Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-chain-query

Tony Finch <> Wed, 11 November 2015 22:01 UTC

Date: Wed, 11 Nov 2015 22:01:51 +0000
From: Tony Finch <>
To: Paul Vixie <>
In-Reply-To: <1610388.9fsJffuA5T@linux-85bq.suse>
Message-ID: <>
References: <> <4611426.Grkv5enuug@linux-85bq.suse> <> <1610388.9fsJffuA5T@linux-85bq.suse>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <>
Archived-At: <>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-chain-query

Paul Vixie <> wrote:
> On Wednesday, November 11, 2015 04:41:27 PM Tony Finch wrote:
> > Paul Vixie <> wrote:
> >
> > > yes, that's flooding the channel. you're allowed one work-stream per
> > > query, in order that timeouts and other loss are only felt as
> > > backpressure by those apps who caused them.
> >
> > Where is that specified?
> it's written in tire tracks down my backside.

Sounds painful :-)

> > > i have no objection to multiple parallel outstanding upstream queries
> > > over a TCP stream.
> >
> > Why is TCP special?
> because it has per-flow congestion control.

Which is perfectly fair, but there is a big difference between saying that
high-volume DNS clients need congestion control, and saying that they must
have at most one query outstanding at any time. If you say TCP is OK, you
are implicitly saying that it's OK to have a window size greater than one
packet. And that implies there are engineering questions about how that
window size should be managed.

And this implies it is unreasonable to forbid concurrent queries over UDP.
(And it would be futile to break running code in every browser.)

The upshot of all this is that how you use concurrent queries to improve
performance without breaking things is a matter of engineering and
implementation quality.

And since (as far as I know) no-one has done that engineering, I think it
is premature to try to deploy a protocol fix for a hypothetical problem.
(adns's concurrency control is quite simplistic, for example.)

What edns-chain-query says to DNSSEC users is, DNSSEC still isn't finished
or ready for deployment on edge devices, and you have to wait another 5 or
10 years for another protocol change to be deployed before you can get
decent performance.

This is wrong!

In order to make edns-chain-query work, validators will need to be
refactored to decouple the validation logic from the network chatter. At
the moment there aren't APIs that let you present a chain of DNSKEY and DS
RRsets to a validator and get an assessment. The current model is
"validate this RRset please" and then wait for a dozen RTTs.

But once you have a validator API that works with edns-chain-query you
also have a validator API that works with concurrent queries on the
existing DNS.

So really we should be trying to make that work first, since it has a much
more compelling deployment story.

And if well-informed engineering makes it clear that the existing DNS
can't reliably handle 6 ish concurrent queries, then maybe it's time to
think about upgrading everything with a new protocol feature.

f.anthony.n.finch  <>
Northwest Fitzroy: Southwesterly 5 to 7, occasionally gale 8. Rough or very
rough, becoming very rough or high. Occasional rain. Good, occasionally poor.
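[Added example, not part of the message above or of the edns-chain-query draft, and not the API of any real validator.] The message argues for a validator API that is handed a chain of DNSKEY and DS RRsets and returns an assessment, with no network chatter inside the validation logic. The sketch below shows that shape in Python: the caller (whether it got the records from edns-chain-query or from concurrent queries against today's DNS) supplies the RRsets, and the validator only checks the DS -> DNSKEY linkage per zone (RFC 4034 section 5.1.4) and the key tag (RFC 4034 Appendix B). RRSIG verification is deliberately omitted; zone names, flags and key bytes are constructed and the public keys are placeholders, not real RSA keys.

```python
"""
Offline DNSSEC chain-linkage check: an API that takes DNSKEY and DS RRsets
and returns an assessment, with no network I/O (constructed example).

Scope (an assumption of this example, not a complete validator): key tag
(RFC 4034 App. B) and DS -> DNSKEY digest linkage (RFC 4034 s.5.1.4).
RRSIG verification over the DNSKEY RRsets and the final answer is omitted.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# DS digest types registered for DNSSEC: 1 SHA-1, 2 SHA-256, 4 SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass
class Zone:
    name: str
    dnskeys: list[DNSKEY]                              # the zone's DNSKEY RRset
    child_ds: list[DS] = field(default_factory=list)   # DS RRset for the next zone down


def canonical_name(name: str) -> str:
    return name.lower().rstrip(".") + "."


def wire_name(name: str) -> bytes:
    # Canonical wire form (RFC 4034 s.6.2): lowercase, length-prefixed labels,
    # terminated by the zero-length root label.
    labels = [l for l in canonical_name(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    # RFC 4034 Appendix B.1 (every algorithm except the obsolete RSA/MD5 case)
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    # digest = H(canonical owner name | DNSKEY RDATA)   (RFC 4034 s.5.1.4)
    h = DIGESTS[digest_type](wire_name(key.owner) + key.rdata()).digest()
    return DS(key.owner, key_tag(key), key.algorithm, digest_type, h)


def ds_matches_key(ds: DS, key: DNSKEY) -> bool:
    # Purely structural checks; anything unexpected is "no match", never an exception.
    if ds.digest_type not in DIGESTS:
        return False
    if canonical_name(ds.owner) != canonical_name(key.owner):
        return False
    if not (key.flags & 0x0001) or key.protocol != 3:     # Zone Key bit, protocol 3
        return False
    if ds.algorithm != key.algorithm or ds.key_tag != key_tag(key):
        return False
    expected = DIGESTS[ds.digest_type](wire_name(key.owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)


def validate_chain(anchor: list[DS], zones: list[Zone]) -> tuple[str, str | None]:
    """
    Walk the chain top-down using only the records handed in.  Each zone's
    DNSKEY RRset must be linked to a DS RRset from the zone above (the trust
    anchor for the first zone).  Returns ("secure", None) or ("bogus", <zone>).
    """
    ds_above = anchor
    for zone in zones:
        if not any(ds_matches_key(ds, k) for ds in ds_above for k in zone.dnskeys):
            return ("bogus", canonical_name(zone.name))
        ds_above = zone.child_ds
    return ("secure", None)


def sample_chain() -> tuple[list[DS], list[Zone]]:
    # Constructed KSK-style keys (flags 257) for ".", "com." and "example.com.";
    # the public_key bytes are placeholders, not real RSA key material.
    root = DNSKEY(".", 257, 3, 8, bytes(range(32)))
    com = DNSKEY("com.", 257, 3, 8, bytes(range(32, 64)))
    example = DNSKEY("example.com.", 257, 3, 8, bytes(range(64, 96)))
    zones = [
        Zone(".", [root], [make_ds(com)]),
        Zone("com.", [com], [make_ds(example)]),
        Zone("example.com.", [example]),
    ]
    return [make_ds(root)], zones


if __name__ == "__main__":
    anchor, zones = sample_chain()
    print(validate_chain(anchor, zones))
    # Swap in a key the parent never delegated to: the chain breaks at "com."
    zones[1].dnskeys = [DNSKEY("com.", 257, 3, 8, b"not the delegated key")]
    print(validate_chain(anchor, zones))
```

The point of the split is that validate_chain() never blocks on a round trip: whoever fetches the RRsets decides whether to issue the dozen queries serially, with a bounded window of concurrent UDP queries, or as a single edns-chain-query exchange, and the assessment is identical in all three cases.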