Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion-performance-improvement-00.txt

Mark Andrews <marka@isc.org> Mon, 14 December 2015 09:49 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBE2D1A9045; Mon, 14 Dec 2015 01:49:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phX121g3Wzbs; Mon, 14 Dec 2015 01:49:17 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C09A1A9036; Mon, 14 Dec 2015 01:49:17 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 273333493B6; Mon, 14 Dec 2015 09:40:57 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 1756716003D; Mon, 14 Dec 2015 09:43:46 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 0311E160059; Mon, 14 Dec 2015 09:43:46 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id mQXKtUVHPGnU; Mon, 14 Dec 2015 09:43:45 +0000 (UTC)
Received: from [172.30.42.83] (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id 24EA416003D; Mon, 14 Dec 2015 09:43:45 +0000 (UTC)
References: <20151211172132.2410.88613.idtracker@ietfa.amsl.com> <20151211173028.GA27573@nic.fr> <20151211231529.5C3DE3F3251D@rock.dv.isc.org> <201512141620224544401@cnnic.cn>
Mime-Version: 1.0 (1.0)
In-Reply-To: <201512141620224544401@cnnic.cn>
Content-Type: multipart/alternative; boundary="Apple-Mail-88BE3F40-FCB2-4437-BCF9-55439DE0FE08"
Content-Transfer-Encoding: 7bit
Message-Id: <95673598-74D5-4A04-A8F1-A08352C59A0F@isc.org>
X-Mailer: iPhone Mail (10B500)
From: Mark Andrews <marka@isc.org>
Date: Mon, 14 Dec 2015 20:40:53 +1100
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/YYQ7_bgKdbOmRFMxFpDT2MVKsek>
Cc: dnsop <dnsop@ietf.org>, "draft-lee-dnsop-recursion-performance-improvement.all" <draft-lee-dnsop-recursion-performance-improvement.all@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion-performance-improvement-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2015 09:49:20 -0000


On 14/12/2015, at 19:20, "zuopeng@cnnic.cn" <zuopeng@cnnic.cn> wrote:

> thanks for your comment!
> 
> i just read draft-ietf-dnsop-cookies and it seems this draft is much more approriate to 
> work between stub resolves and recursive resolvers. it provides authentication for both 
> sides to improve security. but for outbound requests, a recursive server may not benefit 
> a lot because of the calculation and extra cache cost. 
> besides, i am also not clear about how it rejects forged requests. for every first 
> request, the client has no server cookies, how can the server recognize these requests?

Cookies is designed to work with stub resolvers. Add a couple of bytes of shared memory and you can preserve the server cookies across multiple clients without hitting disk. 

As for not having a server cookie  you just send the request without a server cookie and you will get back a answer or badcookie with a server cookie and in that case you resend the query with the learnt server cookie. 

> actually, we initially came up with this RQID draft to improve recursion performance 
> using fixed port numbers, it mainly aims to work between recursive servers and authorized 
> servers.

And that was on of the reasons for cookies. 

> 
> the main differences between a RQID and a cookie are:
> 1)RQID is stateless, nothing has to be cached;

Cookies can be completely stateless. 

> 2)low calculation cost for RQID

So is cookies. 

> also, your suggestion of not just accepting responses without the option but fall back to 
> port randomisation is helpful, we will supplement this to our new version.
> 
> thanks!
> 
> zuopeng@cnnic.cn
>  
> From: Mark Andrews
> Date: 2015-12-12 07:15
> To: Stephane Bortzmeyer
> CC: draft-lee-dnsop-recursion-performance-improvement.all; dnsop
> Subject: Re: [DNSOP] I-D Action: draft-lee-dnsop-recursion-performance-improvement-00.txt
>  
> In message <20151211173028.GA27573@nic.fr>, Stephane Bortzmeyer writes:
> > On Fri, Dec 11, 2015 at 09:21:32AM -0800,
> >  internet-drafts@ietf.org <internet-drafts@ietf.org> wrote
> >  a message of 42 lines which said:
> >
> > >         Title           : An approach to improve recursion performance
> > >         Authors         : Xiaodong Lee
> > >                           Hongtao Li
> > >                           Haikuo Zhang
> > >                           Peng Zuo
> > > Filename        : draft-lee-dnsop-recursion-performance-improvement-00.
> > txt
> >
> > At the first reading, I do not see the difference between your RQID
> > and a cookie, as documented in draft-ietf-dnsop-cookies (currently
> > past working group last call and sent to the IESG).
>  
> It's half of the client half/part of a cookie.  I would also suggest
> not just accepting responses without the option but rather fall back
> to port randomisation.
>  
> We were planning to switch back to a fixed port.  The only question
> was for the first query and retry with a random port if one didn't
> get the cookie option in a reply or to only send using the fixed
> port when you know that cookies are supported by the server.  The
> choice of which strategy to employ is really dependent on the uptake
> of cookie support in servers.
>  
> At 50%+ deployment the first strategy should give the greatest
> benefit.  Before that the second strategy should be the winning
> one.
>  
> Mark
>  
> > If there is a difference, and a reason why you just don't use DNS
> > cookies, please document it.
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org