Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
"Wessels, Duane" <dwessels@verisign.com> Fri, 03 December 2021 23:57 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A7CC3A0BB7; Fri, 3 Dec 2021 15:57:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IseHKMYgXALs; Fri, 3 Dec 2021 15:57:02 -0800 (PST)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F00A3A0B5F; Fri, 3 Dec 2021 15:57:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=3848; q=dns/txt; s=VRSN; t=1638575823; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=LmOss97ECDOBC5gASt/qJhAXjzhLEU+OwLsNFTV4Jx8=; b=oYWGqaSIfgcVCVAx14KDhI7bMrCN/B9lx5640C7UFlOqU+stTsS3Grt0 jXN26xsudeiX2Uq2p6I2QJADrufrz6nuV4VTcPhfH26Gl7DqgJ9xNmwGg E0GWqTqBNnqYVxkooiSWpED2OvS9NGPH3zzNxfrRWyZckbk6owZnObQm/ asRG4DByYQ4I8EeeCVqFl0NXTfY6lIawl5OMsiM+c9w4272imm6Myj9QB 5ZjCve5fG1wanY8gTIFYq6kfJ8ya0buQOnHpCWsNZ9v67tJ3aQDHm1w8P 3EufC71yf/vzRhDFmK/SsID+0f37fu/I4FmKMgApuzsdJKkepT+ibXL79 A==;
IronPort-SDR: OPX1+iZ2YZ0hjez0N4/5N/+kIuTXP/KbBjP3hSsD/KYQmRQiE7pItdY0Vag+ShuTwxGAn+SiO1 12jhq3RruVTJrKvtLKZoQB5wb+PWHyDG4x9FwsNPdIwv4f7qPm+4Yeix4zJV6PCOngOHcRI6Xq T0izKiK7/Uq8w1q98oQ5sqVPlgq22Mj3cOZn9/pDU9IWEu2ULEs+viRrijt5wjFJdFOmpZLCD6 PzGfD3MwnPAMcQhMGwwk+YILvVXNlOdZZs5C4ei4gsuBZdz3HMRJ6UBtdj5mxmZSyfEzjUjj9b PmA=
IronPort-Data: A9a23:RXtOB60Ry/k0RErApvbD5ctwkn2cJEfYwER7XKvMYLTBsI5bpzxVy mNOXjjXP/vZNjOjLt4nbNux/B4CscDXzYdqT1c6qSg9HnlHl5HIVI+TRqvS04N+DSFioGZPt Zh2hgzodZhsJpPkS5TE3oHJ9RGQ74nRLlbHILOCan8ZqTNMEn970Es5w7Vh2OaEvPDia++zk YKqyyHgEAL9s9JEGjp8B3Wr8U4HUFza4Vv0j3RmDRx5lAa2e0o9VfrzEZqMw07QGeG4KAIaq 9Hrl9lV9kuBl/skIo39zuajKiXmSJaKVeSFoiI+t6RPHnGuD8H9u0o2HKN0VKtZt9mGt5dA6 olzl7uhdVs4J6jQu80kXgtWLy4raMWq+JefSZS+meap6RT5VVbcm6woEkoxJ5Ve8+oxH3tV8 7oTLzVlghKr3rrwme3gDLAx3YJ/fKEHP6tG0p1k5T3GAO09TJTYa7vH/95D3Tg2wMtJGJ4yY uJAMGE2MkqbO3WjPH8SMdUykbv420DnbiJJqhWWhpMOuEvcmVkZPL/FdYC9lsaxbcFchF2wq 23J8n7lRBYAO7S3yDee/Vqti/PB2yThV+o6GKex+OIvgVCPyCkfDgYRTR63p+L8lkWmHshSM lEV4CcroK4u72SqQ8XzGRqirxasshgHXMIVGO0z6RuW4qvZ/wjfAXILJhZNbschrOc3SCAkk FiTkLvBHiF9r7qPTX6C97uZhTy3MCkRa2QFYEc5oRAt6cPl+Z41gwKXF5N4DrTzi9zuXDv3h TqQqnF4ma8Ii4gA0KDTEU37vg9Ab6PhFmYdjjg7lEr8hu+lTOZJv7CV1GU=
IronPort-HdrOrdr: A9a23:FaQ9Oq4LmHL5ZmVMewPXwBXXdLJyesId70hD6qkXc20xTiX4rb HNoB1173/JYVoqNk3I+uruBEDoexq1yXcf2/hzAV7NZmjbkVrtAo1k4ZDr3jHsXwbvn9Qw6Y 5QN4xzEsf5A1Q/r8rriTPTL/8QhP2K6rqhi+ub9WpqVg0CUcxdxh10ERmWCXd7QwR6BZ40fa D22vZ6
X-IronPort-AV: E=Sophos;i="5.87,284,1631592000"; d="scan'208";a="11316630"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.7; Fri, 3 Dec 2021 18:57:00 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2375.007; Fri, 3 Dec 2021 18:57:00 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Lars Eggert <lars@eggert.org>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>
Thread-Topic: [EXTERNAL] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
Thread-Index: AQHX5Xxa1WHeYbA7FU2LSxLF5LNQ7Q==
Date: Fri, 03 Dec 2021 23:57:00 +0000
Message-ID: <F8429D79-1E25-43FA-8BEF-562F64A71F8C@verisign.com>
References: <163524814397.6773.7925615506385048342@ietfa.amsl.com> <AB8A981D-4923-4D58-8035-3708E4C991A1@verisign.com> <D3BA2B5C-C398-430D-B526-248A5A74F571@eggert.org>
In-Reply-To: <D3BA2B5C-C398-430D-B526-248A5A74F571@eggert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.120.0.1.13)
