IETF Logo Mail Archive

Re: [DNSOP] Batch Multiple Query Packet

Shane Kerr <shane@isc.org> Thu, 01 March 2012 11:10 UTC

Return-Path: <shane@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABAE021F86C7 for <dnsop@ietfa.amsl.com>; Thu, 1 Mar 2012 03:10:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qFQL53Oz22Il for <dnsop@ietfa.amsl.com>; Thu, 1 Mar 2012 03:10:00 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id F08DA21F8664 for <dnsop@ietf.org>; Thu, 1 Mar 2012 03:09:59 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.pao1.isc.org (Postfix) with ESMTPS id D8D8EC9428; Thu, 1 Mar 2012 11:09:44 +0000 (UTC) (envelope-from shane@isc.org)
Received: from shane-desktop (unknown [IPv6:2001:610:719:1:beae:c5ff:fe43:aa00]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id AC46E216C31; Thu, 1 Mar 2012 11:09:42 +0000 (UTC) (envelope-from shane@isc.org)
Date: Thu, 01 Mar 2012 12:09:24 +0100
From: Shane Kerr <shane@isc.org>
To: John Levine <johnl@taugh.com>
Message-ID: <20120301120924.4e8f3d6e@shane-desktop>
In-Reply-To: <20120229164716.36600.qmail@joyce.lan>
References: <20120229102255.74fa4291@shane-desktop> <20120229164716.36600.qmail@joyce.lan>
X-Mailer: Claws Mail 3.8.0 (GTK+ 2.24.8; x86_64-redhat-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Batch Multiple Query Packet
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2012 11:10:01 -0000

John,

On Wednesday, 2012-02-29 16:47:16 -0000, 
"John Levine" <johnl@taugh.com> wrote:
> >The main (only?) advantage of doing it with EDNS is that you can work
> >with existing name servers. It means adding more logic to our already
> >fabulously complicated resolvers to get full benefit, but nobody ever
> >said DNS was easy.
> 
> If you're adding logic to servers and clients, why couldn't some of
> that logic listen on a different port?

Of course it could, but we would like old and new services to live
together happily.

What we don't want is for new servers to send a packet and have to go
through a timeout if old servers do not support the service.

In principle we could signal somehow that new servers are available
without sending a packet. The obvious way to do this - a new RR type -
is suboptimal, because if the new RR type does not live above the zone
cut then old style packets will still have to be used to figure out the
status of the servers.

Perhaps we could use a hack like the DNSCurve folks do, and encode in
the name of the delegation that it is a new-style server:

    waycool.example.com NS w--waycool-new-ns-1.waycool.example.com
			NS w--waycool-new-ns-2.waycool.example.com
			NS old-school-ns-1.waycool.example.com
			NS old-school-ns-2.waycool.example.com

If a hack like this makes sense, then a new port also makes sense.

> But honestly, I don't see what problem is being solved here.  The
> original motivation was to ask for SPF and TXT records at the same
> time, rather than sending two queries.  You don't need a new version
> of DNS to handle that, all you need is a kludge in your server that
> knows that when it gets a query for one, it can return the other in
> the additional section. MX queries already have their kludge,
> returning A and AAAA records.

I'm pretty sure MX queries do NOT have a kludge. I don't believe that
the additional section is actually used by any servers these days, so
MX queries (and their grown-up cousins, the SRV queries) are a great
example of where putting multiple queries in a single packet would be
helpful. While multiple queries in a single packet would not eliminate
all extra traffic, at least it would mean you could do all A/AAAA
queries in one follow-up packet:

  what is MX for xxx.example.com? ->
      <- a.example.com and b.example.com
  what are the A and AAAA for a.example.com and b.example.com?
      <- 192.0.2.1, 192.0.2.2

So we save 3 queries, although to be honest mail is the least
interesting since it all happens in the background and the traffic for
DNS is minimal compared to the traffic for the actual mail. :)

My personal goal is to improve resolution times for A/AAAA lookups by
collecting them into a single query. Perhaps it makes more sense to
simply add Yet Another DNS Hack and add a special QTYPE like ANY
meaning "any address", that is actually well-defined and usable.

There are possibly (probably?) other use cases, which is why I asked
what the use cases are. :)
 
> The meta-reason for doing two queries is that it's still so hard to
> provision new RR types that people fake them with TXT.  If we're going
> to hack on our DNS software, I'd rather work on that.

It will always be easier to simply use a TXT record. I can do pretty
much anything with a TXT record and my own software today... I just
start coding and a couple hours later there it is.

Even if the process is as simple as going to a web page on IANA and
filling in a 3-field form and waiting for the automatically-generated
confirmation e-mail, it will *still* be easier just to hack my own
stuff and not worry about it.

Having said that, it can't be extremely hard to get a new RR type.
There are tons of RR types that have been issued and never even had a
complete specification proposed. (You can see Ed's
draft-lewis-dns-undocumented-types for a list of these.)

So I think the meta-reason for doing multiple queries is because
sometimes you have related lookups and it would be handy to, you know,
do them at the same time.

Cheers,

--
Shane

v2.23.0 | Report a Bug | By Email