Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Lars Eggert <lars@eggert.org> Tue, 30 November 2021 07:51 UTC
Return-Path: <lars@eggert.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0CDC3A10D0; Mon, 29 Nov 2021 23:51:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eggert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LixsNhJIN0mt; Mon, 29 Nov 2021 23:51:27 -0800 (PST)
Received: from mail.eggert.org (mail.eggert.org [91.190.195.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81ED13A10CE; Mon, 29 Nov 2021 23:51:27 -0800 (PST)
Received: from smtpclient.apple (unknown [IPv6:2a00:ac00:4000:400:c1a3:8155:80b9:705b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.eggert.org (Postfix) with ESMTPSA id 78798601F03; Tue, 30 Nov 2021 09:51:12 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=eggert.org; s=dkim; t=1638258673; bh=+kAC6h0rwMMIRRmILRpvnpxbPupLvAqnHGm2NSUM6gk=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=FVRfSroXXXGxwVGQY14kQTFn9+BpoDeEO+NJ2GSIK+jsupxRiQNIxG9VH5XkQKfV/ QlPOVcfFeeEgk0j1cm3gX5Cq42c7zR1AUqSkCHzo2380JKdsVqZbUXnJUfg8Td8c6u RhhMG2KXwN96bnIGzgZFp1fXRnD/T3W5bgSBKlFA=
Content-Type: multipart/signed; boundary="Apple-Mail=_F0EF86B5-B99F-4565-881B-B87B09BFD9A9"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.20.0.1.32\))
From: Lars Eggert <lars@eggert.org>
In-Reply-To: <AB8A981D-4923-4D58-8035-3708E4C991A1@verisign.com>
Date: Tue, 30 Nov 2021 09:51:11 +0200
Cc: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>
Message-Id: <D3BA2B5C-C398-430D-B526-248A5A74F571@eggert.org>
References: <163524814397.6773.7925615506385048342@ietfa.amsl.com> <AB8A981D-4923-4D58-8035-3708E4C991A1@verisign.com>
To: "Wessels, Duane" <dwessels@verisign.com>
X-MailScanner-ID: 78798601F03.A438B
X-MailScanner: Found to be clean
X-MailScanner-From: lars@eggert.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1Pvd8I7kwwY66hr8lba7oK0jRes>
Subject: Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 07:51:33 -0000
Hi, thanks for the detailed response. I have a few comments below, and I've trimmed everything from this reply where I agree with the resolution you proposed in your response. On 2021-11-30, at 1:53, Wessels, Duane <dwessels@verisign.com> wrote: >> Section 4.2. , paragraph 3, discuss: >>> Since host memory for TCP state is a finite resource, DNS clients and >>> servers MUST actively manage their connections. Applications that do >>> not actively manage their connections can encounter resource >>> exhaustion leading to denial of service. For DNS, as in other >>> protocols, there is a tradeoff between keeping connections open for >>> potential future use and the need to free up resources for new >>> connections that will arrive. >> >> For it to contain a MUST-level requirement, this section needs to give a lot >> more concrete guidance on what it means to "actively" manage connections. Most >> operating systems by default impose some application limits that usually >> effectively prevent DOS or other resource exhaustion issues. Is the intent here >> that DNS implementations need to do more? If so, what? > > I can easily be convinced that SHOULD is more appropriate than MUST here. I think that would be better, esp. for clients and because the "actively manage" term is still unclear to me - it seems to mean "must implement (some of) the limits below"? > I dont necessarily agree that operating systems alone do a very good job > of preventing DOS conditions. It is possible that Im not up-to-date on > the latest and greatest in terms of operating system features, but I think > historically applications have fared better when they manage their own > connections. For example, can we realistically expect the OS to know which > idle connections should be closed? The OS will certainly try to close sufficient connections under DDoS to remain operational. But if an application wants to see connections closed according to a certain policy - and DNS servers probably would - they need to actively engage. Maybe that's the rationale here? (Also, Linux and other major OSs these days handle very large numbers of TCP connections just fine, I think I recall seeing numbers up to a million for Linux (assuming sufficiently beefy hardware). And deployments that needs to handle such connection counts would normally load-balance into a server cluster anyway. So I remain a bit unconvinced that the limits described in this doc are all that important. But that's just a comment and I'm certainly not going to block the document over this.) >> Section 3. , paragraph 1, comment: >>> 3. DNS over TCP Requirements >> >> While the history preceding this section is interesting for context, I think >> moving this section up would increase readability significantly. > > Okay with me. I would like to hear from the Chairs. I'm OK with whatever resolution they prefer. >> Section 4.2. , paragraph 3, comment: >>> DNS server software MAY provide a configurable limit on the number of >>> established connections per source IP address or subnet. This can be >>> used to ensure that a single or small set of users cannot consume all >>> TCP resources and deny service to other users. Operators SHOULD >>> ensure this limit is configured appropriately, based on their number >>> and diversity of users. >> >> This limit only begins to establish fairness once the overall number of >> permitted connections is reached. Until that point, it possibly limits client >> performance without any benefit. > > I suppose this depends on how it is implemented and there are lessons to be > learned from the world of IP QOS. > > I surveyed open source DNS server code and their developers and found that only > one implements this limit and ships with no limit by default. > > Perhaps this current (updated) paragraph is better: > > DNS server software MAY provide a configurable limit on the number of > established connections per source IP address or subnet. This can be > used to ensure that a single or small set of users cannot consume all > TCP resources and deny service to other users. Note, however, that > if this limit is enabled, it possibly limits client performance while > leaving some TCP resources unutilized. Operators SHOULD be aware of > these tradeoffs and ensure this limit, if configured, is set > appropriately based on the number and diversity of their users, and > whether users connect from unique IP addresses or through a shared > Network Address Translator [RFC3022]. > >> Section 4.2. , paragraph 3, comment: >>> DNS server software SHOULD provide a configurable timeout for idle >>> TCP connections. For very busy name servers this might be set to a >>> low value, such as a few seconds. For less busy servers it might be >>> set to a higher value, such as tens of seconds. >> >> Ditto. > > In this case all of the open source implementations I surveyed have this > limit enabled by default. It might be useful to add a brief note similar to the one above here as well. Thanks, Lars
- [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop… Lars Eggert via Datatracker
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Lars Eggert
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Benjamin Kaduk
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Benjamin Kaduk
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane