IETF Logo Mail Archive

Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)

"Wessels, Duane" <dwessels@verisign.com> Fri, 03 December 2021 23:57 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A7CC3A0BB7; Fri, 3 Dec 2021 15:57:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IseHKMYgXALs; Fri, 3 Dec 2021 15:57:02 -0800 (PST)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F00A3A0B5F; Fri, 3 Dec 2021 15:57:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=3848; q=dns/txt; s=VRSN; t=1638575823; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=LmOss97ECDOBC5gASt/qJhAXjzhLEU+OwLsNFTV4Jx8=; b=oYWGqaSIfgcVCVAx14KDhI7bMrCN/B9lx5640C7UFlOqU+stTsS3Grt0 jXN26xsudeiX2Uq2p6I2QJADrufrz6nuV4VTcPhfH26Gl7DqgJ9xNmwGg E0GWqTqBNnqYVxkooiSWpED2OvS9NGPH3zzNxfrRWyZckbk6owZnObQm/ asRG4DByYQ4I8EeeCVqFl0NXTfY6lIawl5OMsiM+c9w4272imm6Myj9QB 5ZjCve5fG1wanY8gTIFYq6kfJ8ya0buQOnHpCWsNZ9v67tJ3aQDHm1w8P 3EufC71yf/vzRhDFmK/SsID+0f37fu/I4FmKMgApuzsdJKkepT+ibXL79 A==;
IronPort-SDR: OPX1+iZ2YZ0hjez0N4/5N/+kIuTXP/KbBjP3hSsD/KYQmRQiE7pItdY0Vag+ShuTwxGAn+SiO1 12jhq3RruVTJrKvtLKZoQB5wb+PWHyDG4x9FwsNPdIwv4f7qPm+4Yeix4zJV6PCOngOHcRI6Xq T0izKiK7/Uq8w1q98oQ5sqVPlgq22Mj3cOZn9/pDU9IWEu2ULEs+viRrijt5wjFJdFOmpZLCD6 PzGfD3MwnPAMcQhMGwwk+YILvVXNlOdZZs5C4ei4gsuBZdz3HMRJ6UBtdj5mxmZSyfEzjUjj9b PmA=
IronPort-Data: A9a23:RXtOB60Ry/k0RErApvbD5ctwkn2cJEfYwER7XKvMYLTBsI5bpzxVy mNOXjjXP/vZNjOjLt4nbNux/B4CscDXzYdqT1c6qSg9HnlHl5HIVI+TRqvS04N+DSFioGZPt Zh2hgzodZhsJpPkS5TE3oHJ9RGQ74nRLlbHILOCan8ZqTNMEn970Es5w7Vh2OaEvPDia++zk YKqyyHgEAL9s9JEGjp8B3Wr8U4HUFza4Vv0j3RmDRx5lAa2e0o9VfrzEZqMw07QGeG4KAIaq 9Hrl9lV9kuBl/skIo39zuajKiXmSJaKVeSFoiI+t6RPHnGuD8H9u0o2HKN0VKtZt9mGt5dA6 olzl7uhdVs4J6jQu80kXgtWLy4raMWq+JefSZS+meap6RT5VVbcm6woEkoxJ5Ve8+oxH3tV8 7oTLzVlghKr3rrwme3gDLAx3YJ/fKEHP6tG0p1k5T3GAO09TJTYa7vH/95D3Tg2wMtJGJ4yY uJAMGE2MkqbO3WjPH8SMdUykbv420DnbiJJqhWWhpMOuEvcmVkZPL/FdYC9lsaxbcFchF2wq 23J8n7lRBYAO7S3yDee/Vqti/PB2yThV+o6GKex+OIvgVCPyCkfDgYRTR63p+L8lkWmHshSM lEV4CcroK4u72SqQ8XzGRqirxasshgHXMIVGO0z6RuW4qvZ/wjfAXILJhZNbschrOc3SCAkk FiTkLvBHiF9r7qPTX6C97uZhTy3MCkRa2QFYEc5oRAt6cPl+Z41gwKXF5N4DrTzi9zuXDv3h TqQqnF4ma8Ii4gA0KDTEU37vg9Ab6PhFmYdjjg7lEr8hu+lTOZJv7CV1GU=
IronPort-HdrOrdr: A9a23:FaQ9Oq4LmHL5ZmVMewPXwBXXdLJyesId70hD6qkXc20xTiX4rb HNoB1173/JYVoqNk3I+uruBEDoexq1yXcf2/hzAV7NZmjbkVrtAo1k4ZDr3jHsXwbvn9Qw6Y 5QN4xzEsf5A1Q/r8rriTPTL/8QhP2K6rqhi+ub9WpqVg0CUcxdxh10ERmWCXd7QwR6BZ40fa D22vZ6
X-IronPort-AV: E=Sophos;i="5.87,284,1631592000"; d="scan'208";a="11316630"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.7; Fri, 3 Dec 2021 18:57:00 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2375.007; Fri, 3 Dec 2021 18:57:00 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Lars Eggert <lars@eggert.org>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>
Thread-Topic: [EXTERNAL] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Thread-Index: AQHX5Xxa1WHeYbA7FU2LSxLF5LNQ7Q==
Date: Fri, 03 Dec 2021 23:57:00 +0000
Message-ID: <F8429D79-1E25-43FA-8BEF-562F64A71F8C@verisign.com>
References: <163524814397.6773.7925615506385048342@ietfa.amsl.com> <AB8A981D-4923-4D58-8035-3708E4C991A1@verisign.com> <D3BA2B5C-C398-430D-B526-248A5A74F571@eggert.org>
In-Reply-To: <D3BA2B5C-C398-430D-B526-248A5A74F571@eggert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.120.0.1.13)
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <01A92E48D44E5548827E6D0B8111BCB1@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KdcnqGQBL5OtpIuyfmEgi6MzoPI>
Subject: Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Dec 2021 23:57:08 -0000


> On Nov 29, 2021, at 11:51 PM, Lars Eggert <lars@eggert.org> wrote:
> 
> 
>> I dont necessarily agree that operating systems alone do a very good job
>> of preventing DOS conditions.  It is possible that Im not up-to-date on
>> the latest and greatest in terms of operating system features, but I think
>> historically applications have fared better when they manage their own
>> connections.  For example, can we realistically expect the OS to know which
>> idle connections should be closed?
> 
> The OS will certainly try to close sufficient connections under DDoS to remain operational. But if an application wants to see connections closed according to a certain policy - and DNS servers probably would - they need to actively engage. Maybe that's the rationale here?
> 

Yes, that is the rationale.  I’ve added a new sentence to the end
of this paragraph along those lines:

   Operators of DNS server software SHOULD be aware that operating
   system and application vendors MAY impose a limit on the total number
   of established connections.  These limits may be designed to protect
   against DDoS attacks or performance degradation.  Operators SHOULD
   understand how to increase these limits if necessary, and the
   consequences of doing so.  Limits imposed by the application SHOULD
   be lower than limits imposed by the operating system, so that the
   application can apply its own policy to connection management, such
   as closing the oldest idle connections first.


>> 
>>> Section 4.2. , paragraph 3, comment:
>>>> DNS server software SHOULD provide a configurable timeout for idle
>>>> TCP connections.  For very busy name servers this might be set to a
>>>> low value, such as a few seconds.  For less busy servers it might be
>>>> set to a higher value, such as tens of seconds.
>>> 
>>> Ditto.
>> 
>> In this case all of the open source implementations I surveyed have this
>> limit enabled by default.
> 
> It might be useful to add a brief note similar to the one above here as well.

Okay, I’ve done so in this paragraph. Second and third sentences are new:

   DNS server software SHOULD provide a configurable timeout for idle
   TCP connections.  This can be used to free up resources for new
   connections and to ensure that idle connections are eventually
   closed.  At the same time, it possibly limits client performance
   while leaving some TCP resources untilizied.  For very busy name
   servers this might be set to a low value, such as a few seconds.  For
   less busy servers it might be set to a higher value, such as tens of
   seconds.  DNS clients and servers SHOULD signal their timeout values
   using the edns-tcp-keepalive option [RFC7828].


> 
> Thanks,
> Lars
> 

Thank you!

DW

v2.23.0 | Report a Bug | By Email