Archive

Re: [dnsext] Slamming the TCP door, was Re: Fwd: New Version Notification for draft-ah-dnsext-rfc1995bis-ixfr-02

Edward Lewis <Ed.Lewis@neustar.biz> Mon, 20 June 2011 13:24 UTC

Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA9821F0C44 for <dnsext@ietfa.amsl.com>; Mon, 20 Jun 2011 06:24:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.165
X-Spam-Level:
X-Spam-Status: No, score=-106.165 tagged_above=-999 required=5 tests=[AWL=0.434, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6nXn9b9MFT3Y for <dnsext@ietfa.amsl.com>; Mon, 20 Jun 2011 06:24:04 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id ABBA31F0C37 for <dnsext@ietf.org>; Mon, 20 Jun 2011 06:24:03 -0700 (PDT)
Received: from bsul-lt500.cis.neustar.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p5KDO1jM025779; Mon, 20 Jun 2011 09:24:01 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [192.168.128.30] by bsul-lt500.cis.neustar.com (PGP Universal service); Mon, 20 Jun 2011 09:24:02 -0400
X-PGP-Universal: processed; by bsul-lt500.cis.neustar.com on Mon, 20 Jun 2011 09:24:02 -0400
Mime-Version: 1.0
Message-Id: <a06240802ca24f57df4ca@[192.168.128.30]>
In-Reply-To: <20110620125420.E9F9D10EF90C@drugs.dv.isc.org>
References: <4DB81069.3080404@nic.cz> <4DF9B5BD.7010900@nic.cz> <a06240803ca1fd7525c50@10.31.201.23> <BANLkTinjRDHyKH-tLEoejodXb2+7qQLO7w@mail.gmail.com> <a06240801ca2102b8b4f2@10.31.201.23> <BANLkTikoVVaXF2_LJ3KHm6P7oFpfC+n2tw@mail.gmail.com> <a06240801ca21246f76de@10.31.201.23> <BANLkTinVfuL0WEYwaycTaAnWDS9vYF5NjQ@mail.gmail.com> <4DFEFBDE.4030303@nlnetlabs.nl> <1308572047.2742.37.camel@shane-desktop> <a06240801ca24edde2b90@[192.168.1.104]> <20110620125420.E9F9D10EF90C@drugs.dv.isc.org>
Date: Mon, 20 Jun 2011 09:22:07 -0400
To: Mark Andrews <marka@isc.org>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, dnsext@ietf.org
Subject: Re: [dnsext] Slamming the TCP door, was Re: Fwd: New Version Notification for draft-ah-dnsext-rfc1995bis-ixfr-02
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2011 13:24:19 -0000

At 22:54 +1000 6/20/11, Mark Andrews wrote:

>They differ by the QTYPE is the question section of the response otherwise
>they are identical.

>The following is legal with IXFR and results in a AXFR style IXFR response.

My assumption is that IXFR is a single query, single response message 
mechanism, so I would disagree with the example shown.  But I can see 
why there's a disagreement here, based on this passage from RFC 1995.

    Transport of a query may be by either UDP or TCP.  If an IXFR query
    is via UDP, the IXFR server may attempt to reply using UDP if the
    entire response can be contained in a single DNS packet.  If the UDP
    reply does not fit, the query is responded to with a single SOA
    record of the server's current version to inform the client that a
    TCP query should be initiated.

    Thus, a client should first make an IXFR query using UDP.  If the
    query type is not recognized by the server, an AXFR (preceded by a
    UDP SOA query) should be tried, ensuring backward compatibility.  If
    the query response is a single packet with the entire new zone, or if
    the server does not have a newer version than the client, everything
    is done.  Otherwise, a TCP IXFR query should be tried.

When reading the first paragraph I get that IXFR is one message 
query, one message response ("single DNS packet").  However, the "may 
attempt to reply" is not correct, the RFC should read "and will reply 
with one of three kinds of responses."  One being the "no IXFR 
possible", the other being the ordinary IXFR, and then the AXFR-style 
IXFR.  BTW, the latter is not a term used in the RFC.

 From that I have always assumed that the IXFR response is one DNS 
message.  Even on TCP.

The second paragraph adds to the confusion over fallback.  It talks 
about trying AXFR, but only if the IXFR is not understood.  And the 
has one line tacked on to the end of the paragraph of TCP IXFR being 
tried.

What needs to be fixed is how IXFR behaves on TCP.  It should be 
limited in its resource consumption.  That's what I'd go after.

I suppose I never assumed an implementation try IXFR over TCP. 
That's why I've never seen this issue in code or operations.

I think that the change here is not to cut off AXFR-stype IXFRs but 
to limit what a IXFR server considers an acceptable IXFR response. 
On TCP though you don't have a forced limit (512, EDNS0).

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

I'm overly entertained.

v2.23.0 | Report a Bug | By Email