Re: [DNSOP] Robert Wilton's Discuss on draft-ietf-dnsop-avoid-fragmentation-16: (with DISCUSS)
Paul Vixie <paul@redbarn.org> Thu, 01 February 2024 02:56 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9451C14F61A; Wed, 31 Jan 2024 18:56:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.198
X-Spam-Level:
X-Spam-Status: No, score=-7.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redbarn.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWJU_8LDC6MX; Wed, 31 Jan 2024 18:56:08 -0800 (PST)
Received: from util.redbarn.org (util.redbarn.org [24.104.150.222]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5676EC14F61B; Wed, 31 Jan 2024 18:56:00 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "*.redbarn.org", Issuer "RapidSSL TLS RSA CA G1" (not verified)) by util.redbarn.org (Postfix) with ESMTPS id BFFC719CCAE; Thu, 1 Feb 2024 02:55:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redbarn.org; s=util; t=1706756157; bh=tFb+mjl9pfBPwoO5+9ghsolLrGLmpvS8jhLkdgxWA7c=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=GPO1GWcXOlrXpfj74KEfHW4988TH2FSU34mmg+34+diq0n9KvDCIvBbEvUyTe5Rfn 87SCfjWdtecYCI6j6qxgbvokp+0VEpCiTSbB3QAAokpkjFrrzUrbIx3AjdTP4fGbZr zMTKV/Xf79zOwYeEDBhDjz3XeROYOI3W6ALu+cvo=
Received: from [24.104.150.166] (dhcp-166.access.rits.tisf.net [24.104.150.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 834A3C3F1F; Thu, 1 Feb 2024 02:55:57 +0000 (UTC)
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
Cc: "draft-ietf-dnsop-avoid-fragmentation@ietf.org" <draft-ietf-dnsop-avoid-fragmentation@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "benno@NLnetLabs.nl" <benno@NLnetLabs.nl>, "swoolf@pir.org" <swoolf@pir.org>, "tjw.ietf@gmail.com" <tjw.ietf@gmail.com>, The IESG <iesg@ietf.org>, Mahesh Jethanandani <mjethanandani@gmail.com>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, Warren Kumari <warren@kumari.net>
References: <170421006263.51518.3056523891589638914@ietfa.amsl.com> <LV8PR11MB8536B8B0C65B0E2160B82720B57E2@LV8PR11MB8536.namprd11.prod.outlook.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <24aeb153-d39a-45ca-a280-2782115055a9@redbarn.org>
Date: Wed, 31 Jan 2024 18:55:54 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.60
MIME-Version: 1.0
In-Reply-To: <LV8PR11MB8536B8B0C65B0E2160B82720B57E2@LV8PR11MB8536.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RpZJQ6QGYJmRk8K9bFR6HrqaGQA>
Subject: Re: [DNSOP] Robert Wilton's Discuss on draft-ietf-dnsop-avoid-fragmentation-16: (with DISCUSS)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2024 02:56:12 -0000
thanks rob for your long service. we'll do as you suggest. Rob Wilton (rwilton) wrote on 2024-01-29 02:48: > Hi Authors, > > Just a note/reminder that I am stepping down as an AD in March. I don’t > think that I’ve seen any reply to my DISCUSS comments (perhaps the > authors and/or WG are still discussing the resolution), but if you are > able to speed this up at all so that I can clear my discuss before I > step down that would be preferable. Actually, if you manage to clear > all the DISCUSSes on this doc before March, so that Warren can approve > it before the new IESG is seated, that would probably make both yours > and Warren’s lives slightly easier at the transition. > > Regards, > > Rob > > *From: *DNSOP <dnsop-bounces@ietf.org> on behalf of Robert Wilton via > Datatracker <noreply@ietf.org> > *Date: *Tuesday, 2 January 2024 at 15:41 > *To: *The IESG <iesg@ietf.org> > *Cc: *draft-ietf-dnsop-avoid-fragmentation@ietf.org > <draft-ietf-dnsop-avoid-fragmentation@ietf.org>, dnsop-chairs@ietf.org > <dnsop-chairs@ietf.org>, dnsop@ietf.org <dnsop@ietf.org>, > benno@NLnetLabs.nl <benno@NLnetLabs.nl>, swoolf@pir.org > <swoolf@pir.org>, tjw.ietf@gmail.com <tjw.ietf@gmail.com>, > tjw.ietf@gmail.com <tjw.ietf@gmail.com> > *Subject: *[DNSOP] Robert Wilton's Discuss on > draft-ietf-dnsop-avoid-fragmentation-16: (with DISCUSS) > > Robert Wilton has entered the following ballot position for > draft-ietf-dnsop-avoid-fragmentation-16: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Hi, > > Thanks for this document. > > I'm echoing Paul's and the SECDIR review comments here on the use of MAY in > recommendations (since everywhere you see MAY it is equally valid for an > interpretation to treat it as "MAY NOT"), but I think that this makes the > document, as a proposed BCP, unclear enough that I'm raising this to > level of a > DISCUSS. > > (1) p 3, sec 3.1. Recommendations for UDP responders > > At the time of writing, most DNS server software did not set the DF > bit for IPv4, and many OS kernel constraints make it difficult to set > the DF bit in all cases. Best Current Practice documents should not > specify what is currently impossible, so R2, which is setting the DF > bit, is "MAY" rather than "SHOULD". > > I think that this recommendation, particularly because it is using RFC 2119 > language, is unclear. I would suggest rephasing this to something like: > > R2. Where supported, UDP responders SHOULD set IP "Don't Fragment > flag (DF) bit" [RFC0791] on IPv4. > > (2) p 3, sec 3.2. Recommendations for UDP requestors > > R6. UDP requestors SHOULD limit the requestor's maximum UDP payload > size to the RECOMMENDED size of 1400 or a smaller size. > > I find this recommendation to be unclear because it mixes both a > "SHOULD" and > "RECOMMENDED", i.e., I find it unclear as to what the "SHOULD" applies > to. Is > the recommendation (i) that UDP requestors should limit the maximum UDP > payload. Or (ii) is the recommendation that a limit of 1400 be used, or > (iii) > perhaps both. Maybe rewording this to something like the following > would help: > > R6. UDP requestors SHOULD limit the requestor's maximum UDP payload > size to 1400 bytes, but MAY limit the maximum UDP payload size to a > smaller size on small MTU (less than 1500 bytes) networks. > > or, > > R6. UDP requestors SHOULD limit the requestor's maximum UDP payload > size. It is RECOMMENDED to use a limit of 1400 bytes, but a smaller > limit MAY be used. > > (3) p 3, sec 3.2. Recommendations for UDP requestors > > R7. UDP requestors MAY drop fragmented DNS/UDP responses without IP > reassembly to avoid cache poisoning attacks. > > As written, I don't think that this is really a recommendation. Either > it is a > just a statement or fact (in which case it is not a recommendation), or it > should be upgraded to a SHOULD. > > (4) p 4, sec 3.2. Recommendations for UDP requestors > > R7. UDP requestors MAY drop fragmented DNS/UDP responses without IP > reassembly to avoid cache poisoning attacks. > R8. DNS responses may be dropped by IP fragmentation. Upon a > timeout, to avoid resolution failures, UDP requestors MAY retry using > TCP or UDP with a smaller EDNS requestor's maximum UDP payload size > per local policy. > > Again, I think that this document would be clearer if this was a SHOULD > rather > than a MAY. > > Regards, > Rob > > > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > -- P Vixie
- [DNSOP] Robert Wilton's Discuss on draft-ietf-dns… Robert Wilton via Datatracker
- Re: [DNSOP] Robert Wilton's Discuss on draft-ietf… Rob Wilton (rwilton)
- Re: [DNSOP] Robert Wilton's Discuss on draft-ietf… Paul Vixie
- Re: [DNSOP] Robert Wilton's Discuss on draft-ietf… Rob Wilton (rwilton)