Re: [DNSOP] Priming query transport selection
Jim Reid <jim@rfc1035.com> Wed, 13 January 2010 19:19 UTC
Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6CE873A6A3B for <dnsop@core3.amsl.com>; Wed, 13 Jan 2010 11:19:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.949
X-Spam-Level:
X-Spam-Status: No, score=-3.949 tagged_above=-999 required=5 tests=[AWL=-1.350, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JOORdHezTn80 for <dnsop@core3.amsl.com>; Wed, 13 Jan 2010 11:19:46 -0800 (PST)
Received: from hutch.rfc1035.com (hutch.rfc1035.com [195.54.233.70]) by core3.amsl.com (Postfix) with ESMTP id 49FD93A6A38 for <dnsop@ietf.org>; Wed, 13 Jan 2010 11:19:46 -0800 (PST)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jim) by hutch.rfc1035.com (Postfix) with ESMTPSA id 40B2E154283B; Wed, 13 Jan 2010 19:19:41 +0000 (GMT)
Message-Id: <555CFB98-BB21-4AD4-9D4A-3AF3BD98E4B2@rfc1035.com>
From: Jim Reid <jim@rfc1035.com>
To: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <201001131823.o0DINxYv068180@stora.ogud.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 13 Jan 2010 19:19:40 +0000
References: <201001131823.o0DINxYv068180@stora.ogud.com>
X-Mailer: Apple Mail (2.936)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Priming query transport selection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2010 19:19:47 -0000
On 13 Jan 2010, at 18:19, Olafur Gudmundsson wrote: > I would like to propose that the document take the plunge of > recommending that > modern DNSSEC capable resolvers perform the priming query over TCP. I'm not sure it's a good idea to encourage more TCP traffic to the root servers or make that the default. It doesn't seem right to oblige servers with decent underlying transport that can handle big EDNS0 payloads to ignore that and use TCP for their priming queries. How about the following text instead? Priming queries from DNSSEC-aware resolvers A DNSSEC-aware priming query will generate a response of at least 5K. DNSSEC-aware resolvers making a priming query with EDNS0 SHOULD use a minimum buffer size of foo*. If such a priming query fails -- say because of fragmentation issues in the underlying network -- a DNSSEC- aware resolver SHOULD use TCP. If TCP is refused or times out a different server SHOULD be tried. After TCP failures from 3 root servers, the resolver SHOULD fall back on UDP and use an EDNS0 buffer no larger than bar*. A resolver resorting to UDP/EDNS with a buffer size of bar should use that combination for subsequent queries needed to fully validate the response to their priming query. Priming queries from DNSSEC-ignorant resolvers A resolver that is DNSSEC ignorant but EDNS0 capable SHOULD issue the priming query over UDP using ENDS0 and MUST provide a buffer size of 1220 or larger. If the UDP query with EDNS0 times out or fails, TCP SHOULD be tried. Priming queries from DNSSEC-ignorant resolvers An EDNS0 ignorant resolver MUST issue the priming query over UDP. * The values for foo and bar are open for discussion. Though there should be some text to explain whatever values were decided. As a straw man, how about 8K for foo and 1220 for bar? As a number plucked from the air, 8K should be "big enough" to cope with larger or extra signatures, when there's say a rollover of 2048 bit RSA keys under way. [I've not done the arithmetic to check if a signed root response with 2 such keys will fit in 8K. So shoot me...] For bar, the number is even murkier. It needs to be much less than foo (obviously), so maybe the payload should be set to that for an unsigned UDP response?
- [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Alfred Hönes
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Edward Lewis
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
- Re: [DNSOP] Priming query transport selection Nicholas Weaver
- Re: [DNSOP] Priming query transport selection Ray.Bellis
- [DNSOP] RSA cracking Jim Reid
- Re: [DNSOP] Priming query transport selection Patrik Fältström
- Re: [DNSOP] Priming query transport selection bmanning
- Re: [DNSOP] Priming query transport selection Nicholas Weaver
- Re: [DNSOP] Priming query transport selection Patrik Fältström
- Re: [DNSOP] Priming query transport selection Sebastian Castro
- Re: [DNSOP] Priming query transport selection Ray.Bellis
- Re: [DNSOP] Priming query transport selection Simon Leinen
- Re: [DNSOP] Priming query transport selection Florian Weimer
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Florian Weimer
- Re: [DNSOP] Priming query transport selection George Barwood
- Re: [DNSOP] Priming query transport selection George Barwood
- [DNSOP] signing glue and additional data Jim Reid
- Re: [DNSOP] signing glue and additional data George Barwood
- Re: [DNSOP] Priming query transport selection Sebastian Castro
- [DNSOP] on what glue is (was: signing glue and ad… Andrew Sullivan
- Re: [DNSOP] on what glue is (was: signing glue an… Roy Arends
- Re: [DNSOP] [dnsext] Re: Priming query transport … Danny Mayer
- Re: [DNSOP] [dnsext] Re: Priming query transport … Alfred Hönes
- Re: [DNSOP] [dnsext] Re: Priming query transport … Olafur Gudmundsson