Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-requirements
Warren Kumari <warren@kumari.net> Fri, 06 August 2021 15:23 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 495283A32C9 for <dnsop@ietfa.amsl.com>; Fri, 6 Aug 2021 08:23:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5iENq6zVxDDq for <dnsop@ietfa.amsl.com>; Fri, 6 Aug 2021 08:23:08 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF5E43A32CA for <dnsop@ietf.org>; Fri, 6 Aug 2021 08:23:07 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id t9so18620336lfc.6 for <dnsop@ietf.org>; Fri, 06 Aug 2021 08:23:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Zd+AJbl/zO4Wf1sA6XcUrlyv/kYygXErOQd1/whwGis=; b=JrnuHHXBNWNna3HVNRTfoSnO2NFqjU85c3QJV1ZkLQd6mfZghHXMj1CrtTWCDXb+uO VXkzaLPBDrXVol5VY7do8rgDyWuPrKqErptBHFuUmtrRmJu63EbV0UYQukz/J5jObzWG B19L7AyiIyMxqFIe5KKymfCJxCOW8z9psnPhYt9N4d1Qn8OfFqB4B6N2oMdZ4Z766rdi ffrnDfsoolOTEgqO60EEisJGJ6Sk7ZUc8d+62Cm8ZNLrzW8WQpbaaai42ShCNeKSfAPC 59IZ0PFNVxrrBXFUtR1Zh7xNTZWAZp3q/2o6k//s77VOdq7E7xvkVfiVlvFN6v6I4kf4 tm0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zd+AJbl/zO4Wf1sA6XcUrlyv/kYygXErOQd1/whwGis=; b=PCkD/9ph/IcZjqm8d4HaA9Xma6H3Hqdv/J7q6GeD3M2mkvCuhweVlrM3qlDK2l86FT INLCQk5n+6Wmv/KW3txBny1u6TFSMpdxzPO0j9wiPUBvjXnTbRD0sU6giM1woqLJ5WYl imHM78vHh5Rf4KF4l62emUBg3Wb0Jei7l1VI5GhTESZo3NyGyvIQlvet7v98hNIs9lr/ xnDGTzMP1iNxJUrJ2iFhRsMVAbcKROSrlVWXQByxVyK5rGq60u8hHFlrBATA9MNhHNBA A2Vsvl8SYYkHuH9gCvrXwII+uwetC0GQr/n3tooob3q/FvWtegg5oD2hw8mO71YqV8yP Du4g==
X-Gm-Message-State: AOAM531iFyDFZfqmDdQh5jORfx5iroNy/wY+NAFsQq5RaN1Z0bZTnvvh PjBA6L2SVc1ar5cy4eqpCIc5rDZVi8RloD+sotmb6Q==
X-Google-Smtp-Source: ABdhPJzrDADBsU6KjGqSZpZoPPDYEcdSHrDR3qsOMUSkXXOvwdbtlkCEQS8k2n4kVThKM06TnyYAfJl5jBxeO2y2STM=
X-Received: by 2002:a19:ca1a:: with SMTP id a26mr1524659lfg.491.1628263384633; Fri, 06 Aug 2021 08:23:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAHw9_iJOovKwVcSs_+jNZ5hQE9exWshpESpVmDfLEhB6wY=25A@mail.gmail.com> <3E270EE8-62A5-44E1-B3A5-B0418C018D6D@verisign.com> <CAHw9_iKoPGwj1S-WkeS_mEjrMWfQY8ev3jQ7uMb_N8V0N=X4-w@mail.gmail.com>
In-Reply-To: <CAHw9_iKoPGwj1S-WkeS_mEjrMWfQY8ev3jQ7uMb_N8V0N=X4-w@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 06 Aug 2021 11:22:28 -0400
Message-ID: <CAHw9_iLR3Pe2VX7ZKKjZ6pqJX+ukUwQ4BrCapkUXFbzYJY5mrw@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: dnsop <dnsop@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a4671b05c8e59cb6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/exIprMTM6Ao-tnYOmihRhAo8fpU>
Subject: Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Aug 2021 15:23:14 -0000
On Wed, Jul 14, 2021 at 7:50 PM Warren Kumari <warren@kumari.net> wrote: > > > On Wed, Jul 14, 2021 at 6:37 PM Wessels, Duane <dwessels@verisign.com> > wrote: > >> Thanks Warren, I made all of your proposed changes. > > > Gadzooks that was fast! > > > Here's a rewrite of the DNS wedgie paragraph: > > > > Excellent, thank you, I find that much easier to parse. > > Please let me know once you are able to submit it. > A reminder to publish a new version when able. W > > Thanks again, > W > > >> >> Networks that filter DNS over TCP may inadvertently cause problems >> for third-party resolvers as experienced by [TOYAMA]. For example, a >> resolver receives queries for a moderately popular domain. The >> resolver forwards the queries to the domain's authoritative name >> servers, but those servers respond with the TC bit set. The resolver >> retries over TCP, but the authoritative server blocks DNS over TCP. >> The pending connections consume resources on the resolver until they >> time out. If the number and frequency of these truncated-and-then- >> blocked queries is sufficiently high, the steady-state of lost >> resources as a result is a "DNS wedgie." A DNS wedgie is generally >> not easily or completely mitigated by the affected DNS resolver >> operator. >> >> >> DW >> >> >> > On Jul 14, 2021, at 2:36 PM, Warren Kumari <warren@kumari.net> wrote: >> > >> > >> > Hi there authors (and WG), >> > >> > Firstly, thank you very much for this document -- I think that it's a >> > useful document, although I'm a bit sad that it's needed :-) >> > >> > I do have a number of editorial comments/ nits. Addressing these >> > before IETF LC and IESG review should make progressing the document >> > easier and smoother... >> > >> > >> > 2. History of DNS over TCP >> > >> > The curious state of disagreement in operational best practices and >> > [O] disagreement in operational best practices >> > [P] disagreement between operational best practices >> > [R] clarity — I *think* this is what’s meant? >> > >> > guidance for DNS transport protocols derives from conflicting >> > messages operators have gotten from other operators, implementors, >> > and