Re: [DNSOP] Tsvart last call review of draft-ietf-dnsop-dns-tcp-requirements-12
"Wessels, Duane" <dwessels@verisign.com> Fri, 17 September 2021 19:46 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF9983A114C; Fri, 17 Sep 2021 12:46:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JT80ZboS-ZUA; Fri, 17 Sep 2021 12:46:48 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D670C3A1143; Fri, 17 Sep 2021 12:46:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10557; q=dns/txt; s=VRSN; t=1631908008; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=PLn3TmEU9L6oRWWSTt0zeTsxD6i+A2nJovJN6S44Of4=; b=fvrLhusqoA2ZUhTW96moi0s8ZlczTeb1ZoX6LY4ky3ya/Gph6UUJdrzQ bKAAXzjAjIxXbyu4cRawGMPl9UnO9cBS/o8qDfxaIP0uO7hxpbbHGDxps 5El/tSFYfPcP16I5Z8VPCkGunjoc+zSBEAiaCqQP0/83NtVOuFCjia9K6 JtiLTSjgPTY5n03uTKnQWRKI7ZH62DyZhDjTmG8D47Smy6PoEP/qYCTCW Qx9X8Vz5gPgX4zP+gO0uXvWlIj4YaCGYYgRGyAmCqk3lfAUJKzxx7H79E Qra4UjggrtidcXWWGDXrot59ZRqH3DKZQvsK+6ivVwGXXFselnddHtYBy g==;
IronPort-SDR: rYHDU6eSdIFnMh2ks36elg+UfWeDjmdm9bh3sEWaviF2Bnt61j36V16vGRZYxL4w1TjipgpOvS RPkGZWUlYbGoGH2HfVXmZ0iHc2fXkiYUDS59fcrjijZMNIuHqo7hlap4x5SD8qOU0/fo1pOt3G 8lSGaicfdk0dYWUn8BkXUh1UiqSR7YMceu1CPQfK9ojFVLAlriM0u+LWpW2//pirFngp/MPISn KtRaFFxTV5nG37VccUcD8+hgkCJw/75HiQ7BA+fjly8RvODWbgsIooHFfx3E0+N08CWxIwgQEo 18o=
IronPort-Data: A9a23:4wD7e6/HUDbG50C5ubWDDrUDiX+TJUtcMsCJ2f8bNWPcYEJGY0x3y jdKUGqGPqyKZWr0ctwnatix9hsGv8OHyt9mSgE9rS0xFiIbosf7XtnIdU2Y0wF+jiHgoOOLy +1EN7Es+ehtFie0Si9AsdENlFEkvU2ybuOU5NXsZ2YhGGeIdA970Ug6w79g3dYz6TSEK1jlV e3a8pW31GCNhmYc3lI8s8pvfzs24ZweEBtB1rAPTagjUG32zhH5P7pGTU2FFEYUd6EPdgKMq 0Yv+5nilo/R109F5tqNzO6nIhVSKlLYFVDmZnF+A8BOjvXez8CbP2lS2Pc0MC9qZzu1c99Zl eUX6LWoURcQG4LTw+cUeAcIERh+BPgTkFPHCSDXXc275XfgKkTK7sU2VgcoNooC4qB+DSdQ7 +cebjsKa3hvhcrvmPTiFbIq35l4apW6VG8ckigIITXxAekrWovOR77i+9JC3SwxicYIFvHbD yYcQWs/PEqeM0In1lE/D9EYu7uPgETFTwJWiHGFhJsws0nT5VkkuFTqGJ+PEjCQfu1Uk1qWj mHb8mT9Dw4bMtDZzzeZmlqwnfGKlDnncIMfCLP+8eRl6HWfwHcUEDUXWEe15/6jhSaWV8hWJ VBR+ycyo+0+8lesVpzxWQb9vHWc+wQRQsdRCeA/5QeR0ezd5wKxB2UYQHhGctNOnMs/XiBv3 VaNm/voCCBh9rqPRhqgGqy8pym0YDcTIH9aP2ofUxFD5tj45Ys0yBjVSI8lDrSuiJv+HjSYL y22kRXSTo471aYjv5hXN3id695wjvAlljII2zg=
IronPort-HdrOrdr: A9a23:+xRmV66nOgjjHGocyQPXwOvXdLJyesId70hD6qkoc20wTiSZ// rDoB1p726StN9xYgBbpTnuAsm9qB/nn6KdpLNhWItKPzOWxVdATrsSjrcKqgeIc0bDH6xmpM VdmsNFZ+EYeGIasS+M2meF+rgbreVvu5rY49s2h00dND2D+8lbnn9E4yigYzZLeDU=
X-IronPort-AV: E=Sophos; i="5.85,302,1624334400"; d="p7s'?scan'208"; a="9886687"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8; Fri, 17 Sep 2021 15:46:45 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2308.008; Fri, 17 Sep 2021 15:46:45 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Mirja Kuehlewind <ietf@kuehlewind.net>
CC: "tsv-art@ietf.org" <tsv-art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: [EXTERNAL] Tsvart last call review of draft-ietf-dnsop-dns-tcp-requirements-12
Thread-Index: AQHXq/y/SCY4/dkNJUWo3hJH3iZKhw==
Date: Fri, 17 Sep 2021 19:46:45 +0000
Message-ID: <C43337DC-B981-4721-AC52-A9D77042915A@verisign.com>
References: <162990671395.10583.8870779506155492851@ietfa.amsl.com> <79387CF2-2A23-4B04-BCAC-53ECD85447A4@verisign.com> <9B3DDFF6-B5BA-4F96-B853-C1A3D8E9E532@kuehlewind.net>
In-Reply-To: <9B3DDFF6-B5BA-4F96-B853-C1A3D8E9E532@kuehlewind.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_87E01AA8-EDA7-4CA9-B6C8-BEDE0CB27FB1"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LufxBvGGzONtUC_8RroNP3zbVHo>
Subject: Re: [DNSOP] Tsvart last call review of draft-ietf-dnsop-dns-tcp-requirements-12
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Sep 2021 19:46:55 -0000
