[DNSOP] Re: draft-fujiwara-dnsop-dns-upper-limit-values
Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Wed, 10 July 2024 13:27 UTC
Message-Id: <m1sRXLs-0000LpC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Sender: pch-b538D2F77@u-1.phicoh.com
References: <20240709.190627.2171739541556622717.fujiwara@jprs.co.jp> <b46fb097-d8d9-4765-b797-18c8e8e74389@bellis.me.uk>
In-reply-to: Your message of "Wed, 10 Jul 2024 10:21:18 +0100 ." <b46fb097-d8d9-4765-b797-18c8e8e74389@bellis.me.uk>
Date: Wed, 10 Jul 2024 15:27:19 +0200
CC: Ray Bellis <ray@bellis.me.uk>
Subject: [DNSOP] Re: draft-fujiwara-dnsop-dns-upper-limit-values
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6QLMdGA5B9MULfJNAdWz1lr2zwQ>
> I disagree with the rationale for 13 name servers.
>
> The root (and .com) have that because it was what would fit into
> packets of a particular size given their naming scheme and that
> scheme's efficient compressibility.
>
> If there is to be a recommended limit, it should be specifically
> for packet size reasons, and not just "because this is what the
> root does".

In this case, what the root does is a minimum otherwise things would break.

But there is more at play than packet sizes. From a packet size point of view the limit on RRsets is around 64 KB per RRset. For CNAMEs, all CNAMEs plus the result RRset need to fit in 64 KB. For delegations, all NS records plus required glue need to fit, etc.

However those limits provide an opportunity to completely DoS a recursive resolver. No recursive resolver just keeps following CNAMEs until a 64 KB limit is reached. So in practice recursive resolvers have far lower limits on the number of CNAMEs they are willing to follow. So what we see is that some names cannot be resolved by some resolvers because the CNAME chain is longer than what the resolver accepts.

Currently, security researchers seem to have a hard time finding interesting bugs in DNS software so they mainly focus on DoS attacks. The net result is that for recursive resolver software, there is a push to reduce the limits of what the resolver accepts. When the limits get too low, things start breaking.

So the question becomes, do we want some limits in an RFC that everybody agrees on or do we want to keep the current informal system where limits are not fixed and people can get unlucky if they exceed limits they didn't know exist.
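The two limits the message contrasts, as an added example that is not part of the original post or of any resolver's code: a toy CNAME chaser with a per-query hop limit that also accounts for the answer's uncompressed wire size, so the protocol's 64 KB message ceiling can be set beside the far lower hop limit a resolver actually enforces. The zone data, the hop limit of 8 and the status names are constructed for illustration.

```python
# Added example (not from the mailing-list post): toy resolver logic that
# follows a constructed CNAME chain under a hop limit and tallies the wire
# size of the answer it would return, to compare with the 64 KB ceiling.

MAX_MESSAGE_BYTES = 65535  # 16-bit length prefix on TCP: hard protocol ceiling

def wire_name_len(name):
    """Uncompressed wire length of a dotted name: one length byte per label
    plus its text, terminated by a single zero byte for the root."""
    labels = [l for l in name.strip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def rr_wire_len(owner, rdata_len):
    """Owner name + TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) + RDATA."""
    return wire_name_len(owner) + 10 + rdata_len

def follow_chain(zone, qname, max_cnames):
    """Resolve qname against {name: ("CNAME", target) | ("A", ip)}.
    Returns (status, answer_rrs, answer_bytes): NOERROR on success, SERVFAIL
    once the chain exceeds the hop limit, NXDOMAIN on a dangling target."""
    answer, size, hops, name = [], 0, 0, qname
    while True:
        rr = zone.get(name)
        if rr is None:
            return "NXDOMAIN", answer, size
        rtype, rdata = rr
        if rtype == "CNAME":
            if hops >= max_cnames:  # the resolver gives up long before 64 KB
                return "SERVFAIL", answer, size
            hops += 1
            answer.append((name, rtype, rdata))
            size += rr_wire_len(name, wire_name_len(rdata))
            name = rdata
            continue
        answer.append((name, rtype, rdata))
        size += rr_wire_len(name, 4)  # A rdata is 4 bytes
        return "NOERROR", answer, size

def build_chain(depth):
    """Constructed zone: hop0.example. -> hop1.example. -> ... -> A record."""
    zone = {f"hop{i}.example.": ("CNAME", f"hop{i+1}.example.") for i in range(depth)}
    zone[f"hop{depth}.example."] = ("A", "192.0.2.1")
    return zone

if __name__ == "__main__":
    for depth, limit in ((5, 8), (12, 8)):
        status, rrs, nbytes = follow_chain(build_chain(depth), "hop0.example.", limit)
        print(f"chain of {depth} CNAMEs, resolver limit {limit}: {status}, "
              f"{len(rrs)} RRs, {nbytes} of {MAX_MESSAGE_BYTES} bytes")
```

The 12-hop chain fails with a few hundred bytes of answer, nowhere near the message ceiling, which is the "names that cannot be resolved by some resolvers" case from the message.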