Re: [dnsext] Slamming the TCP door, was Re: Fwd: New Version Notification for draft-ah-dnsext-rfc1995bis-ixfr-02
Edward Lewis <Ed.Lewis@neustar.biz> Mon, 20 June 2011 13:24 UTC
Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA9821F0C44 for <dnsext@ietfa.amsl.com>; Mon, 20 Jun 2011 06:24:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.165
X-Spam-Level:
X-Spam-Status: No, score=-106.165 tagged_above=-999 required=5 tests=[AWL=0.434, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6nXn9b9MFT3Y for <dnsext@ietfa.amsl.com>; Mon, 20 Jun 2011 06:24:04 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id ABBA31F0C37 for <dnsext@ietf.org>; Mon, 20 Jun 2011 06:24:03 -0700 (PDT)
Received: from bsul-lt500.cis.neustar.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p5KDO1jM025779; Mon, 20 Jun 2011 09:24:01 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [192.168.128.30] by bsul-lt500.cis.neustar.com (PGP Universal service); Mon, 20 Jun 2011 09:24:02 -0400
X-PGP-Universal: processed; by bsul-lt500.cis.neustar.com on Mon, 20 Jun 2011 09:24:02 -0400
Mime-Version: 1.0
Message-Id: <a06240802ca24f57df4ca@[192.168.128.30]>
In-Reply-To: <20110620125420.E9F9D10EF90C@drugs.dv.isc.org>
References: <4DB81069.3080404@nic.cz> <4DF9B5BD.7010900@nic.cz> <a06240803ca1fd7525c50@10.31.201.23> <BANLkTinjRDHyKH-tLEoejodXb2+7qQLO7w@mail.gmail.com> <a06240801ca2102b8b4f2@10.31.201.23> <BANLkTikoVVaXF2_LJ3KHm6P7oFpfC+n2tw@mail.gmail.com> <a06240801ca21246f76de@10.31.201.23> <BANLkTinVfuL0WEYwaycTaAnWDS9vYF5NjQ@mail.gmail.com> <4DFEFBDE.4030303@nlnetlabs.nl> <1308572047.2742.37.camel@shane-desktop> <a06240801ca24edde2b90@[192.168.1.104]> <20110620125420.E9F9D10EF90C@drugs.dv.isc.org>
Date: Mon, 20 Jun 2011 09:22:07 -0400
To: Mark Andrews <marka@isc.org>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, dnsext@ietf.org
Subject: Re: [dnsext] Slamming the TCP door, was Re: Fwd: New Version Notification for draft-ah-dnsext-rfc1995bis-ixfr-02
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2011 13:24:19 -0000
At 22:54 +1000 6/20/11, Mark Andrews wrote: >They differ by the QTYPE is the question section of the response otherwise >they are identical. >The following is legal with IXFR and results in a AXFR style IXFR response. My assumption is that IXFR is a single query, single response message mechanism, so I would disagree with the example shown. But I can see why there's a disagreement here, based on this passage from RFC 1995. Transport of a query may be by either UDP or TCP. If an IXFR query is via UDP, the IXFR server may attempt to reply using UDP if the entire response can be contained in a single DNS packet. If the UDP reply does not fit, the query is responded to with a single SOA record of the server's current version to inform the client that a TCP query should be initiated. Thus, a client should first make an IXFR query using UDP. If the query type is not recognized by the server, an AXFR (preceded by a UDP SOA query) should be tried, ensuring backward compatibility. If the query response is a single packet with the entire new zone, or if the server does not have a newer version than the client, everything is done. Otherwise, a TCP IXFR query should be tried. When reading the first paragraph I get that IXFR is one message query, one message response ("single DNS packet"). However, the "may attempt to reply" is not correct, the RFC should read "and will reply with one of three kinds of responses." One being the "no IXFR possible", the other being the ordinary IXFR, and then the AXFR-style IXFR. BTW, the latter is not a term used in the RFC. From that I have always assumed that the IXFR response is one DNS message. Even on TCP. The second paragraph adds to the confusion over fallback. It talks about trying AXFR, but only if the IXFR is not understood. And the has one line tacked on to the end of the paragraph of TCP IXFR being tried. What needs to be fixed is how IXFR behaves on TCP. It should be limited in its resource consumption. That's what I'd go after. I suppose I never assumed an implementation try IXFR over TCP. That's why I've never seen this issue in code or operations. I think that the change here is not to cut off AXFR-stype IXFRs but to limit what a IXFR server considers an acceptable IXFR response. On TCP though you don't have a forced limit (512, EDNS0). -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 I'm overly entertained.
- [dnsext] Fwd: New Version Notification for draft-… Ondřej Surý
- Re: [dnsext] Fwd: New Version Notification for dr… Ondřej Surý
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Brian Dickson
- Re: [dnsext] Fwd: New Version Notification for dr… Mark Andrews
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Mark Andrews
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Ondřej Surý
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Brian Dickson
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Brian Dickson
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Brian Dickson
- Re: [dnsext] Fwd: New Version Notification for dr… W.C.A. Wijngaards
- [dnsext] Use case for IXFR-only, was Re: Fwd: New… Shane Kerr
- [dnsext] Slamming the TCP door, was Re: Fwd: New … Shane Kerr
- Re: [dnsext] Use case for IXFR-only, was Re: Fwd:… Edward Lewis
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Edward Lewis
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Mark Andrews
- Re: [dnsext] Use case for IXFR-only, was Re: Fwd:… Mark Andrews
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Edward Lewis
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … W.C.A. Wijngaards
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Josh Littlefield
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Josh Littlefield
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Paul Vixie
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Masataka Ohta
- Re: [dnsext] Slamming the TCP door, was Re: Fwd: … Florian Weimer
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] Fwd: New Version Notification for dr… Edward Lewis
- Re: [dnsext] Fwd: New Version Notification for dr… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Ondřej Surý
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Ondřej Surý
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Ondřej Surý
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Mark Andrews
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Shane Kerr
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta
- Re: [dnsext] New Version Notification for draft-a… Mark Andrews
- Re: [dnsext] New Version Notification for draft-a… Masataka Ohta