> On Sep 7, 2021, at 9:42 AM, Mirja Kuehlewind <ietf@kuehlewind.net> wrote: > > Thanks for the updates! One quick comment below. > >> On 7. Sep 2021, at 18:23, Wessels, Duane <dwessels@verisign.com> wrote: >> >>> On Aug 25, 2021, at 8:51 AM, Mirja Kühlewind via Datatracker <noreply@ietf.org> wrote: >>> >>> And a more general comment on section 4.2: this section takes about various >>> limits but doesn't recommend any values. I understand that there is not a >>> one-fits-all solution here but not knowing how to set these values correctly >>> might scared people aways from supporting TCP. So I think having a discussion >>> either of default values or how to derives these values based on a certain >>> configuration would be a very valuable contribution in this document. >> >> I've added some recommendations to the paragraphs in section 4.2. >> >> For the limit on total number of connections: "Absent any other information, >> 150 is a reasonable value for this limit in most cases." >> >> For the limit on connections per source address: "Absent any other >> information, 25 is a reasonable value for this limit in most cases." >> >> For the timeout on idle connections: "Absent any other information, 10 >> seconds is a reasonable value for this timeout in most cases." > > I think it would also make sense to explain a bit more why these values were taken and what considerations/“other information" can be used to make a different decisions. I know that might not be fully straight-forward but just providing “random” numbers might also only provide limited value. > > Mirja Mirja, I have gathered some information from the open source implementations and written a new section to talk about defaults and recommended values (below). The full document and diff from previous can be found in our github repo https://github.com/jtkristoff/draft-ietf-dnsop-dns-tcp-requirements/tree/master/Versions DW 4.5. Defaults and Recommended Limits A survey of features and defults was conducted for popular open source DNS server implementations at the time of writing. This section documents those defaults and makes recommendations for configurable limits that can be used in the absence of any other information. Any recommended values in this document are only intended as a starting point for administrators that are unsure what sorts of limits might be reasonable. Operators SHOULD use application-specific monitoring, system logs, and system monitoring tools to gauge whether their service is operating within or exceeding these limits, and adjust accordingly. Most open sorcue DNS server implementations provide a configurable limit on the total number of established connections. Default values range from 20 to 150. In most cases, where the majority of queries take place over UDP, 150 is a reasonable limit. For services or enviroments where most queries take place over TCP or TLS, 5000 is a more appropriate limit. Only some open source implementations provide a way to limit the number of connections per source IP address or subnet, but the default is to have no limit. For environments or situations where it may be neccessary to enable this limit, 25 connections per source IP address is a reasonable starting point. The limit should be increased when aggregated by subnet, or for services where most queries take place over TCP or TLS. Most open source implementations provide a configurable idle timeout on connections. Default values range from 2 to 30 seconds. In most cases, 10 seconds is a reasonable default for this limit. Longer timeouts improve connection reuse, but busy servers may need to use a lower limit. Only some open source implementations provide a way to limit the number of transactions per connection, but the default is to have no limit. This document does not offer advice on particular values for such a limit. Only some open source implementations provide a way to limit the duration of connection, but the default is to have no limit. This document does not offer advice on particular values for such a limit.
- [DNSOP] Tsvart last call review of draft-ietf-dns… Mirja Kühlewind via Datatracker
- Re: [DNSOP] Tsvart last call review of draft-ietf… Wessels, Duane
- Re: [DNSOP] [Tsv-art] Tsvart last call review of … Mirja Kuehlewind
- Re: [DNSOP] Tsvart last call review of draft-ietf… Wessels, Duane
- Re: [DNSOP] Tsvart last call review of draft-ietf… Mirja Kuehlewind
- Re: [DNSOP] Tsvart last call review of draft-ietf… Wessels, Duane
- Re: [DNSOP] Tsvart last call review of draft-ietf… Qin Wu