Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt

Tony Finch <dot@dotat.at> Tue, 10 March 2015 10:32 UTC

Date: Tue, 10 Mar 2015 10:32:45 +0000
From: Tony Finch <dot@dotat.at>
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1503091454110.31683@bofh.nohats.ca>
Message-ID: <alpine.LSU.2.00.1503101017390.10193@hermes-1.csi.cam.ac.uk>
References: <20150309181620.6735.40863.idtracker@ietfa.amsl.com> <alpine.LSU.2.00.1503091825470.23307@hermes-1.csi.cam.ac.uk> <alpine.LFD.2.10.1503091454110.31683@bofh.nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/YHeYXv_gwHMNJ7Smfj5MG79MvmA>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt

Paul Wouters <paul@nohats.ca> wrote:
> On Mon, 9 Mar 2015, Tony Finch wrote:
> >
> > Without this extension the typical number of RTTs required is 1, so this
> > isn't a reduction.
>
> When you have nothing of nohats.ca in your cache, and you ask for the
> A record of www.nohats.ca, you will normally get back the A record
> and the RRSIG. Then you need to query for the DS, DNSKEY, etc etc. And
> then for the DS, DNSKEY et al. of the parent, the parent's parent, etc.
> All of those require round trips.

No they do not. Please stop repeating this falsehood.

> Yes you can blindly send a bunch of parallel UDP queries on every dot
> and hope the last one you need didn't take too long or drop.

Or you can use TCP and send the whole lot in a single packet.

In most cases the number of queries required is about the same number of
packets as a TCP initial window, so if your network can't cope with that
you are not going to have a happy time.

> > With this extension you still require 2 RTT if the target is SRV or MX,
> > and maybe if it is CNAME or DNAME depending on how much the server decides
> > to return. Maybe it requires 3 RTT if the server decides it doesn't like
> > doing chain queries any more.
>
> I'm happy to add a section of recommendations for adding common "related
> records" such as IPSECKEY, TLSA, SSHFP or what not. It does mention
> CNAME/DNAME and I'm happy to add an entry about SRV and MX. Would that
> address your concerns?

Well, it would fix an omission.

There is also the question of how the server should decide whether to
include the target validation chain or not, and if that depends on whether
the target is under the last known name or not. Is it entirely at the
server's discretion?

> > It occurs to me that you could get a lot of edns-chain-query's bandwidth
> > saving with a simple "minimal responses please" query flag.
>
> This is not about bandwidth saving.

But that is all it does.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Southeast Iceland: Northwesterly backing southerly 6 to gale 8, occasionally
severe gale 9 later. Rough or very rough, becoming high or very high. Wintry
showers, rain later. Good, occasionally poor.
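As an added illustration, not code from this thread or from the draft's authors: the Python below encodes the EDNS CHAIN option that carries the resolver's closest trust point (option code 13 as assigned in RFC 7901, the published form of this draft; treated here as an assumption since the draft-02 wire details are not on this page) and enumerates the per-label DS/DNSKEY queries a validator would otherwise issue "on every dot", which is the set that can be sent in parallel or pipelined over TCP.

```python
import struct

CHAIN_OPTION_CODE = 13  # EDNS0 option code for CHAIN (RFC 7901); assumed here


def name_to_wire(name: str) -> bytes:
    """Encode an FQDN as uncompressed RFC 1035 labels, terminated by the root label."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def chain_option(closest_trust_point: str) -> bytes:
    """EDNS0 option: OPTION-CODE, OPTION-LENGTH, then the trust point in wire form."""
    data = name_to_wire(closest_trust_point)
    return struct.pack("!HH", CHAIN_OPTION_CODE, len(data)) + data


def parse_chain_option(option: bytes) -> str:
    """Decode a CHAIN option; rejects compression pointers and trailing junk."""
    code, length = struct.unpack("!HH", option[:4])
    if code != CHAIN_OPTION_CODE or len(option) != 4 + length:
        raise ValueError("not a well-formed CHAIN option")
    pos, labels = 4, []
    while option[pos] != 0:
        n = option[pos]
        if n > 63:  # 0xC0.. would be a compression pointer; never valid in option data
            raise ValueError("bad label length in CHAIN option")
        labels.append(option[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos + 1 != len(option):
        raise ValueError("trailing bytes after name")
    return ".".join(labels) + "."


def validation_queries(qname: str, trust_point: str):
    """Queries a validator sends blindly at every label between qname and the
    name whose DNSKEY it already trusts: DS and DNSKEY per candidate zone cut.
    Labels that are not real cuts come back as proofs of non-existence instead."""
    q = qname.rstrip(".").split(".")
    t = [l for l in trust_point.rstrip(".").split(".") if l]
    if t and q[-len(t):] != t:
        raise ValueError("qname is not below the trust point")
    queries = [(".".join(q) + ".", "A")]
    for i in range(len(q) - len(t)):
        zone = ".".join(q[i:]) + "."
        queries += [(zone, "DS"), (zone, "DNSKEY")]
    return queries
```

Every tuple returned by validation_queries is independent of the others, which is why they need not cost one round trip each.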