Re: [DNSOP] [v6ops] New draft at dnsop a bis for DNS IPv6 Transport Operational Guidelines
Momoka Yamamoto <momoka.my6@gmail.com> Tue, 05 December 2023 19:53 UTC
Return-Path: <momoka.my6@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A874C14F617; Tue, 5 Dec 2023 11:53:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.855
X-Spam-Level:
X-Spam-Status: No, score=-1.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1I1700dvJ5vO; Tue, 5 Dec 2023 11:53:25 -0800 (PST)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00167C14F5EA; Tue, 5 Dec 2023 11:53:24 -0800 (PST)
Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-50c04ebe1bbso143853e87.1; Tue, 05 Dec 2023 11:53:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701806003; x=1702410803; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hDN70fhxT9Tg+awcSPWOn/I/cWQvMVkyyuFsbV8GLwo=; b=hF881zV0H9o/L8fzHJ/AwaXJjaWOQO7yOcTEXl/5xiB/N87Lu732fZq8yMdan/O5yG p4aGLS0uAeVTIDKad83lB59RCpxcyfUgbedxynIwNbcjiC0VCZcub7PWBmGoUWwXPYVO Ncea2QpPUHnDhoUD5tccWqWF5xa594B8LwVIWFVF9DlNgefFtGZ7qD0TxEenTiDJdhs9 o7eIMI0vaRMYHeL1o815SGJhJgY8mGuYUO4K8QYOYQbIl38Ow4os7yTDjL3pZMOzMU1k OnmUrig7AYy+4NLTAB1MjCvWGcpb/bx0Or9BDz6DRDKLft6l2mTw4mm5pSQ+3GTPJ8zG /yTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701806003; x=1702410803; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hDN70fhxT9Tg+awcSPWOn/I/cWQvMVkyyuFsbV8GLwo=; b=U4YQmD+DPHm9KjKimp6W7KN1lyCoTfEYchAhj3tbh/kBq8cK9iS8+Rfmm9XFuV21jr vJ08N0TkYAhSXrh1jijtXwMzD9azGNC80+a7ghFPjjGQz70sRbn5Qjoa3vUWZBYjNwHu Cy0TzyhZE47hL5XJymFJ+Okb4y/6B9sMUv+amYVhlo9oTj6HB8MYL0bhpfQmUfhsy6am Fqg23lmyWlp0GsZpHphWKn8594C43K52oNVGD1mcQf7yQp43iMzOFTALUvpRYuEpLtNS ByBKoPGAP515u259KLHL6Dkuv+Nc9YexEgJRwMN0oxM5xkF+J3SkkMnrzmpXQ/+MP2CJ t52w==
X-Gm-Message-State: AOJu0Yy57yuNzXh5jglCIzfA2WnZic08XMYXXcfUciUbzKurITZLnLk+ HXFtgEiT/wa8VS2rQa/kBdh1/DrKBer0f4bolmFctEAvA6o=
X-Google-Smtp-Source: AGHT+IEXGoqCrdNrTJ1CwD+BTC6gdJUtUObQy1lvHzMipeE5SeydVtJ2NqNJkI5szYaPRcYQqWxQ0pFhqKNAqH/g+D0=
X-Received: by 2002:a05:6512:1390:b0:50b:fdb6:9937 with SMTP id fc16-20020a056512139000b0050bfdb69937mr1403544lfb.5.1701806002371; Tue, 05 Dec 2023 11:53:22 -0800 (PST)
MIME-Version: 1.0
References: <927959F5-71C8-4488-A52D-2A5A0969A951@apnic.net> <ZU8-4cLjPvTzXyJB@Space.Net> <2532F4E0-725A-4403-9B62-0145EB9279BB@apnic.net> <20231123.193744.1766915964051686702.he@uninett.no> <A137855F-F70F-429A-AFB2-B1F3271F1BE5@apnic.net> <035B98C3-517E-4839-9725-81A79B0A8419@isc.org>
In-Reply-To: <035B98C3-517E-4839-9725-81A79B0A8419@isc.org>
From: Momoka Yamamoto <momoka.my6@gmail.com>
Date: Wed, 06 Dec 2023 04:53:10 +0900
Message-ID: <CAD9w2qZbT0s3SRQhxFZaDSjTgfpuUeGLnYsVbY8xpynFx=w-Sg@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Geoff Huston <gih@apnic.net>, "v6ops@ietf.org" <v6ops@ietf.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003f823b060bc89690"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Kj8wBufzZdsT2nSGiOnfQFTBLlw>
Subject: Re: [DNSOP] [v6ops] New draft at dnsop a bis for DNS IPv6 Transport Operational Guidelines
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Dec 2023 19:53:30 -0000
Thank you Geoff for your insightful clarification and the valuable data presented in your article. The alternative wording you suggest for draft 3901bis provides a balanced approach. It is more in line with the principle of minimizing potential harm while maintaining operational efficiency. We will incorporate your suggested wording with a reference to draft-ietf-dnsop-avoid-fragmentation. This draft intends to make DNS possible with IPv6, and with Geoff's wording, I think we should be able to make IPv6 a SHOULD safely. We do not want to make bad recommendations and this is very critical. Thank you all for the discussion. If there are still parts that should be done, please give us your input. Momoka Y On Fri, Nov 24, 2023 at 9:17 AM Mark Andrews <marka@isc.org> wrote: > There are a number of issues involved here > > Anycast DNS servers and blocking of PTB breaking PMTUD for both TCP and > UDP. > > 1) set a lower MSS for TCP (e.g. 1280) so the replies don’t generate > PTBs. TCP > retransmission timers are much too big for DNS. The TCP sessions are torn > down > if there is no response in a couple