Re: [DNSOP] Priming query transport selection

Jim Reid <> Wed, 13 January 2010 19:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6CE873A6A3B for <>; Wed, 13 Jan 2010 11:19:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.949
X-Spam-Status: No, score=-3.949 tagged_above=-999 required=5 tests=[AWL=-1.350, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JOORdHezTn80 for <>; Wed, 13 Jan 2010 11:19:46 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 49FD93A6A38 for <>; Wed, 13 Jan 2010 11:19:46 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jim) by (Postfix) with ESMTPSA id 40B2E154283B; Wed, 13 Jan 2010 19:19:41 +0000 (GMT)
Message-Id: <>
From: Jim Reid <>
To: Olafur Gudmundsson <>
In-Reply-To: <>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 13 Jan 2010 19:19:40 +0000
References: <>
X-Mailer: Apple Mail (2.936)
Subject: Re: [DNSOP] Priming query transport selection
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Jan 2010 19:19:47 -0000

On 13 Jan 2010, at 18:19, Olafur Gudmundsson wrote:

> I would like to propose that the document take the plunge of  
> recommending that
> modern DNSSEC capable resolvers perform the priming query over TCP.

I'm not sure it's a good idea to encourage more TCP traffic to the  
root servers or make that the default. It doesn't seem right to oblige  
servers with decent underlying transport that can handle big EDNS0  
payloads to ignore that and use TCP for their priming queries.

How about the following text instead?

Priming queries from DNSSEC-aware resolvers

A DNSSEC-aware priming query will generate a response of at least 5K.  
DNSSEC-aware resolvers making a priming query with EDNS0 SHOULD use a  
minimum buffer size of foo*. If such a priming query fails -- say  
because of fragmentation issues in the underlying network -- a DNSSEC- 
aware resolver SHOULD use TCP. If TCP is refused or times out a  
different server SHOULD be tried. After TCP failures from 3 root  
servers, the resolver SHOULD fall back on UDP and use an EDNS0 buffer  
no larger than bar*. A resolver resorting to UDP/EDNS with a buffer  
size of bar should use that combination for subsequent queries needed  
to fully validate the response to their priming query.

Priming queries from DNSSEC-ignorant resolvers

A resolver that is DNSSEC ignorant but EDNS0 capable SHOULD issue the  
priming query over UDP using ENDS0 and MUST provide a buffer size of  
1220 or larger.  If the UDP query with EDNS0 times out or fails, TCP  
SHOULD be tried.

Priming queries from DNSSEC-ignorant resolvers

An EDNS0 ignorant resolver MUST issue the priming query over UDP.

* The values for foo and bar are open for discussion. Though there  
should be some text to explain whatever values were decided. As a  
straw man, how about 8K for foo and 1220 for bar? As a number plucked  
from the air, 8K should be "big enough" to cope with larger or extra  
signatures, when there's say a rollover of 2048 bit RSA keys under  
way. [I've not done the arithmetic to check if a signed root response  
with 2 such keys will fit in 8K. So shoot me...] For bar, the number  
is even murkier. It needs to be much less than foo (obviously), so  
maybe the payload should be set to that for an unsigned UDP response?