even the IETF. Sometimes these mixed signals have been explicit, >> > on other occasions they have been suspiciously implicit. This >> > [O] explicit, >> > on other occasions they have been suspiciously implicit. >> > [P] explicit; on other occasions, conflicting messages have been >> implicit. >> > [R] semicolon for grammar (otherwise it’s a run on sentence). Consider >> > dropping “suspiciously” — feels odd/awkward in this context. >> > >> > Section 2.2 >> > "[...] it is also clear that some new DNS record types defined in >> > the future will contain information exceeding the 512 byte limit >> > that applies to UDP, and hence will require TCP. >> > [R]: Nit - please add closing quote... >> > >> > >> > >> > Section 2.3. >> > EDNS(0) became widely deployed over the next >> > several years and numerous surveys ([CASTRO2010], [NETALYZR]) have >> > [O] several years and numerous surveys >> > [P] several years, and numerous surveys >> > [R] grammar >> > >> > While a non-negligible population of DNS systems lacked >> > EDNS(0) or fell back to TCP when necessary, DNS clients still >> > strongly prefer UDP to TCP. For example, as of 2014 DNS over TCP >> > >> > [O] For example, as of 2014 DNS >> > [P] For example, as of 2014, DNS >> > [R] clarity >> > >> > >> > Section 2.4. Fragmentation and Truncation >> > >> > For IPv6, the situation is a little more complicated. First, IPv6 >> > headers are 40 bytes (versus 20 without options in IPv4). Second, it >> > seems as though some people have mis-interpreted IPv6's required >> > >> > [O] mis-interpreted >> > [P] misinterpreted >> > >> > >> > 2.5. "Only Zone Transfers Use TCP" >> > >> > "A popular meme has also held the imagination of some: that >> > DNS over TCP is only ever used for zone transfers and is generally >> > unnecessary otherwise, with filtering all DNS over TCP traffic even >> > described as a best practice." >> > [R]: I find the phrasing of this odd -- do memes hold people's >> > imagination? Perhaps just "A popular meme is..."? Or even "Many people >> > erroneously believe ..." ? >> > >> > >> > However modern >> > standards and implementations are nearing parity with the more >> > >> > [O] However modern >> > [P] However, modern >> > [R] grammar/readability >> > >> > sophisticated TCP management techniques employed by, for example, >> > HTTP(S) servers and load balancers. >> > >> > 3. DNS over TCP Requirements >> > >> > An average increase in DNS message size (e.g., due to DNSSEC), the >> > continued development of new DNS features (Appendix A), and a denial >> > of service mitigation technique (Section 9) show that DNS over TCP >> > >> > [O] (Section 9) show that DNS >> > [P] (Section 9), all show that DNS >> > [R] readability >> > >> > >> > 4.2. Connection Management >> > >> > This can be used to ensure that a single or small set of users can >> > not consume ... >> > [O] can not >> > [P] cannot >> > [R] spelling/clarity >> > >> > 5. DNS over TCP Filtering Risks >> > >> > Therefore, filtering of DNS over TCP is considered harmful >> > and contrary to the safe and successful operation of the Internet. >> > This section enumerates some of the known risks known at the time of >> > [O] known risks known at the time >> > [P] known risks as of the time >> > [R] readability >> > >> > this writing when networks filter DNS over TCP. >> > >> > >> > 5.1. DNS Wedgie >> > >> > [O] If, for >> > instance, a resolver receives a truncated answer from a server, but >> > when the resolver resends the query using TCP and the TCP response >> > never arrives, not only will a complete answer be unavailable, but >> > the resolver will incur the full extent of TCP retransmissions and >> > timeouts. >> > [R] is it possible to break this into multiple sentences? It's a >> > little hard to parse.... >> > >> > >> > >> > Thank you very much - we are during posting cutoff, so please SHOUT >> > LOUDLY once you've posted a new version and I'll progress it.... >> > W >> > >> > >> > -- >> > Perhaps they really do strive for incomprehensibility in their specs. >> > After all, when the liturgy was in Latin, the laity knew their place. >> > -- Michael Padlipsky >> >> -- > Perhaps they really do strive for incomprehensibility in their specs. > After all, when the liturgy was in Latin, the laity knew their place. > -- Michael Padlipsky > -- The computing scientist’s main challenge is not to get confused by the complexities of his own making. -- E. W. Dijkstra
- [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-requi… Warren Kumari
- Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-r… Wessels, Duane
- Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-r… Warren Kumari
- Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-r… Warren Kumari