Re: [DNSOP] 答复: 答复: Fwd: I-D Action: draft-song-atr-large-resp-00.txt

Mark Andrews <marka@isc.org> Fri, 22 September 2017 04:25 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16632132CE7 for <dnsop@ietfa.amsl.com>; Thu, 21 Sep 2017 21:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dccEx16a5RDn for <dnsop@ietfa.amsl.com>; Thu, 21 Sep 2017 21:25:25 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C46DE1321DF for <dnsop@ietf.org>; Thu, 21 Sep 2017 21:25:25 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id DF41B34B423; Fri, 22 Sep 2017 04:24:55 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id BE49E16003D; Fri, 22 Sep 2017 04:24:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 3EC08160069; Fri, 22 Sep 2017 04:24:55 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id mZpQWasoyTGH; Fri, 22 Sep 2017 04:24:55 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id C639816003D; Fri, 22 Sep 2017 04:24:54 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 08EA187A1E04; Fri, 22 Sep 2017 14:24:53 +1000 (AEST)
To: Paul Vixie <paul@redbarn.org>
Cc: =?UTF-8?B?IkRhdmV5IFNvbmco5a6L5p6X5YGlKSI=?= <ljsong@biigroup.cn>, 'dnsop' <dnsop@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <150509601027.9852.16967877638602485585@ietfa.amsl.com> <CAAObRXJ6wJGCXkbKVkNmQCJ8NccBT63A8-9-LiRVZCFsDicchw@mail.gmail.com> <CACfw2hhaKTyfJfjQ5-_kfqiHX1oX+9P6mUWD06B87y_2ysdztA@mail.gmail.com> <045b01d33288$d3fadad0$7bf09070$@cn>+5DE3FF4CB4E4721A <59C34510.4080705@redbarn.org> <048701d332a8$6f944980$4ebcdc80$@cn>+1004318D79D4A4F6 <59C47601.5030804@redbarn.org> <20170922031358.94ABB87A157F@rock.dv.isc.org> <59C48658.9000608@redbarn.org>
In-reply-to: Your message of "Thu, 21 Sep 2017 20:41:12 -0700." <59C48658.9000608@redbarn.org>
Date: Fri, 22 Sep 2017 14:24:52 +1000
Message-Id: <20170922042453.08EA187A1E04@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/V1CWe6Zpvxddl8aqOIoR9HjzRSk>
Subject: Re: [DNSOP] =?utf-8?b?562U5aSNOiAgIOetlOWkjTogIEZ3ZDogSS1EIEFjdGlv?= =?utf-8?q?n=3A_draft-song-atr-large-resp-00=2Etxt?=
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Sep 2017 04:25:28 -0000

In message <59C48658.9000608@redbarn.org>rg>, Paul Vixie writes:
> Mark Andrews wrote:
> ...
> > Just padding UDP responses to EDNS buffer size should be enough to
> > force fragmentation.  If you advertise a 4096 buffer you should be
> > able to accept such a response.
> 
> i don't want to waste the octets. a lot of links are still mobile. 
> forcing source fragmentation for payloads longer than 512 will do.

Setsockopt IPV6_USE_MIN_MTU=1 for IPv6.
 
> > We also need to bump the EDNS version number.  Going to EDNS(1)
> > will hit the firewalls that think EDNS(0) is the only EDNS version
> > they will ever see.
> 
> that would drag in version negotiation -- a lot of responders would say 
> BADVERS which would lead, best case, to another round trip. but since 
> the version negotiation code paths aren't tested, it may be worse.

Version negotiation occuring will self correct.  A extra round trip
isn't too expensive.  We get enough FORMERR/BADVERS to EDNS(0) +
DNS COOKIE queries to know that it isn't a practical issue.

I've tested enough version negotiation paths.  See https://ednscomp.isc.org/
The entries with "badversion" show a failed EDNS version negotiation.
The entire Alexa top 1M is scanned once a month.

	EDNS(0) + rcode != BADVERS -> badversion
	BADVERS + response version >= request version -> badversion

> > BIND 9.11 is already adding a DNS COOKIE option to every request.
> > That is causing some firewalls to be fixed as well as some nameservers.
> > We haven't added additional workaround code for this.
> 
> nice. thanks for that.
> 
> -- 
> P Vixie
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org