Re: [DNSOP] Priming query transport selection
Alfred Hönes <ah@TR-Sys.de> Wed, 13 January 2010 20:58 UTC
From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <201001132058.VAA11959@TR-Sys.de>
To: ogud@ogud.com, dnsop@ietf.org
Date: Wed, 13 Jan 2010 21:58:32 +0100
Cc: namedroppers@ops.ietf.org
Subject: Re: [DNSOP] Priming query transport selection
I apologize for cross-posting due to topical overlap.
Please confine follow-up messages to the appropriate list.

In the message to DNSOP regarding draft-ietf-dnsop-resolver-priming-02
archived at
<http://www.IETF.ORG/mail-archive/web/dnsop/current/msg07843.html>,
Olafur Gudmundsson scratched at a topic of interest to namedroppers
as well; he wrote:

> ...
>
> Background:
> 26 signed glue records will require about 5K answer if each RRSet is
> signed by a single 1024 bit RSA key.
> This will never fit into an ENDS0 answer as number of implementations
> have 4096 byte hard limit on answer size.

Did you read the News these days?
An international team led by the BSI (the "German NSA") and others
has solved the RSA-768 challenge, and experts reportedly expect, due
to significant progress, that RSA-1024 will be solved in a rather
short time, likely by the end of this year or so!
This means that we should immediately plan operationally for
widespread use of 2048-bit RSA keys in the "near" future.

> As of today all the root servers instances that my host reached
> answered a TCP query.
>
> Proposed replacement text:
>
>|2.1. Parameters of a Priming Query
>|
>|   A priming query MUST use a QNAME of "." and a QTYPE of NS, QCLASS
>|   of IN, with RD bit set to 0, the source port of the query should
>|   be randomly selected [RFC5452].
>|
>|   A DNSSEC aware resolver SHOULD send the priming query over TCP.
>|   If TCP is refused a different server SHOULD be tried, after 3 tries
>|   the resolver SHOULD fall back on UDP.
>|
>|   A DNSSEC ignorant but EDNS0 capable, resolver SHOULD issue the
>|   priming query over UDP, ENDS0 option MUST be included with buffer
>|   size of 1220 or larger.  If the UDP query times out TCP SHOULD be
>|   tried.
>|
>|   An EDNS0 ignorant resolver MUST issue the priming query over UDP.
>
> ...

I therefore support the proposal suggested by Olafur:
Recommend that <DNSSEC aware resolvers> SHOULD issue priming queries
immediately over TCP, and not waste time and bandwidth with an initial
query over UDP (that will be truncated with certainty).

Even UDP with EDNS0 and 4k message size limit (which most likely will
need fragmentation and have trouble with firewalls) will not provide
a workable solution for a reasonable lifetime (of RFCs and deployed
equipment) and should only be tried as a fallback.

Those not liking DNS over TCP might wish to convince the IEEE to
quickly double the Ethernet frame size in the interim (in deployed
networks as well, of course!) and the IETF to bump the IPv4 512-byte
UDP margin.  :-)

Additionally:
++++++++++++

Work on the use of Elliptic Curve Signatures with DNSSEC urgently
needs to be resumed *now* (in DNSEXT).
EC keys and signatures will roughly be shorter than RSA keys and
signatures by a *factor* of 4..8, for comparable levels of security.

Kind regards,
  Alfred.

P.S:  Olafur:  s/ENDS0/EDNS0/g !  :-)
                 ^^     ^^
[ BTW, one of my favorite personal typos, as well! ]

--
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254 Ditzingen      |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+
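The size argument in the quoted background and in the reply (signed NS RRset plus per-owner signed glue, RSA-1024 vs. RSA-2048 vs. shorter EC signatures) can be checked with a wire-size estimate. This is an added example, not code from the thread or the draft; per-record byte counts follow the RFC 1035/4034 wire formats, while the record counts (13 NS, 13 A, 13 AAAA), the name-compression layout and the signature lengths per algorithm are assumptions stated in the comments.

```python
"""Estimate the wire size of a DNSSEC-signed root priming response and
see which transport it fits in. Added worked example; not from the thread."""

HEADER = 12          # DNS message header (RFC 1035 4.1.1)
QUESTION_ROOT = 5    # QNAME "." (1 byte) + QTYPE (2) + QCLASS (2)
RR_FIXED = 10        # TYPE, CLASS, TTL, RDLENGTH of every RR
RRSIG_FIXED = 18     # RRSIG RDATA before signer name and signature (RFC 4034)
OPT_RR = 11          # EDNS0 OPT pseudo-RR with empty RDATA

# Assumed raw signature lengths in bytes for a few DNSSEC algorithms.
SIG_BYTES = {"rsa1024": 128, "rsa2048": 256, "ecdsap256": 64}


def rrsig_size(owner, signer, alg):
    """Bytes for one RRSIG RR given owner/signer name sizes on the wire."""
    return owner + RR_FIXED + RRSIG_FIXED + signer + SIG_BYTES[alg]


def priming_response_size(alg, n_ns=13, n_a=13, n_aaaa=13, edns=True):
    """Estimate bytes of a '. IN NS' answer whose NS RRset and every
    per-owner A/AAAA glue RRset carry one RRSIG. Compression assumptions:
    the first NSDNAME (a.root-servers.net.) is written in full (20 bytes),
    later ones as a 1-char label plus pointer (4 bytes); glue owner names
    and the glue signer name are 2-byte pointers; the NS signer is "."."""
    size = HEADER + QUESTION_ROOT
    size += n_ns * (1 + RR_FIXED) + 20 + (n_ns - 1) * 4     # NS RRset
    size += rrsig_size(owner=1, signer=1, alg=alg)          # RRSIG(NS)
    size += n_a * (2 + RR_FIXED + 4)                        # A glue
    size += n_a * rrsig_size(2, 2, alg)                     # one RRSIG each
    size += n_aaaa * (2 + RR_FIXED + 16)                    # AAAA glue
    size += n_aaaa * rrsig_size(2, 2, alg)                  # one RRSIG each
    if edns:
        size += OPT_RR
    return size


def transport_for(size, edns_buf=4096):
    """Transport that carries a response of this size without truncation:
    plain UDP up to 512 bytes, UDP+EDNS0 up to the advertised buffer, else TCP."""
    if size <= 512:
        return "udp"
    if size <= edns_buf:
        return "udp+edns0"
    return "tcp"


if __name__ == "__main__":
    for alg in SIG_BYTES:
        n = priming_response_size(alg)
        print(f"{alg:10s} {n:5d} bytes -> {transport_for(n)} (4096 buf), "
              f"{transport_for(n, 1220)} (1220 buf)")
```

With these assumptions the RSA-1024 case comes out near the "about 5K" figure quoted above, RSA-2048 pushes it past 8K, and a 64-byte EC signature brings it under 4096 but still well above 1220.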