Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming
Shane Kerr <shane@time-travellers.org> Thu, 18 February 2016 11:06 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8C861A88DC for <dnsop@ietfa.amsl.com>; Thu, 18 Feb 2016 03:06:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.044
X-Spam-Level:
X-Spam-Status: No, score=-0.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_PROFIT1=3.858, GB_I_LETTER=-2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 55EAEpixzmnH for <dnsop@ietfa.amsl.com>; Thu, 18 Feb 2016 03:06:23 -0800 (PST)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A27C1AC3E4 for <dnsop@ietf.org>; Thu, 18 Feb 2016 03:06:21 -0800 (PST)
Received: from [2001:470:78c8:2:224:9bff:fe13:3a9c] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1aWMPY-0000b9-Ft; Thu, 18 Feb 2016 11:06:16 +0000
Date: Thu, 18 Feb 2016 12:06:16 +0100
From: Shane Kerr <shane@time-travellers.org>
To: "Wessels, Duane" <dwessels@verisign.com>
Message-ID: <20160218120616.06f5f9bf@pallas.home.time-travellers.org>
In-Reply-To: <E44C4779-9B8E-4520-9535-7477F436D6C6@verisign.com>
References: <12831BC8-EE53-46C7-80A5-A7DAE651F157@vpnc.org> <2552EB05-B015-42F6-ABA6-D67B21CEBD4F@verisign.com> <C702935B-C23E-4DBC-9467-6DD024E172DE@vpnc.org> <56A3FDCE.6070001@uni-due.de> <E44C4779-9B8E-4520-9535-7477F436D6C6@verisign.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/b5xDxMjic0plpP-U9BwSObYPEuw>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2016 11:06:25 -0000
Duane, At 2016-01-26 22:32:45 +0000 "Wessels, Duane" <dwessels@verisign.com> wrote: > > On Jan 23, 2016, at 2:25 PM, Matthäus Wander <matthaeus.wander@uni-due.de> wrote: > > > > > > There's another issue: once root-servers.net is signed, the priming > > response will contain RRSIG in the ADDITIONAL section. > > Indeed. According to my simple test if root-servers.net is signed (the > same way as the root zone), the response size jumps quite a bit: > > > EDNS0? UDPsize DO= RSN signed? resp size > ------ ------- --- ----------- --------- > n - - n 492-512 > y 4096 0 n 755 > y 4096 1 n 913 > y 8192 1 y 4081 > > And these sizes could increase if two remaining letters decide to add AAAA records. This means that the section talking about the EDNS reassembly size could become outdated: The recursive resolver SHOULD use EDNS0 [RFC6891] for priming queries and SHOULD announce and handle a reassembly size of at least 1024 octets [RFC3226]. Doing so allows responses that cover the size of a full priming response (see Section 4.2). I guess a new RFC can be rolled if root-servers.net is signed, but we could just future-proof it now and recommend a larger size? Of course, if the result is larger than 4096 - the most common value for EDNS right now IIRC - then maybe we should just start recommending TCP right away? (My colleague Davey Song actually has an expired draft saying just that - draft-song-dnsop-tcp-primingexchange - but I think that a single sentence in the priming draft saying something like "if the DO bit is set, then TCP SHOULD be used, since a UDP response may be truncated" is enough). Personally I think TCP for root priming makes complete sense, since root priming traffic is a small fraction of a percent of both root server traffic and resolver queries. (In fact this is a subset of the general set of queries where "if you expect truncation, just start with TCP". That's a possibly useful optimization that probably nobody has bothered with because truncation is very rare.) Cheers, -- Shane
- [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-primi… Paul Hoffman
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Paul Hoffman
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Matthäus Wander
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Shane Kerr
- Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-p… Wessels, Duane
- [DNSOP] TCP for resolver priming (was DNSSEC in d… Shane Kerr
- Re: [DNSOP] TCP for resolver priming (was DNSSEC … Wessels, Duane