Re: [DNSOP] [dnsext] Re: Computerworld apparently has changed DNS protocol

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Wed, 11 November 2009 14:58 UTC

Return-Path: <nweaver@ICSI.Berkeley.EDU>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD6AD3A6877 for <dnsop@core3.amsl.com>; Wed, 11 Nov 2009 06:58:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.08
X-Spam-Level:
X-Spam-Status: No, score=-6.08 tagged_above=-999 required=5 tests=[AWL=0.519, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KElYSya-Z4q4 for <dnsop@core3.amsl.com>; Wed, 11 Nov 2009 06:58:11 -0800 (PST)
Received: from fruitcake.ICSI.Berkeley.EDU (fruitcake.ICSI.Berkeley.EDU [192.150.186.11]) by core3.amsl.com (Postfix) with ESMTP id EC7CA3A68B5 for <dnsop@ietf.org>; Wed, 11 Nov 2009 06:58:11 -0800 (PST)
Received: from [IPv6:::1] (jack.ICSI.Berkeley.EDU [192.150.186.73]) by fruitcake.ICSI.Berkeley.EDU (8.12.11.20060614/8.12.11) with ESMTP id nABEwPOd017095; Wed, 11 Nov 2009 06:58:25 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
In-Reply-To: <AEB16CE2-B7F9-421E-AD74-52919DA4666C@apnic.net>
Date: Wed, 11 Nov 2009 06:58:25 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <F152505E-6A33-48AE-9DA1-5716F0360DC2@icsi.berkeley.edu>
References: <200911041858.TAA24009@TR-Sys.de> <FD44BF39-5B62-4689-AC6D-8DFFAF340EA1@icsi.berkeley.edu> <20091104192634.GA31981@vacation.karoshi.com.> <d791b8790911041141k71066fa9nede54d5dff9394fa@mail.gmail.com> <AF9E632C-C470-4EA8-9BB4-BF144D208619@ICSI.Berkeley.EDU> <alpine.BSF.2.00.0911110625230.73921@in1.dns-oarc.net> <AEB16CE2-B7F9-421E-AD74-52919DA4666C@apnic.net>
To: George Michaelson <ggm@apnic.net>
X-Mailer: Apple Mail (2.1077)
Cc: namedroppers@ops.ietf.org, dnsop@ietf.org, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [DNSOP] [dnsext] Re: Computerworld apparently has changed DNS protocol
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 14:58:12 -0000

On Nov 10, 2009, at 10:42 PM, George Michaelson wrote:
> On 11/11/2009, at 3:29 PM, Duane Wessels wrote:
>> On Wed, 4 Nov 2009, Nicholas Weaver wrote:
>> 
>>> Also, has someone done a study of what the major recursive resolvers do on response failures from a root?  Do they go to another first or do they try a smaller EDNS MTU?
>> 
>> I gave a presentation on this at the DNS-OARC meeting last week:
>> 
>> https://www.dns-oarc.net/files/workshop-200911/Duane_Wessels.pdf
>> 
>> I was only able to test BIND (9.4.3) and Unbound (1.3.3) before the
>> workshop.
>> 
>> I've since learned that since my graphs only show 7 seconds after
>> the initial query, it misses Unbound's fallback to TCP, which
>> takes longer than that.
> 
> Great presentation.

A strong second, and many thanks for posting this.

The only other thing which needs to be added is understanding what happens at the 1500B MTU point rather than the 512B point (increase key size and/or record count to hit), since our early testing with Netalyzr showed that it's the 1500B boundary that is the big problem for most recursive resolvers, due to firewall rules and similar that can't handle UDP fragments.
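As an added illustration (not part of this message or thread, and not the code of BIND, Unbound or Netalyzr), the Python below shows the pieces the discussion turns on: it builds a query carrying an EDNS0 OPT record that advertises a UDP payload size, reads the advertised size and the TC bit back out of a wire message, checks whether a reply of a given size would exceed a 1500-byte MTU without fragmenting, and encodes one possible fallback ladder (shrink the advertised size, then try another server, then TCP). The 1400-byte rung and the ordering of the ladder are assumptions chosen for the example, not any resolver's documented behaviour.

```python
import struct

DNS_TYPE_OPT = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
FLAG_TC = 0x0200           # TC (truncated) bit in the DNS header flags
BELOW_MTU_SIZE = 1400      # assumed "safely below a 1500-byte Ethernet MTU" rung; not a standard value
MIN_EDNS_SIZE = 512        # classic DNS/UDP limit; a reply this small never needs fragmenting


def build_edns_query(qname, qtype=1, udp_payload_size=4096, txid=0x1234, do_bit=True):
    """Return a wire-format query with one OPT RR advertising udp_payload_size (RFC 6891 6.1.2)."""
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = [label for label in qname.rstrip(".").split(".") if label]
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags(DO), RDLEN=0
    flags = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHBBHH", DNS_TYPE_OPT, udp_payload_size, 0, 0, flags, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Extract ID, TC bit, RCODE and the peer's advertised EDNS UDP size (None if no OPT RR)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            edns_size = rclass               # for OPT, the CLASS field carries the UDP payload size
        off += 10 + rdlen
    return {"id": txid, "truncated": bool(flags & FLAG_TC),
            "rcode": flags & 0x0F, "edns_udp_size": edns_size}


def fits_unfragmented(udp_payload_size, mtu=1500, ipv6=False):
    """True if a UDP reply of this size fits in one packet on a path with the given MTU."""
    ip_header = 40 if ipv6 else 20
    return udp_payload_size <= mtu - ip_header - 8    # 8 = UDP header


def plan_next_attempt(outcome, advertised_size, servers_left):
    """One illustrative fallback ladder (an assumption, not any resolver's algorithm):
    on timeout shrink the EDNS size below the MTU, then to 512, then move to another
    server, then use TCP; a TC=1 reply goes straight to TCP."""
    if outcome == "ok":
        return ("done", advertised_size)
    if outcome == "truncated":
        return ("tcp", advertised_size)
    if outcome == "timeout":
        if advertised_size > BELOW_MTU_SIZE:
            return ("retry_udp", BELOW_MTU_SIZE)
        if advertised_size > MIN_EDNS_SIZE:
            return ("retry_udp", MIN_EDNS_SIZE)
        if servers_left > 0:
            return ("next_server", MIN_EDNS_SIZE)
        return ("tcp", MIN_EDNS_SIZE)
    raise ValueError("unknown outcome: %r" % (outcome,))


def mark_truncated(query):
    """Constructed test helper: turn a query into a minimal TC=1 response (QR|TC|RD flags)."""
    return query[:2] + struct.pack("!H", 0x8300) + query[4:]


if __name__ == "__main__":
    q = build_edns_query("example.com.", qtype=1, udp_payload_size=4096)
    print(parse_message(q))                      # advertised size 4096, not truncated
    print(parse_message(mark_truncated(q)))      # TC bit set: the caller should fall back to TCP
    for size in (4096, 1472, 1473, 512):
        print(size, fits_unfragmented(size))
```

The `fits_unfragmented` check is the arithmetic behind the 1500-byte concern above: with 20 bytes of IPv4 and 8 bytes of UDP header, anything over 1472 bytes of DNS payload is fragmented on an Ethernet path, so a 4096-byte advertised size only works if every middlebox forwards the fragments.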