Re: [DNSOP] Fwd: I-D Action: draft-song-atr-large-resp-00.txt

Paul Vixie <> Mon, 11 September 2017 06:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7FF1813217D for <>; Sun, 10 Sep 2017 23:11:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9YjWxu0o4jhK for <>; Sun, 10 Sep 2017 23:11:42 -0700 (PDT)
Received: from ( [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 17CFB126BF3 for <>; Sun, 10 Sep 2017 23:11:42 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:e0e2:dee8:8f5f:3537] (unknown [IPv6:2001:559:8000:c9:e0e2:dee8:8f5f:3537]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id DA0FB61FA2; Mon, 11 Sep 2017 06:11:41 +0000 (UTC)
Message-ID: <>
Date: Sun, 10 Sep 2017 23:11:40 -0700
From: Paul Vixie <>
User-Agent: Postbox 5.0.19 (Windows/20170908)
MIME-Version: 1.0
To: Davey Song <>
CC: dnsop <>
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] Fwd: I-D Action: draft-song-atr-large-resp-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Sep 2017 06:11:43 -0000

Davey Song wrote:
> Hi folks,
> I just submit a draft dealing with issue of large DNS response
> especially in IPv6. [Comments] are welcome.

in the original EDNS I-D, the following text was present:

> .IP MD
> ``More data'' flag.  Valid only in TCP streams where message ordering and
> reliability are guaranteed.  This flag indicates that the current message is
> not the complete request or response, and should be aggregated with the
> following message(s) before being considered complete.  Such messages are
> called ``segmented.''  It is an error for the RCODE (including the
> EXTENDED-RCODE), AA flag, or DNS Message ID to differ among segments of a
> segmented message.  It is an error for TC to be set on any message of a
> segmented message.  Any given RR must fit completely within a message, and
> all messages will both begin and end on RR boundaries.  Each section in a
> multipart message must appear in normal message order, and each section
> must be complete before later sections are added.  All segments of a message
> must be transmitted contiguously, without interleaving of other messages.

the MD extended flag was removed due to its complexity in 1998 or so, 
and while i planned to re-introduce it in EDNS2, however, EDNS1 never 
made it out the door, so it was lost.

i did not make it possible to use it in UDP because of packet reordering 
and because of microburst problems -- which is to say, TCP delivers 
things in the order they were transmitted, and attempts to avoid 
overloading the path bandwidth-delay-product (BDP) in ways that cause 
congestive loss.

by implication, MD was intended to allow messages larger than 64K 
octets, even while requiring individual RRsets to remain atomic within 
64K octet message segments. i realize that this is not the same goal 
you're pursuing with your draft, but this history may help you.

> If chairs think it is in the scope of dnsop wg and encourage us to
> discuss it in this mailing list, I can submit it as a draft listed in
> dnsop wg.

my own view is that changing the DNS protocol to work around middle 
boxes is a losing game. if measurement shows that a large fraction of 
today's deployed IPv6 edge does not accept extension headers or ICMP, 
and if that means fragmentation will not work toward those edges, then 
our proper response is to change all DNS servers to send extension 
headers on every IPv6 response. force the failures to occur as close as 
possible to, and as early as possible after, they are caused.

separately, we should be working on TFO deployment, and DNS-over-QUIC. 
we need a vision, rather than a long series of easy complications.

P Vixie