Re: [DNSOP] default value of draft-ietf-dnsop-avoid-fragmentation
Jim Reid <jim@rfc1035.com> Mon, 15 March 2021 17:38 UTC
Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D2843A1851 for <dnsop@ietfa.amsl.com>; Mon, 15 Mar 2021 10:38:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SqCAHLOxw5wm for <dnsop@ietfa.amsl.com>; Mon, 15 Mar 2021 10:38:46 -0700 (PDT)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 006013A1845 for <dnsop@ietf.org>; Mon, 15 Mar 2021 10:38:45 -0700 (PDT)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 57D782421481; Mon, 15 Mar 2021 17:38:41 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <20210315.131604.152003594194628775.fujiwara@jprs.co.jp>
Date: Mon, 15 Mar 2021 17:38:40 +0000
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5AB6AF96-F099-4F9F-812A-2C42C1934FF1@rfc1035.com>
References: <20210315.131604.152003594194628775.fujiwara@jprs.co.jp>
To: Kazunori Fujiwara <fujiwara@jprs.co.jp>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_TxgmZVpk9fCqAlVsrv8oWXkFqs>
Subject: Re: [DNSOP] default value of draft-ietf-dnsop-avoid-fragmentation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2021 17:38:54 -0000
> On 15 Mar 2021, at 04:16, fujiwara@jprs.co.jp wrote: > > Dear DNSOP participants, > > Thanks very much for good comments for draft-ietf-dnsop-avoid-fragmentation. > > These are my proposal of Section 3.3. Default Maximum DNS/UDP payload size. > > I'm not sure what to do with "MAY, "SHOULD", or "MUST", > so please give us your opinion. Fujiwara-san, “resolvers MAY use PMTU” is probably right. A SHOULD or a MUST seems too strong: for instance when the resolver already has a priori knowledge of the MTU or that’s somehow hard-wired into the link-layer technology end-to-end. > However, operators of DNS servers SHOULD measure their path MTU to > well-known locations on the Internet, such as [a-m].root-servers.net > or [a-m].gtld-servers.net at setting up the servers. I think it would be better to replace this with “Operators of DNS servers MAY measure their path MTU.”. Measuring the MTU to well-known locations on the Internet won’t be appropriate for some use cases. For instance inside private nets that aren’t connected to the Internet or for forwarding-only servers that never query an authoritatve server. IMO it’s a bad idea to recommend specific servers that could be the target for those PMTU probes. [Suppose those names change one day - unlikely for the above but you never know.] That could become a vector of (D)DoS attacks - probably not on the above name servers themselves but on the access routers in front of them that might well be rate-limiting ICMP packets. This could get nasty with icky CPE firmware: imagine every home router in (say) Comcast’s net doing PMTU to the same root server. Besides, is the PMTU to a root or .com server, going to be the same as that for the example.whatever name servers? If PMTU is to be used, maybe it needs to be applied to all authoritative name servers a resolver queries? And maybe these will need to be re-probed from time to time, just like how resolving servers continually monitor RTTs to authoritative servers. PMTUs might well change when the links and routes change. I think it would also be helpful to discuss some of the trade-offs of using PMTU for DNS resolution. Some of these are mentioned in RFC8899. I’m sure PMTU will unquestionably be the right thing to do in some settings. But in others, it could cause more operational trouble than fragmented DNS packets: increased latency for example. It would be great if the ID helped developers and operators to make informed choices on when to use or not use PMTU.
- [DNSOP] default value of draft-ietf-dnsop-avoid-f… fujiwara
- Re: [DNSOP] default value of draft-ietf-dnsop-avo… Jim Reid
- Re: [DNSOP] default value of draft-ietf-dnsop-avo… Viktor Dukhovni
- Re: [DNSOP] default value of draft-ietf-dnsop-avo… Donald Eastlake
- Re: [DNSOP] default value of draft-ietf-dnsop-avo… Jim Reid
- Re: [DNSOP] default value of draft-ietf-dnsop-avo… Brian Dickson
- [DNSOP] Introduction section of draft-ietf-dnsop-… Brian Dickson
- Re: [DNSOP] Introduction section of draft-ietf-dn… fujiwara