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <01A92E48D44E5548827E6D0B8111BCB1@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KdcnqGQBL5OtpIuyfmEgi6MzoPI>
Subject: Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop-dns-tcp-requirements-13: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Dec 2021 23:57:08 -0000
> On Nov 29, 2021, at 11:51 PM, Lars Eggert <lars@eggert.org> wrote: > > >> I dont necessarily agree that operating systems alone do a very good job >> of preventing DOS conditions. It is possible that Im not up-to-date on >> the latest and greatest in terms of operating system features, but I think >> historically applications have fared better when they manage their own >> connections. For example, can we realistically expect the OS to know which >> idle connections should be closed? > > The OS will certainly try to close sufficient connections under DDoS to remain operational. But if an application wants to see connections closed according to a certain policy - and DNS servers probably would - they need to actively engage. Maybe that's the rationale here? > Yes, that is the rationale. I’ve added a new sentence to the end of this paragraph along those lines: Operators of DNS server software SHOULD be aware that operating system and application vendors MAY impose a limit on the total number of established connections. These limits may be designed to protect against DDoS attacks or performance degradation. Operators SHOULD understand how to increase these limits if necessary, and the consequences of doing so. Limits imposed by the application SHOULD be lower than limits imposed by the operating system, so that the application can apply its own policy to connection management, such as closing the oldest idle connections first. >> >>> Section 4.2. , paragraph 3, comment: >>>> DNS server software SHOULD provide a configurable timeout for idle >>>> TCP connections. For very busy name servers this might be set to a >>>> low value, such as a few seconds. For less busy servers it might be >>>> set to a higher value, such as tens of seconds. >>> >>> Ditto. >> >> In this case all of the open source implementations I surveyed have this >> limit enabled by default. > > It might be useful to add a brief note similar to the one above here as well. Okay, I’ve done so in this paragraph. Second and third sentences are new: DNS server software SHOULD provide a configurable timeout for idle TCP connections. This can be used to free up resources for new connections and to ensure that idle connections are eventually closed. At the same time, it possibly limits client performance while leaving some TCP resources untilizied. For very busy name servers this might be set to a low value, such as a few seconds. For less busy servers it might be set to a higher value, such as tens of seconds. DNS clients and servers SHOULD signal their timeout values using the edns-tcp-keepalive option [RFC7828]. > > Thanks, > Lars > Thank you! DW
- [DNSOP] Lars Eggert's Discuss on draft-ietf-dnsop… Lars Eggert via Datatracker
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Lars Eggert
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Benjamin Kaduk
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Benjamin Kaduk
- Re: [DNSOP] Lars Eggert's Discuss on draft-ietf-d… Wessels, Duane