Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-chain-query

Tony Finch <> Wed, 11 November 2015 15:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 49F281B2ACE for <>; Wed, 11 Nov 2015 07:56:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id de1M4beCc9Vs for <>; Wed, 11 Nov 2015 07:56:33 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AF59B1B2A5A for <>; Wed, 11 Nov 2015 07:56:33 -0800 (PST)
X-Cam-AntiVirus: no malware found
Received: from ([]:36403) by ( []:25) with esmtpa (EXTERNAL:fanf2) id 1ZwXl9-0001tm-rd (Exim 4.86_36-e07b163) (return-path <>); Wed, 11 Nov 2015 15:56:31 +0000
Received: from fanf2 by ( with local id 1ZwXl9-00037i-JR (Exim 4.72) (return-path <>); Wed, 11 Nov 2015 15:56:31 +0000
Date: Wed, 11 Nov 2015 15:56:31 +0000
From: Tony Finch <>
To: Paul Vixie <>
In-Reply-To: <2974092.InZ2j6Ioop@linux-85bq.suse>
Message-ID: <>
References: <> <> <> <2974092.InZ2j6Ioop@linux-85bq.suse>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <>
Archived-At: <>
Cc:, Paul Hoffman <>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-chain-query
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Nov 2015 15:56:35 -0000

Paul Vixie <> wrote:
> if you mean label boundaries you have to say label boundaries,
> because dots can appear inside labels.


> second, you can't send a burst of queries, as a validator. even apart
> from the fact that any CNAME (RFC 2317 style) can add delegation points
> that weren't at label boundaries in your original QNAME, and there can
> be more than one of these, so you're not at RTT=1 or even RTT<=2, you're
> at RTT>0 without knowing the upper bound...

You get the entire CNAME chain in the first RTT so you can validate all
the links in the chain in the second RTT.

> can't flood the channel.

In most cases this will be four or six concurrent queries which is hardly
flooding the channel. This is comparable to the TCP initial window or the
burst of SYNs you get when a browser starts fetching a page full of

Browsers send a lot of concurrent queries. My experience with adns tells
me that concurrent queries work nicely at volumes orders of magnitude
bigger than we are considering here.

If you already have a TCP channel open you can send all the queries with
one write and they'll happily fit in a single segment.

f.anthony.n.finch  <>
Shannon, South Rockall: Southwesterly 7 to severe gale 9, increasing storm 10,
perhaps violent storm 11 later. Very rough or high, becoming high or very high
later. Rain or thundery showers. Moderate or poor, occasionally good.