Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion-performance-improvement-00.txt
Mark Andrews <marka@isc.org> Mon, 14 December 2015 09:49 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBE2D1A9045; Mon, 14 Dec 2015 01:49:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phX121g3Wzbs; Mon, 14 Dec 2015 01:49:17 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C09A1A9036; Mon, 14 Dec 2015 01:49:17 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 273333493B6; Mon, 14 Dec 2015 09:40:57 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 1756716003D; Mon, 14 Dec 2015 09:43:46 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 0311E160059; Mon, 14 Dec 2015 09:43:46 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id mQXKtUVHPGnU; Mon, 14 Dec 2015 09:43:45 +0000 (UTC)
Received: from [172.30.42.83] (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id 24EA416003D; Mon, 14 Dec 2015 09:43:45 +0000 (UTC)
References: <20151211172132.2410.88613.idtracker@ietfa.amsl.com> <20151211173028.GA27573@nic.fr> <20151211231529.5C3DE3F3251D@rock.dv.isc.org> <201512141620224544401@cnnic.cn>
Mime-Version: 1.0 (1.0)
In-Reply-To: <201512141620224544401@cnnic.cn>
Content-Type: multipart/alternative; boundary="Apple-Mail-88BE3F40-FCB2-4437-BCF9-55439DE0FE08"
Content-Transfer-Encoding: 7bit
Message-Id: <95673598-74D5-4A04-A8F1-A08352C59A0F@isc.org>
X-Mailer: iPhone Mail (10B500)
From: Mark Andrews <marka@isc.org>
Date: Mon, 14 Dec 2015 20:40:53 +1100
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/YYQ7_bgKdbOmRFMxFpDT2MVKsek>
Cc: dnsop <dnsop@ietf.org>, "draft-lee-dnsop-recursion-performance-improvement.all" <draft-lee-dnsop-recursion-performance-improvement.all@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion-performance-improvement-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2015 09:49:20 -0000
On 14/12/2015, at 19:20, "zuopeng@cnnic.cn" <zuopeng@cnnic.cn> wrote: > thanks for your comment! > > i just read draft-ietf-dnsop-cookies and it seems this draft is much more approriate to > work between stub resolves and recursive resolvers. it provides authentication for both > sides to improve security. but for outbound requests, a recursive server may not benefit > a lot because of the calculation and extra cache cost. > besides, i am also not clear about how it rejects forged requests. for every first > request, the client has no server cookies, how can the server recognize these requests? Cookies is designed to work with stub resolvers. Add a couple of bytes of shared memory and you can preserve the server cookies across multiple clients without hitting disk. As for not having a server cookie you just send the request without a server cookie and you will get back a answer or badcookie with a server cookie and in that case you resend the query with the learnt server cookie. > actually, we initially came up with this RQID draft to improve recursion performance > using fixed port numbers, it mainly aims to work between recursive servers and authorized > servers. And that was on of the reasons for cookies. > > the main differences between a RQID and a cookie are: > 1)RQID is stateless, nothing has to be cached; Cookies can be completely stateless. > 2)low calculation cost for RQID So is cookies. > also, your suggestion of not just accepting responses without the option but fall back to > port randomisation is helpful, we will supplement this to our new version. > > thanks! > > zuopeng@cnnic.cn > > From: Mark Andrews > Date: 2015-12-12 07:15 > To: Stephane Bortzmeyer > CC: draft-lee-dnsop-recursion-performance-improvement.all; dnsop > Subject: Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion-performance-improvement-00.txt > > In message <20151211173028.GA27573@nic.fr>, Stephane Bortzmeyer writes: > > On Fri, Dec 11, 2015 at 09:21:32AM -0800, > > internet-drafts@ietf.org <internet-drafts@ietf.org> wrote > > a message of 42 lines which said: > > > > > Title : An approach to improve recursion performance > > > Authors : Xiaodong Lee > > > Hongtao Li > > > Haikuo Zhang > > > Peng Zuo > > > Filename : draft-lee-dnsop-recursion-performance-improvement-00. > > txt > > > > At the first reading, I do not see the difference between your RQID > > and a cookie, as documented in draft-ietf-dnsop-cookies (currently > > past working group last call and sent to the IESG). > > It's half of the client half/part of a cookie. I would also suggest > not just accepting responses without the option but rather fall back > to port randomisation. > > We were planning to switch back to a fixed port. The only question > was for the first query and retry with a random port if one didn't > get the cookie option in a reply or to only send using the fixed > port when you know that cookies are supported by the server. The > choice of which strategy to employ is really dependent on the uptake > of cookie support in servers. > > At 50%+ deployment the first strategy should give the greatest > benefit. Before that the second strategy should be the winning > one. > > Mark > > > If there is a difference, and a reason why you just don't use DNS > > cookies, please document it. > > > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsop > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion… Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion… Mark Andrews
- Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion… zuopeng@cnnic.cn
- Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion… Mark Andrews