Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt
Paul Wouters <paul@nohats.ca> Mon, 09 March 2015 19:01 UTC
Date: Mon, 09 Mar 2015 15:01:13 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tony Finch <dot@dotat.at>
In-Reply-To: <alpine.LSU.2.00.1503091825470.23307@hermes-1.csi.cam.ac.uk>
Message-ID: <alpine.LFD.2.10.1503091454110.31683@bofh.nohats.ca>
References: <20150309181620.6735.40863.idtracker@ietfa.amsl.com> <alpine.LSU.2.00.1503091825470.23307@hermes-1.csi.cam.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/8TRMeQBv-MxcVRfUa_BiIyXPS-U>
Cc: dnsop@ietf.org
On Mon, 9 Mar 2015, Tony Finch wrote:

> The justification in the introduction is misleading:
>
>     This document specifies an EDNS0 extension that allows a validating
>     Resolver running as a Forwarder to open a TCP connection to another
>     Resolver and request a DNS chain answer using one DNS query/answer
>     pair. This reduces the number of round-trip times ("RTT") to two.
>     If combined with long lived TCP or [TCP-KEEPALIVE] there is only 1
>     RTT.
>
> Without this extension the typical number of RTTs required is 1, so this
> isn't a reduction.

When you have nothing of nohats.ca in your cache, and you ask for the A
record of www.nohats.ca, you will normally get back the A record and the
RRSIG. Then you need to query for the DS, DNSKEY, etc etc. And then for the
DS, DNSKEY et al. of the parent, the parent's parent, etc. All of those
require round trips.

Yes, you can blindly send a bunch of parallel UDP queries on every dot and
hope the last one you need didn't take too long or drop. Clearly this
extension provides a more robust way of doing this. The interface is
clean, and you get all you need in a single DNS packet.

> There is also no guarantee
> that the initial set of UDP questions will result in all the records
> required for DNSSEC validation. More round trips could be required
> depending on the resulting DNS answers.
>
> With this extension you still require 2 RTT if the target is SRV or MX,
> and maybe if it is CNAME or DNAME depending on how much the server decides
> to return. Maybe it requires 3 RTT if the server decides it doesn't like
> doing chain queries any more.

I'm happy to add a section of recommendations for adding common "related
records" such as IPSECKEY, TLSA, SSHFP or what not. It does mention
CNAME/DNAME and I'm happy to add an entry about SRV and MX. Would that
address your concerns?

> It occurs to me that you could get a lot of edns-chain-query's bandwidth
> saving with a simple "minimal responses please" query flag.

This is not about bandwidth saving.

Paul
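As an added illustration of the cold-cache walk Paul describes (not code from the draft or from either poster): enumerate the queries a validating forwarder needs to build the DNSSEC chain for a name when it does not yet know where the zone cuts are, so every dot is a candidate cut, and compare the round-trip counts of the strategies the thread mentions. The zone-walk logic and the strategy names are assumptions of this example.

```python
# Added example, not code from draft-ietf-dnsop-edns-chain-query or the thread.
# Models a validating forwarder with a cold cache: the answer and its RRSIG
# come back first, then for every candidate zone between the name and the
# nearest already-trusted zone it still needs that zone's DNSKEY plus the DS
# record published in the parent.

def candidate_zones(qname):
    """Names from qname up to the root: www.nohats.ca. -> nohats.ca. -> ca. -> .

    With nothing cached the resolver cannot tell which labels are zone cuts,
    so (as the reply says) every dot is treated as a possible cut.
    """
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def chain_queries(qname, qtype="A", trusted=frozenset({"."})):
    """(owner, RRtype) pairs needed to validate qname/qtype.

    `trusted` holds zones whose DNSKEY RRset is already validated: the root
    via its trust anchor, plus anything the cache already holds. The upward
    walk stops at the first trusted zone because the chain is anchored there.
    """
    qname = qname.rstrip(".") + "."
    queries = [(qname, qtype)]  # answer RRset and its RRSIG arrive together
    for zone in candidate_zones(qname):
        if zone in trusted:
            break
        queries.append((zone, "DNSKEY"))  # keys that sign this zone's data
        queries.append((zone, "DS"))      # delegation signer held by the parent
    return queries

def round_trips(qname, trusted=frozenset({"."})):
    """Round trips per strategy discussed in the thread (assumed model).

    sequential: one dependent query at a time; parallel_udp: blind burst on
    every dot, 1 RTT only when nothing is lost or slow; chain_query: TCP
    handshake plus one query, or 1 RTT over a kept-alive connection.
    """
    n = len(chain_queries(qname, trusted=trusted))
    return {"sequential": n, "parallel_udp": 1,
            "chain_query": 2, "chain_query_keepalive": 1}

if __name__ == "__main__":
    for q in chain_queries("www.nohats.ca"):
        print("%-16s %s" % q)
    print(round_trips("www.nohats.ca"))
```

Passing a larger `trusted` set (for example with `nohats.ca.` already validated) shows how much of the walk a warm cache removes, which is the case Tony's "typical number of RTTs" comment assumes.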