Re: [DNSOP] 答复: Fwd: New Version Notification for draft-wkumari-dnsop-multiple-responses-00.txt
Warren Kumari <warren@kumari.net> Tue, 13 January 2015 17:38 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A513D1A6FF7 for <dnsop@ietfa.amsl.com>; Tue, 13 Jan 2015 09:38:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5k3o-VZN1tZj for <dnsop@ietfa.amsl.com>; Tue, 13 Jan 2015 09:37:58 -0800 (PST)
Received: from mail-we0-f178.google.com (mail-we0-f178.google.com [74.125.82.178]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A390F1A6FF5 for <dnsop@ietf.org>; Tue, 13 Jan 2015 09:37:58 -0800 (PST)
Received: by mail-we0-f178.google.com with SMTP id p10so4281028wes.9 for <dnsop@ietf.org>; Tue, 13 Jan 2015 09:37:57 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=2cnMNmTwnJNNsnr76hPWcSvd6+8E8j/lWrTdkfNFvzc=; b=cNeFfEupm4Bob/Nga9wyqIhMdeVwglMIyDxci0wiy/TUMlAYXQesIAgf79BGL+IS5L msyRfsxLJQJsvd9T3kZ/ochVuQwEUmB8gqoz/kpY7EndiYmULHgZaS/rkoftqt95KxK8 i/yfED5SJAxog7njCVCUiR/kUtxfy39YvI4MwUS1JucrBRDS41/bgrrGppPpxpEjXW6d 2XGmoyqFg1HL0Lwpcdzu4W33LxF/cQlM8C1bDUvrmjEzy6FtMiJedrnabrlfZE9WT2H1 glK4K034z7lB94WlrKPiVARxn3q7p2Gl+QqikASoU0JFzQxTTPPzAI9UZ6dUuQxVdsGq BE5A==
X-Gm-Message-State: ALoCoQnDEX0Gl4cWiYA6Yo+JYTlQWp6L5oVGxgnjDyyEB56UHtM+YDqEdPX0GHCVQupAFuDKYCHY
MIME-Version: 1.0
X-Received: by 10.194.63.169 with SMTP id h9mr14548719wjs.23.1421170677064; Tue, 13 Jan 2015 09:37:57 -0800 (PST)
Received: by 10.194.78.77 with HTTP; Tue, 13 Jan 2015 09:37:56 -0800 (PST)
In-Reply-To: <alpine.LFD.2.10.1501130909220.4821@bofh.nohats.ca>
References: <20150111204743.314.71508.idtracker@ietfa.amsl.com> <CAHw9_iL8T9kbo_CNZzL83TGux4Ew3_nKc0DQAQ1ZHht76cFP5w@mail.gmail.com> <005301d02ee9$0a33a9c0$1e9afd40$@biigroup.cn> <alpine.LFD.2.10.1501130909220.4821@bofh.nohats.ca>
Date: Tue, 13 Jan 2015 12:37:56 -0500
Message-ID: <CAHw9_iJhV7g7PG-DkwE=OfS=+rR0evDM+MvxdHcGOTWxWdiKsQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/frhrOIVDGtazk01--r2AIkKkbYY>
Cc: "Davey Song (宋林健)" <ljsong@biigroup.cn>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] 答复: Fwd: New Version Notification for draft-wkumari-dnsop-multiple-responses-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2015 17:38:00 -0000
On Tue, Jan 13, 2015 at 9:13 AM, Paul Wouters <paul@nohats.ca> wrote: > On Tue, 13 Jan 2015, Davey Song (宋林健) wrote: > >> As to the draft itself, there are two questions: >> >> First, for a same transaction, the cost from using TCP may be more than >> the >> gain from the queries you save, which may ultimately let the performance >> become even worse. Do you have any consideration on this? > > > And also, if already doing tcp the the auth server, why not just ask the > 4 questions asynchronously over the TCP channel, instead of waiting to > see if the server will give you a freebie, where you might have to send > another query (After the RTT) for the data? Because you don't *know* all of the questions you need to ask until you get: A: some of the answers and / or B: some of the resources at the answers. If I want to send you mail at nohats.ca I do an MX for nohats.ca. This gives me back the inventively names mx.nohats.ca: wkumari-macbookpro1:tmp wkumari$ dig +short mx nohats.ca 10 mx.nohats.ca. Only *after* I get that back do I know that I need resolve mx.nohats.ca into an address. Similar issues happen with CNAME chains, etc. Before getting back some answers I don't know that I'll need the others. I also hit www.nohats.ca in a webbrowser while running 'tcpdump port 53' and got: 12:16:29.846791 IP 10.2.3.97.31679 > google-public-dns-a.google.com.domain: 49210+ A? www.nohats.ca. (31) 12:16:30.640061 IP 10.2.3.97.36067 > google-public-dns-a.google.com.domain: 22581+ A? nohats.ca. (27) 12:16:31.953095 IP 10.2.3.97.32374 > google-public-dns-a.google.com.domain: 55912+ A? www.paypal.com. (32) 12:16:31.953447 IP 10.2.3.97.39594 > google-public-dns-a.google.com.domain: 52512+ A? api.flattr.com. (32) 12:16:32.063993 IP 10.2.3.97.57364 > google-public-dns-a.google.com.domain: 28378+ A? blog.intelligistgroup.com. (43) 12:16:32.064204 IP 10.2.3.97.22750 > google-public-dns-a.google.com.domain: 14230+ A? libreswan.org. (31) 12:16:32.064404 IP 10.2.3.97.43119 > google-public-dns-a.google.com.domain: 42571+ A? heml.is. (25) 12:16:32.265799 IP 10.2.3.97.22719 > google-public-dns-a.google.com.domain: 60101+ A? www.paypal.com. (32) 12:16:32.825883 IP 10.2.3.97.15536 > google-public-dns-a.google.com.domain: 65455+ A? flattr.com. (28) 12:16:32.826109 IP 10.2.3.97.36181 > google-public-dns-a.google.com.domain: 64959+ A? static1.flattr.net. (36) 12:16:32.826273 IP 10.2.3.97.12831 > google-public-dns-a.google.com.domain: 1690+ A? static2.flattr.net. (36) 12:16:32.831187 IP 10.2.3.97.23825 > google-public-dns-a.google.com.domain: 11673+ A? static3.flattr.net. (36) 12:16:32.832103 IP 10.2.3.97.32762 > google-public-dns-a.google.com.domain: 63752+ A? static4.flattr.net. (36) 12:16:32.897722 IP 10.2.3.97.27532 > google-public-dns-a.google.com.domain: 18520+ A? 2.bp.blogspot.com. (35) 12:16:32.930835 IP 10.2.3.97.43140 > google-public-dns-a.google.com.domain: 57738+ A? sharoncol.balkowitsch.com. (43) 12:16:32.986412 IP 10.2.3.97.51562 > google-public-dns-a.google.com.domain: 52486+ A? images.nap.edu. (32) This involved doing 6 separate queries to ns[12].flattr.net - if these servers implemented this new thingie, when I did the first lookup (api.flattr.com) it could have given me the answers for flattr.com, static1.flattr.net., static2.flattr.net., static3.flattr.net., static4.flattr.net. Until I've spoken to api.flattr.com and done some stuff (~800ms) I have no idea that need to get static[1-4].flattr.com. > >> Second, the purpose of using TCP is to mitigate amplify attack as you >> describe in the draft. I notice that there is a draft using DNS cookie to >> counter that problem. But it lacks incentive to deploy. For my concern, >> you >> can consider to combine the two ideas to achieve better result. > > > The cookies wouldn't help much because it per definition introduced > another round trip. > > Also, why hardcode the records on the auth server. I think it is much > better to leave the auth servers as is, and have resolvers figure out > dynamically what is often asked in bundles and see if it can stuff > in an additional record there. hmmm.. that's an interesting idea. This requires changing the stub as well, which feels like lots of work :-P > > While I see a great use of a long term TCP connection between stubs and > resolvers, I am not sure I'm much in favour or doing lots of TCP between > resolver and auth server. > > Paul -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [DNSOP] Fwd: New Version Notification for draft-w… Warren Kumari
- [DNSOP] 答复: Fwd: New Version Notification for dra… Davey Song (宋林健)
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-wk… Paul Hoffman
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Paul Wouters
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Mark Andrews
- Re: [DNSOP] 答复: Fwd: New Version Notification for… George Michaelson
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Mark Andrews
- Re: [DNSOP] 答复: Fwd: New Version Notification for… John Levine
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Warren Kumari
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Warren Kumari
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Paul Vixie
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Evan Hunt
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Guangqing Deng
- Re: [DNSOP] 答复: Fwd: New Version Notification for… Paul Vixie
- Re: [DNSOP] 答复: Fwd: New Version Notification for… John R Levine
- Re: [DNSOP] New Version Notification for draft-wk… Tony Finch
- Re: [DNSOP] New Version Notification for draft-wk… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-wk… Tony Finch