Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming
"Wessels, Duane" <dwessels@verisign.com> Thu, 18 February 2016 22:18 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 748A71ACE69 for <dnsop@ietfa.amsl.com>; Thu, 18 Feb 2016 14:18:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.042
X-Spam-Level:
X-Spam-Status: No, score=-0.042 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FRT_PROFIT1=3.858, GB_I_LETTER=-2] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iqO-i8Tq0e7f for <dnsop@ietfa.amsl.com>; Thu, 18 Feb 2016 14:18:17 -0800 (PST)
Received: from mail-qg0-x261.google.com (mail-qg0-x261.google.com [IPv6:2607:f8b0:400d:c04::261]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F196C1ACD9A for <dnsop@ietf.org>; Thu, 18 Feb 2016 14:18:16 -0800 (PST)
Received: by mail-qg0-x261.google.com with SMTP id b35so7449927qge.0 for <dnsop@ietf.org>; Thu, 18 Feb 2016 14:18:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :content-type:content-id:content-transfer-encoding:mime-version; bh=wQhhp+TeA0zzy8Y3FWrKvJf5fSTQVTjYBzTCMq3gD90=; b=fx7CVVcisSL3TX0Sv7E0sFf5AZhdKeUzbnAWNJ4fhn2sDsihOwm1DGeNh1h0PMzFeW GBnnToK/BcWMy71EzUxWvESEGV25l+yCr9GpsNmYY3R4fGKFsiDp/PhJlfy5nfwnfeLR Kav6Q2hqkNygSiLC3dBdqGRB2d9SzrO6tp388/Tqjl/X1tUf60Ee/PSMQkBzsTqF/MNB +SUXgqwhlAxj3D+IdCGPEj50Dhe/gms8O/K29CFnXagNeeysy2EkLGKyUDeCNhzY1eEn 1FUnEYJFzpa25y53ZU8m/BAYk/B5sCbQLpBJr3BZCQCzF3WwC9MzewqA+dxAxemYtj5m IsPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-type:content-id:content-transfer-encoding :mime-version; bh=wQhhp+TeA0zzy8Y3FWrKvJf5fSTQVTjYBzTCMq3gD90=; b=gMFlmrpaeK2nHVR9mFMjvE/bRVUDkEYnBCUihe4pEwZ7SRKDpatD60Wu5DbE1lrVgR Y+8J01/LIjW3E5G+XhvxUnOeJALVGxEIAnG6w14Do4qNRbKkfr3dgRqaqQ5AGJtWj/WY ExSAGfdSQO2OBmI1QhqDUChssWaNDghJm7ICcEad+U8rv7Yn95tk3LY0gP2yXy/9wXEO aT5T+0NSsJ+HfM5e0Q1ZaUvN+rUp2BtkZ5nJGAwZJmUfEiROtd/KTlY37iJa91lnQ4Vf fVubhTBJinOGHbw5qFDoORtNE6KApkihMWUsPAafhgBpY27djJFIT96ccEen1KOoWuks 7iWQ==
X-Gm-Message-State: AG10YORC7ui3oCwhUyHopGRGzxaTK7NGi5uXTBcUUElDEd75QE+XIkSUJDPOxXQqQwRZYYa8Y3ho6CUCpQpS/yUAbGU9r/lq
X-Received: by 10.140.147.4 with SMTP id 4mr12658765qht.93.1455833895963; Thu, 18 Feb 2016 14:18:15 -0800 (PST)
Received: from brn1lxmailout02.verisign.com (brn1lxmailout02.verisign.com. [72.13.63.42]) by smtp-relay.gmail.com with ESMTPS id z142sm1245063qka.11.2016.02.18.14.18.15 (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 18 Feb 2016 14:18:15 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02 [10.173.152.206]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id u1IMIFri016820 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 18 Feb 2016 17:18:15 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Thu, 18 Feb 2016 17:18:15 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Shane Kerr <shane@time-travellers.org>
Thread-Topic: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming
Thread-Index: AQHRVMQmJ2Hob7DPwEWzKumw1uKSbp8IdysAgAFxqICAABtWAIAEuRGAgCNl1QCAALu8AA==
Date: Thu, 18 Feb 2016 22:18:14 +0000
Message-ID: <68160F3D-33D9-441F-AE94-8425CC26D71C@verisign.com>
References: <12831BC8-EE53-46C7-80A5-A7DAE651F157@vpnc.org> <2552EB05-B015-42F6-ABA6-D67B21CEBD4F@verisign.com> <C702935B-C23E-4DBC-9467-6DD024E172DE@vpnc.org> <56A3FDCE.6070001@uni-due.de> <E44C4779-9B8E-4520-9535-7477F436D6C6@verisign.com> <20160218120616.06f5f9bf@pallas.home.time-travellers.org>
