Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Michael Graff <Michael.Graff@nominum.com> Thu, 12 March 2015 16:12 UTC

From: Michael Graff <Michael.Graff@nominum.com>
To: "D. J. Bernstein" <djb@cr.yp.to>
Date: Thu, 12 Mar 2015 16:11:57 +0000
Message-ID: <3D558422-D5DA-4434-BDED-E752BA353358@flame.org>
References: <20150312125913.20188.qmail@cr.yp.to>
In-Reply-To: <20150312125913.20188.qmail@cr.yp.to>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/UMEZLqrCWz1fPadDx7yunnVrtJI>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "dns-operations@dns-oarc.net" <dns-operations@dns-oarc.net>
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

> Packet size is harder to analyze. ANY often pulls some records that
> aren't used, and if the site isn't configured carefully then ANY can
> even end up falling back to TCP, costing bytes _and_ packets. On the
> other hand, there are a huge number of Internet sites that don't have a
> noticeable volume of unusual records and don't need TCP, and there's a
> clear traffic win for every skipped query and skipped no-data response.

My guess is that with DNSSEC, this will be common, as often the domain apex is where the email would be sent.  For my personal domain, that’s @flame.org, and it weighs in at 1758 bytes to an ANY query right now.

Once this is done, the MX target then needs to be followed of course (or targets, in the case of a failure to connect).

In the following, I’m using EDNS0.  If this isn’t true, we all know anything > 512 bytes as a response was a TCP hit.  I’m not as scared of TCP hits as others may be, but I do think they should be avoided when practical.

ANY comes in as 1769 with or without DNSSEC.  Had it asked for the MX directly, it would have gotten 60 bytes without DNSSEC, and 229 with.

If there was no MX record, I assume then another query would be issued for the AAAA and A records.  That’s two more queries, but both of which would be smallish in comparison to the ANY query.  The DNSSEC keys nearly always dominate ANY queries at the apex.

I’m happy we are discussing issues with ANY queries, and the fairly small number of clients that use them.  I would have to see hard numbers collected over a lot of data showing where the ANY query was actually better than following the <MX, AAAA, A> path.  Until data is collected from how people set up zones today, I’m not sure I can say one is better than the other, other than as a feeling that it might help reduce queries but I’m not sure it reduces bandwidth.

What problem are we specifically trying to solve here again?

—Michael
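The byte and packet accounting argued over above, as an added example that is not part of the thread and not code from any of the participants or their employers: a small Python script that frames a constructed apex in real DNS wire format (RFC 1035 names and compression pointers, RR framing, RDLENGTH back-filling) and compares the UDP response size of an ANY query against the <MX, AAAA, A> path, with and without DNSSEC, and flags which responses would exceed the 512-byte plain-DNS limit (TC bit, TCP retry) versus an EDNS0 buffer. The zone contents, the apex name example.org, the DNSKEY RDATA sizes (RSA-2048 KSK, RSA-1024 ZSK) and the RRSIG signature sizes are all assumptions; no OPT RR and no NSEC/NSEC3 proof are included, so real DNSSEC answers are somewhat larger than the numbers this produces.

```python
"""Wire-size accounting for ANY versus MX/AAAA/A queries at a zone apex.

Constructed example: zone contents, names, DNSKEY and RRSIG sizes are made up
for illustration; only the DNS wire format (RFC 1035 names, compression
pointers, RR framing) is real.
"""
import ipaddress
import struct
from typing import Dict, List, Optional

TYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
        "RRSIG": 46, "DNSKEY": 48, "ANY": 255}
CLASS_IN, TTL = 1, 3600
APEX = "example.org."            # constructed apex, stands in for a real domain

# Constructed apex RRsets, in the order the server emits them.
ZONE: Dict[str, list] = {
    "SOA": [("ns1.example.org.", "hostmaster.example.org.",
             2015031201, 7200, 900, 1209600, 3600)],
    "NS": ["ns1.example.org.", "ns2.example.org."],
    "MX": [(10, "mail.example.org."), (20, "mail2.example.org.")],
    "A": ["192.0.2.10"],
    "AAAA": ["2001:db8::10"],
    "TXT": ["v=spf1 mx -all"],
}
ZONE_NO_MX = {t: rrs for t, rrs in ZONE.items() if t != "MX"}
# Opaque DNSKEY RDATA sized like an RSA-2048 KSK (264 B) and an RSA-1024 ZSK (136 B).
DNSKEYS = [bytes(264), bytes(136)]


def uncompressed_len(name: str) -> int:
    return sum(len(label) + 1 for label in name.rstrip(".").split(".")) + 1


def rrsig_rdata(sig_len: int) -> bytes:
    # 18 fixed bytes + uncompressed signer name (RFC 4034 forbids compressing it) + signature
    return bytes(18 + uncompressed_len(APEX) + sig_len)


def encode_name(name: str, msg: bytearray, comp: Dict[str, int]) -> None:
    """Append NAME in wire format, emitting an RFC 1035 pointer for any suffix already seen."""
    labels = name.rstrip(".").split(".")
    while labels:
        suffix = ".".join(labels)
        if suffix in comp:
            msg += struct.pack("!H", 0xC000 | comp[suffix])
            return
        if len(msg) < 0x3FFF:                 # pointer offsets are 14 bits
            comp[suffix] = len(msg)
        msg += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    msg += b"\x00"


def append_rr(msg: bytearray, comp: Dict[str, int], owner: str, rtype: str, rdata) -> None:
    """Append one RR; RDLENGTH is back-filled once the (possibly compressed) RDATA is written."""
    encode_name(owner, msg, comp)
    msg += struct.pack("!HHIH", TYPE[rtype], CLASS_IN, TTL, 0)
    rdlen_at, start = len(msg) - 2, len(msg)
    if rtype == "NS":
        encode_name(rdata, msg, comp)
    elif rtype == "MX":
        msg += struct.pack("!H", rdata[0])
        encode_name(rdata[1], msg, comp)
    elif rtype == "SOA":
        encode_name(rdata[0], msg, comp)
        encode_name(rdata[1], msg, comp)
        msg += struct.pack("!5I", *rdata[2:])
    elif rtype == "A":
        msg += ipaddress.IPv4Address(rdata).packed
    elif rtype == "AAAA":
        msg += ipaddress.IPv6Address(rdata).packed
    elif rtype == "TXT":
        msg += bytes([len(rdata)]) + rdata.encode("ascii")
    else:                                     # DNSKEY / RRSIG: opaque constructed bytes
        msg += rdata
    struct.pack_into("!H", msg, rdlen_at, len(msg) - start)


def build_response(qtype: str, zone: Dict[str, list], dnssec: bool) -> bytes:
    """Authoritative UDP answer for <APEX, qtype>, without an OPT RR (EDNS0 would add 11 B)."""
    msg = bytearray(struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, 0))   # QR|AA, TC clear
    comp: Dict[str, int] = {}
    encode_name(APEX, msg, comp)
    msg += struct.pack("!HH", TYPE[qtype], CLASS_IN)
    rrsets = dict(zone)
    if dnssec:
        rrsets["DNSKEY"] = DNSKEYS
    wanted = [t for t in rrsets if qtype == "ANY" or t == qtype]
    an = ns = 0
    if not wanted:        # NODATA: SOA (+RRSIG) in authority; NSEC/NSEC3 proof omitted here
        append_rr(msg, comp, APEX, "SOA", rrsets["SOA"][0])
        ns += 1
        if dnssec:
            append_rr(msg, comp, APEX, "RRSIG", rrsig_rdata(128))
            ns += 1
    for t in wanted:
        for rd in rrsets[t]:
            append_rr(msg, comp, APEX, t, rd)
            an += 1
        if dnssec:        # one RRSIG per RRset: KSK (256 B sig) over DNSKEY, ZSK (128 B) elsewhere
            append_rr(msg, comp, APEX, "RRSIG", rrsig_rdata(256 if t == "DNSKEY" else 128))
            an += 1
    struct.pack_into("!HH", msg, 6, an, ns)
    return bytes(msg)


def needs_tcp(size: int, edns_bufsize: Optional[int]) -> bool:
    """Plain DNS truncates above 512 bytes; EDNS0 raises the limit to the advertised buffer."""
    return size > (edns_bufsize if edns_bufsize else 512)


def mx_path_sizes(zone: Dict[str, list], dnssec: bool) -> List[int]:
    """The <MX, AAAA, A> path: stop after MX if it exists, else fall through to AAAA and A."""
    sizes = [len(build_response("MX", zone, dnssec))]
    if "MX" not in zone:
        sizes += [len(build_response(t, zone, dnssec)) for t in ("AAAA", "A")]
    return sizes


def compare(zone: Dict[str, list], dnssec: bool, edns_bufsize: Optional[int] = None) -> Dict[str, int]:
    """Bytes, query count and TCP fallbacks for ANY versus the MX path at this apex."""
    any_size = len(build_response("ANY", zone, dnssec))
    path = mx_path_sizes(zone, dnssec)
    return {"any_bytes": any_size, "any_tcp": int(needs_tcp(any_size, edns_bufsize)),
            "path_bytes": sum(path), "path_queries": len(path),
            "path_tcp": sum(needs_tcp(s, edns_bufsize) for s in path)}


if __name__ == "__main__":
    for dnssec in (False, True):
        for label, zone in (("with MX", ZONE), ("no MX", ZONE_NO_MX)):
            print(f"dnssec={dnssec!s:5} {label:8} {compare(zone, dnssec)}")
```

With these constructed sizes the unsigned ANY answer is 226 bytes against 72 for a direct MX query; once the apex is signed the ANY answer grows to 1975 bytes (DNSKEY RRset plus one RRSIG per RRset) and would be truncated without EDNS0, while the signed MX answer stays at 243 bytes. For an apex without MX, the path costs three queries (NODATA for MX, then AAAA and A) totalling 182 bytes unsigned. Change ZONE, DNSKEYS or the signature lengths in rrsig_rdata to model a different apex; the framing logic does not change.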