Re: [DNSOP] Reply: Call for Adoption: draft-song-atr-large-resp

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 24 January 2019 20:28 UTC


(Top-reply, apologies for those offended by this practice.)

I also oppose adoption (at least of the draft in its current form).

Very quick questions:
(1) Has your testing revealed *where* the IPv6 fragmentation is occurring?
IIRC, IPv6 requires the originating host to do so. And originating UDP
packet size will be the smaller of the authority servers' configs and the
EDNS bufsize on the request.
(2) Have you experimented with setting EDNS0 UDP bufsize to the *actual max
size* that IPv6 allows *without fragmenting* (or MTU?), and what happens
when you do that? (Actual MTU may vary topologically, YMMV, etc.)

My suspicion is that the better approach for resolvers might actually be to
do their IPv6 stuff "better", for some value of "better", in a way that
does not require DNS protocol changes (or changes to transport specs like
UDP or IPv6).
Or maybe we could add a new edns0 ip6-bufsize option in future so v4 vs v6
limits can be separated (and thus standardize (and kind of simplify)
resolver and auth server configs).

Please experiment a bit and let us know the results.

Brian


On Tue, Jan 22, 2019 at 12:50 AM Davey Song(宋林健) <ljsong@biigroup.cn> wrote:

> Thanks to all commenters; I appreciate your frankness and vote based on
> your technical sense. I understand your push back, especially considering
> the DNS camel stuff. I try to reply to some of the comments here.
>
> Some people argue about the problem statement of this draft.
>
> > Peter: Meanwhile, we have no indication that the draft solves any
> existing real world problem in a useful way.
>
> > Petr Špaček: Solving a rare operational problem with a huge and ugly hack
> is no-go territory for the Knot Resolver project.
>
> It is not rare. It is just under the water. You cannot run a ship unaware
> of it, especially towards an IPv6-only future. Here some pointers and
> numbers are given:
>
> [1] presents a 28.26% ~ 55.23% packet drop rate for IPv6 fragments. [2]
> reports 10% of the paths between the vantage points and the experimental
> setup filter IP fragments. [3] reports 37.45% of endpoints used
> IPv6-capable DNS resolvers that were incapable of receiving a fragmented
> IPv6 response. [4] The Yeti testbed also observed over a 7% failure rate for
> queries against IPv6-only servers during the KSK rollover using 100 probes. [5]
> is an IETF working group document on this problem. It is **not** a rare
> operational problem.
>
> > Ralf Weber: Having one v6 name server that will respond correctly with
> fragments also solves the problem. I think the problem space is too narrow
> to burden this problem on all resolvers.
>
> Now 389 v6 TLD servers including .org reply with large packets, please
> check [Appendix]. I'm not sure how they can respond correctly currently when
> they need to add more content in the answer section. I'm told that a few large
> DNS operators using a certain DNSSEC tool generate a large DNSKEY RRset and
> RRSIG RRset.
>
> > [Most importantly we need to get an explanation why Geoff's experiments
> > show problems but clients can in practice resolve org. DNSKEY just fine.]
>
> Network operation issues are hidden from the application layer's point of view.
> The impact introduced by IPv6 fragment dropping is hidden by different
> layers of redundancy. From the users' perspective, dual-stack applications running
> Happy Eyeballs will hide IPv6 networking issues from themselves and the
> network operator. From the DNS perspective, resolvers can retry, most likely
> fall back to TCP, and without TCP they finally fall back to IPv4 to deliver the AAAA
> record! If we leave this issue alone, I bet the dual-stack period will
> last much longer than expected.
>
> There is a separate thread on the ORAC mailing list on "How .org name servers
> handle large DNS responses?". I'm looking forward to the response from the org.
> DNS people. I expect some data and analysis, not only emotion. I'm wondering
> whether there is a difference in the query pattern (in terms of UDP/TCP ratio,
> IPv4/IPv6 ratio etc.) between small responses and large responses.
>
> [1] RFC 7872, Observations on the Dropping of Packets with IPv6 Extension
> Headers in the Real World, https://tools.ietf.org/html/rfc7872
> [2] De Boer, M. and J. Bosma, "Discovering Path MTU black holes on the
> Internet using RIPE Atlas", July 2012,
> http://www.nlnetlabs.nl/downloads/publications/pmtu-black-holes-msc-thesis.pdf
> [3] APNIC measurement study,
> https://blog.apnic.net/2017/08/22/dealing-ipv6-fragmentation-dns/
> [4] RFC 8483, Yeti DNS testbed, https://tools.ietf.org/html/rfc8483
> [5] IP Fragmentation Considered Fragile,
> https://tools.ietf.org/html/draft-ietf-intarea-frag-fragile-04
> [Appendix] 389 TLDs' responses for DNSKEY with RRSIG larger than 1500 (msg
> size + 48)
>
>
> ##### 389 TLDs' response packets for DNSKEY with RRSIG are larger than 1500
> (msg size + 48) ########
>
> Best regards,
> Davey
>
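The sizing arithmetic behind Brian's questions (1) and (2) and the appendix's "msg size + 48" figure, worked as an added example that is not part of this thread or of the draft. It assumes the 48 bytes are the IPv6 (40) plus UDP (8) headers, takes the authority's emitted UDP size as the smaller of its configured maximum and the query's EDNS bufsize, and parses a few constructed lines in the appendix's "name size" format.

```python
"""Added example: classify DNSKEY responses by whether they fit, fragment,
or get truncated on an IPv6 path, using the thread's stated overhead."""
import re

IPV6_UDP_OVERHEAD = 48   # assumption: 40-byte IPv6 header + 8-byte UDP header
IPV6_MIN_MTU = 1280      # minimum link MTU every IPv6 link must support
ETHERNET_MTU = 1500

# Constructed sample in the appendix's "name<whitespace>size" format.
SAMPLE = """org.    1625
sl.     3319
kia.    1462
ky.     1735
"""


def parse_sizes(text):
    """Parse 'name size' lines into {name: dns_message_size_in_bytes}."""
    sizes = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\d+)\s*$", line)
        if m:
            sizes[m.group(1)] = int(m.group(2))
    return sizes


def effective_udp_limit(server_max_udp, client_edns_bufsize):
    """Largest UDP response the authority will emit: the smaller of its own
    configured maximum and the bufsize advertised in the query."""
    return min(server_max_udp, client_edns_bufsize)


def max_bufsize_without_fragmentation(path_mtu):
    """Largest EDNS bufsize whose whole datagram still fits in one packet."""
    return path_mtu - IPV6_UDP_OVERHEAD


def classify(msg_size, server_max_udp, client_edns_bufsize, path_mtu):
    """Return 'truncated', 'fragments' or 'fits' for one DNS response."""
    limit = effective_udp_limit(server_max_udp, client_edns_bufsize)
    if msg_size > limit:
        return "truncated"   # TC=1: resolver must retry over TCP
    if msg_size + IPV6_UDP_OVERHEAD > path_mtu:
        return "fragments"   # originating host fragments; fragments may be dropped
    return "fits"


def summarize(sizes, server_max_udp, client_edns_bufsize, path_mtu):
    """Classify every parsed response under one server/client/path setting."""
    return {name: classify(size, server_max_udp, client_edns_bufsize, path_mtu)
            for name, size in sizes.items()}
```

Running `summarize(parse_sizes(SAMPLE), 4096, 4096, 1500)` marks every sample entry as fragmenting, while lowering the bufsize to `max_bufsize_without_fragmentation(IPV6_MIN_MTU)` turns those into truncations that fall back to TCP instead.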