of seconds. > 2) set IPV6_USE_MIN_MTU=1 so that UDP packets are fragmented at network > minimum MTU. > > BIND does both of these by default. Other servers do one or the other, > both or none > of these measures. > > Get firewall vendors to permit fragments from the reversed src/dst pairs > when setting > up connection tracking using the same expiry timers that they are using > for the non > fragmented responses. IPv6 has a 32 bit fragment id which makes off path > fragmentation > reassembly attacks very hard for IPv6. Alternatively just permit > fragments. They > should be doing this independently of DNS. > > Servers should have a pool of multiple non sequential fragmentation > identifier sources > which are randomly selected from based on destination address. > > The reason for the draft is that DNS queries are being made from behind > NAT64’s and > that puts a lot of state there if there aren’t IPv6 servers available. > > Recursive DNS servers track RTT, preference IPv6 servers and use sub > second timeouts > when talking to the set of server addresses for a zone. > > As for EDNS advertised UDP size servers can restrict the response size > independently > of the client’s advertised response size if they want. It comes at a cost > of more TCP. > > Mark > > > On 24 Nov 2023, at 06:07, Geoff Huston <gih@apnic.net> wrote: > > > > > > > >> On 24 Nov 2023, at 5:37 am, Havard Eidnes <he@uninett.no> wrote: > >> > >>> Go read https://www.potaroo.net/ispcol/2023-11/dns-ipv6.html to > >>> get a clearer explanation of the issues here about the DNS, UDP > >>> and IPv6. > >> > >> OK, I've done that, and I'm not entirely certain that I fully > >> agree. > >> > >> ... > > > > Thanks for the thoughtful response Havard.As a minor point of correction > the data > > in that article is not a census of individual resolvers, but a census of > users. i.e. if a resolver > > is used by 100 users and another is used by just a single user the data > will be weighted in > > favour of the heavily used resolver. > > > > So the current data shows that some 69% of users pass their queries to a > recursive > > resolver over IPv6 use an EDNS buffer size that is greater than 1232 > bytes, > > and 49% use a buffer size that is greater than 1500. In these cases the > > odds of encountering a timeout rather than a response for large responses > > is considerably higher. What this means is that it takes more time to > resolve the name > > (1 second is the most commonly observed timeout). > > > > So why should the IETF be proposing in a normative SHOULD the adoption of > > an operational configuration that results in cases of slower response > and an elevated > > set of retransmissions? To quote RFC2119: > > > > "[SHOULD] MUST only be used where it is actually required for > interoperation > > or to limit behaviour which has potential for causing harm (e.g., > limiting > > retransmissions)" > > > > As I said in the article ( > https://www.potaroo.net/ispcol/2023-11/dns-ipv6.html) I offerred an > > alternative wording for this 3901bis draft along the lines of: > > > > In using IPv6 as the platform for DNS queries, DNS implementations SHOULD > > use an EDNS Buffer Size value of 1,232 bytes. An operator MAY use a > greater > > value for this parameter, but only if the DNS operator is confident that > this > > local setting will not result in IP packet fragmentation being required > to pass > > a DNS message to its intended recipient. > > > > If the reduced EDNS Buffer Size parameter is used by a DNS resolver, > then such > > DNS resolvers MAY order the list of servers that could be queried to > prefer to > > use an IPv6 query as the initial query. > > > > That would prevent the client performing a timeout and in the case of a > large response > > would allow the client to commence a TCP re-query within a single RTT. > > > > > > regards, > > > > Geoff > > > > _______________________________________________ > > v6ops mailing list > > v6ops@ietf.org > > https://www.ietf.org/mailman/listinfo/v6ops > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- Re: [DNSOP] [v6ops] New draft at dnsop a bis for … Momoka Yamamoto
- Re: [DNSOP] [v6ops] New draft at dnsop a bis for … Momoka Yamamoto