IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt

Tony Finch <dot@dotat.at> Thu, 12 March 2015 01:01 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E45961A8948 for <dnsop@ietfa.amsl.com>; Wed, 11 Mar 2015 18:01:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.011
X-Spam-Level:
X-Spam-Status: No, score=-3.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_26=0.6, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2-gPCw6ii_1D for <dnsop@ietfa.amsl.com>; Wed, 11 Mar 2015 18:01:53 -0700 (PDT)
Received: from ppsw-50.csi.cam.ac.uk (ppsw-50.csi.cam.ac.uk [131.111.8.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 556A81A88B0 for <dnsop@ietf.org>; Wed, 11 Mar 2015 18:01:53 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:43808) by ppsw-50.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.158]:25) with esmtpa (EXTERNAL:fanf2) id 1YVrVW-00025l-qn (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 12 Mar 2015 01:01:50 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1YVrVW-0001Bn-9O (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 12 Mar 2015 01:01:50 +0000
Date: Thu, 12 Mar 2015 01:01:50 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1503101027590.1870@bofh.nohats.ca>
Message-ID: <alpine.LSU.2.00.1503120034300.30006@hermes-1.csi.cam.ac.uk>
References: <20150309181620.6735.40863.idtracker@ietfa.amsl.com> <alpine.LSU.2.00.1503091825470.23307@hermes-1.csi.cam.ac.uk> <alpine.LFD.2.10.1503091454110.31683@bofh.nohats.ca> <alpine.LSU.2.00.1503101017390.10193@hermes-1.csi.cam.ac.uk> <alpine.LFD.2.10.1503101027590.1870@bofh.nohats.ca>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/_5hHxE2Nl4kgxpvgE1pzPFOnLjY>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 01:01:59 -0000

Paul Wouters <paul@nohats.ca> wrote:
> On Tue, 10 Mar 2015, Tony Finch wrote:

> > > All of those require round trips.
> >
> > No they do not. Please stop repeating this falsehood.
>
> paul@bofh:~$ sudo unbound-control flush_zone nohats.ca
> paul@bofh:~$ dig a +dnssec www.nohats.ca @127.0.0.1

Oh come on, surely you understand the difference between a protocol
requirement and an implementation artifact.

I agree that current validators use too many round trips, but that is not
because of problems in the protocol.

> > > Yes you can blindly send a bunch of parallel udp queries on every dot
> > > and hope the last one you need didn't take too long or drop.
> >
> > Or you can use TCP and send the whole lot in a single packet.
>
> Yes, that is what this draft recommends. Are you agreeing with me?

Sorry, by "send the whole lot" I mean the client can bundle up half a
dozen queries (each a separate DNS message) into one TCP packet.

Most existing recursive servers will process these queries serially, but
as Mark Andrews pointed out, if you send the original query before the
queries for the DS+DNSKEY chain, the first query will prime the cache so
the later queries can be answered immediately, for a 1RTT response.

> Sending a number of queries, and then when finding out you are still
> lacking some information, sending out another number of queries, is
> not the same as sending 1 query and getting a dns answer packet back
> that in itself completely validates.

But with the existing DNS protocol you can send out queries for everything
you need up front. If you use edns-chain-query there are still situations
where you have to ask follow-up queries, in pretty much the same cases as
without the extension.

You can implement the API you want without edns-chain-query.

I have looked at several validators, and they all have network logic
intertwined with the validation logic. None of the ones I looked at
currently have a function which can take a chain of RRsets and validate
them, the kind of function edns-chain-query would need. Once you have such
a function it's fairly easy to do 1 RTT query and validation without
edns-chain-query, and you want to do that anyway for compatibility with
old servers.

> > > I'm happy to add a section of recommendations for adding common "related
> > > records" such as IPSECKEY, TLSA, SSHFP or what not. It does mention
> > > CNAME/DNAME and I'm happy to add an entry about SRV and MX. Would that
> > > address your concerns?
> >
> > Well, it would fix an omission.
>
> Should the draft list those RRTYPEs it should consider including?
> If so, should the draft list these in weighted order?
> Does this include _prefix locations? (eg like for TLSA)
> Which records do you think should be considered?

You misunderstand what I mean. I am not suggesting adding answers for
questions that were not asked. I mean dealing with situations where the
DNS protocol (ignoring DNSSEC) requires follow-up queries that the client
cannot predict in advance, and which therefore require a second round
trip.

For example, if I ask for:
  dotat.at in mx ?
I may have to make follow-up queries regarding the target of the MX
record(s), and they have to be a second round trip.

This also applies to CNAME, DNAME, SRV, NS, maybe others.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
South Utsire, Southeast Forties: Southwesterly 4 or 5, becoming variable 3 or
4, then southeasterly 6 to gale 8 later. Moderate or rough. Fair. Good.

v2.23.0 | Report a Bug | By Email