Re: [DNSOP] Priming query transport selection

Olafur Gudmundsson <> Wed, 13 January 2010 22:41 UTC

Date: Wed, 13 Jan 2010 17:41:14 -0500
To: Jim Reid <>, Alex Bligh <>
From: Olafur Gudmundsson <>

At 16:16 13/01/2010, Jim Reid wrote:
>On 13 Jan 2010, at 20:49, Alex Bligh wrote:
>>Current operational practice would result in DO clear packets
>>fitting within 4096 bytes, so no need for TCP when DO is clear.
>I don't think that's always the case Alex. See the lengthy discussion
>in this list about datagram fragmentation and broken middleware boxes
>that don't grok EDNS0. [Or do EDNS0 with a 512 byte buffer size.
>Sigh.] Mind you, some of those boxes will also barf on TCP DNS traffic.

The EDNS0 RFC restricts EDNS0 to 4096 bytes; a number of implementations
will not send more even if the client asks for it. Firewalls will
enforce this.

>>Thinking about it, a total prohibition (at MUST level) of using TCP
>>is probably a bit harsh given we don't even know they have UDP
>>connectivity. Perhaps "MUST issue the priming query *first*
>>over UDP", or use a SHOULD.
>SHOULD is more appropriate than a MUST IMO. If the resolver has a
>priori knowledge that UDP/EDNS0 will fail for some reason, forcing
>them to do that and then revert to TCP or whatever would be a Bad Thing.

We are talking about the priming query; assume no prior knowledge,
only the hints that the resolver is configured with, i.e. the SBELT.

>The preferred approach might probably be along these lines:
>         [1] EDNS0 + DO with a buffer of 5-8K (ish)
>         [2] TCP + DO when [1] fails
>         [3] EDNS0 + DO + 1.5K (ish) buffer if [2] fails
>         [4] EDNS0 (no DO) with a 1.5K (ish) buffer
>         [5] Vanilla UDP (no EDNS0) if [4] fails

1 is not an option.

>I think it would be helpful if the guidance on priming queries was
>split into 3 categories: resolvers that speak DNSSEC, those that are
>not DNSSEC-aware but speak EDNS0 and resolvers that are ignorant of
>both protocols. They'd start at [1], [4] and [5] respectively in the
>scenario above. The optimal priming behaviour for each may well be
>different, particularly wrt EDNS0 buffer minima and maxima. It would
>be good to give an explanation for those buffer sizes too in case
>we've all forgotten about that when revisiting the issue 5-10 years
>from now.
>Perhaps the recommended resolver behaviour should apply to all queries
>and not just the priming query?

No, the priming query is different from all other queries.
Yes, there should be guidance on fallback for EDNS0, and that
should be discussed in the EDNS0bis document context.
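As an added illustration (not code from this thread or from any resolver), the fallback ladder Jim sketches, with its three entry points, expressed as concrete priming queries on the wire. Assumptions: Jim's step [1] is capped to the 4096-byte EDNS0 ceiling Olafur cites instead of 5-8K, "1.5K (ish)" is taken as 1500, the transaction ID 0x1234 is a constructed value, and the OPT RR is kept on the TCP step so the DO bit has somewhere to live.

```python
import struct

# Constructed values, not from the thread: 4096 is the EDNS0 ceiling Olafur
# cites, so Jim's step [1] (5-8K buffer) becomes a 4096-byte step; 1500
# stands in for his "1.5K (ish)".
MAX_EDNS_BUF = 4096
SMALL_EDNS_BUF = 1500

def build_priming_query(txid, edns_bufsize=None, do=False):
    """Wire-format priming query '. IN NS', optionally carrying an EDNS0 OPT RR.

    edns_bufsize None -> vanilla query (no OPT RR). DO needs EDNS0 (RFC 3225)."""
    if do and edns_bufsize is None:
        raise ValueError("the DO bit lives in the OPT RR, so it requires EDNS0")
    arcount = 0 if edns_bufsize is None else 1
    # ID, FLAGS (QR=0, RD=0: the roots are authoritative), QD=1, AN=0, NS=0, AR
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, arcount)
    msg += b"\x00" + struct.pack("!HH", 2, 1)  # QNAME=root, QTYPE=NS, QCLASS=IN
    if edns_bufsize is not None:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-RCODE|version|flags (DO is the top bit of the flags), RDLEN=0
        ttl = 0x8000 if do else 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, ttl, 0)
    return msg

# Jim's ladder, with step [1] capped to 4096 per Olafur's objection.
LADDER = [
    ("udp", MAX_EDNS_BUF, True),     # [1'] EDNS0 + DO, largest allowed buffer
    ("tcp", MAX_EDNS_BUF, True),     # [2]  TCP + DO (OPT kept so DO can be set)
    ("udp", SMALL_EDNS_BUF, True),   # [3]  EDNS0 + DO, sub-MTU buffer
    ("udp", SMALL_EDNS_BUF, False),  # [4]  EDNS0, no DO
    ("udp", None, False),            # [5]  vanilla UDP, no EDNS0
]
# Entry points for Jim's three resolver categories.
START = {"dnssec": 0, "edns0": 3, "plain": 4}

def priming_plan(category, txid=0x1234):
    """Ordered (transport, query_bytes) attempts for a resolver class; each
    attempt is only tried if the previous one failed."""
    return [(transport, build_priming_query(txid, bufsize, do))
            for transport, bufsize, do in LADDER[START[category]:]]

def opt_udp_size(query):
    """Parse the advertised UDP payload size back out of the OPT RR (None if no OPT)."""
    if struct.unpack("!H", query[10:12])[0] == 0:   # ARCOUNT == 0: no OPT RR
        return None
    return struct.unpack("!H", query[20:22])[0]      # CLASS field of the OPT RR
```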