In-Reply-To: <20160218120616.06f5f9bf@pallas.home.time-travellers.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <3BDE7AF9F1610F489DE7BE03DD7D7E6A@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Il4AkHnKIRzhlYOI0Sc1bUEc0hs>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2016 22:18:18 -0000
> On Feb 18, 2016, at 3:06 AM, Shane Kerr <shane@time-travellers.org> wrote: > > Duane, > > At 2016-01-26 22:32:45 +0000 > "Wessels, Duane" <dwessels@verisign.com> wrote: > >>> On Jan 23, 2016, at 2:25 PM, Matthäus Wander <matthaeus.wander@uni-due.de> wrote: >>> >>> >>> There's another issue: once root-servers.net is signed, the priming >>> response will contain RRSIG in the ADDITIONAL section. >> >> Indeed. According to my simple test if root-servers.net is signed (the >> same way as the root zone), the response size jumps quite a bit: >> >> >> EDNS0? UDPsize DO= RSN signed? resp size >> ------ ------- --- ----------- --------- >> n - - n 492-512 >> y 4096 0 n 755 >> y 4096 1 n 913 >> y 8192 1 y 4081 >> >> And these sizes could increase if two remaining letters decide to add AAAA records. > > This means that the section talking about the EDNS reassembly size > could become outdated: > > The recursive resolver SHOULD use EDNS0 [RFC6891] for priming queries > and SHOULD announce and handle a reassembly size of at least 1024 > octets [RFC3226]. Doing so allows responses that cover the size of a > full priming response (see Section 4.2). > > I guess a new RFC can be rolled if root-servers.net is signed, but > we could just future-proof it now and recommend a larger size? > > Of course, if the result is larger than 4096 - the most common value > for EDNS right now IIRC - then maybe we should just start recommending > TCP right away? (My colleague Davey Song actually has an expired draft > saying just that - draft-song-dnsop-tcp-primingexchange - but I think > that a single sentence in the priming draft saying something like "if > the DO bit is set, then TCP SHOULD be used, since a UDP response may > be truncated" is enough). > > Personally I think TCP for root priming makes complete sense, since root > priming traffic is a small fraction of a percent of both root server > traffic and resolver queries. (In fact this is a subset of the general > set of queries where "if you expect truncation, just start with TCP". > That's a possibly useful optimization that probably nobody has bothered > with because truncation is very rare.) I took a look at some data to see if priming queries truly are a small fraction. From what I see, about 3.5 to 4.0% of root server traffic is priming queries. I have a "second opinion" analysis running at DNS-OARC but that is taking longer, so if it indicates anything different I'll follow up. I guess I'm a little hesitant here because in an earlier discussion on this document we talked about saying "resolvers SHOULD send DO when priming" and if we add "SHOULD use TCP when DO is set" then TCP sort of becomes the default for all priming queries. Unless and until the root-servers.net zone is signed, the priming response doesn't really need TCP because it can entirely fit in an unfragmented UDP packet. DW
- [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-primi… Paul Hoffman
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Paul Hoffman
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Matthäus Wander
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Shane Kerr
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- [DNSOP] TCP for resolver priming (was DNSSEC in d… Shane Kerr
- Re: [DNSOP] TCP for resolver priming (was DNSSEC … Wessels, Duane