Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming
"Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com> Fri, 16 October 2015 22:12 UTC
From: "Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com>
To: dnsop WG <dnsop@ietf.org>
Thread-Topic: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming
Date: Fri, 16 Oct 2015 22:11:47 +0000
Message-ID: <e5655df022644b64a83b124c4bb10d21@mxph4chrw.fgremc.it>
References: <8149BC4D-F11E-4E4F-BBB8-C38D865A4184@vpnc.org> <20151016161831.58bdf78d@pallas.home.time-travellers.org> <56211942.20206@redbarn.org> <CAJE_bqcxjC=zS8tj6tKGX18UeEFm6GHcyRhjC7AFdh3x9-L=vA@mail.gmail.com> <d2f5212cbf9b4f46a5cae9f3af3f1f50@mxph4chrw.fgremc.it> <A7B11A56-A66F-4E13-9675-56344E25C403@vpnc.org> <BCE894DC-01B6-42C4-9589-1C19CA395250@hopcount.ca> <20151016204202.677f3be3@pallas.home.time-travellers.org> <8D54A560-B4A8-457C-8883-7C2B04394C0F@hopcount.ca> <20151016222102.50590900@pallas.home.time-travellers.org> <78e1865f9d794271aeddac4e8f2bb986@mxph4chrw.fgremc.it> <77A9ADD7-7198-4547-B257-EBD607990D0E@hopcount.ca>
In-Reply-To: <77A9ADD7-7198-4547-B257-EBD607990D0E@hopcount.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/gCCgwoLj6_MZK07hZdvNGxVjud8>
Subject: Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming

I agree, the priming volume for a private enterprise is on a much smaller scale than the public Internet. But, at the same time, a notable difference between priming and normal DNS traffic (or mDNS, or ARP, etc.) is that priming traffic is more likely to traverse WAN links (because, unlike the public Internet, the root-server pool is typically a fairly *centralized* subset of all the published nameservers in the enterprise, since root servers generally only live in datacenters or "major" sites). WAN bandwidth cost-efficiencies haven't kept pace with other areas of information technology. This can, of course, be optimized using techniques like authoritative-nameserver Anycast, but, to be honest, not all organizations have the technological wherewithal to implement that.

As for how much priming traffic... what if an organization wanted to implement full-service resolvers on all of its endpoints (e.g. to provide "end-to-end" DNSSEC coverage)? Endpoints reboot or restart *a*lot*. When you have tens of thousands, or hundreds of thousands of endpoints that could prime several times a day, and priming is TCP instead of UDP, that might make such an approach cost-prohibitive. IMO, the desire to achieve some artificial "parity" between transport protocols, for priming, shouldn't displace security-enhancing approaches like end-to-end DNSSEC, into the "economically infeasible" category.

I admit, I haven't worked out the economics of this down to the last penny. I'm still more of a technologist than a businesscritter. But I see a lot of potential downside in allowing TCP priming and, frankly, the arguments for it, seem to be rather fluffy (parity, really?)

- Kevin

-----Original Message-----
From: Joe Abley [mailto:jabley@hopcount.ca]
Sent: Friday, October 16, 2015 5:18 PM
To: Darcy Kevin (FCA)
Cc: dnsop WG
Subject: Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming

On 16 Oct 2015, at 16:36, Darcy Kevin (FCA) wrote:

> It would be wise to get a clear statement of preference from the
> Internet root operators on this, but don't forget that whatever gets
> defined in IETF standards, and implemented in leading DNS software
> packages, also affects private enterprises too. Many of us run
> internal roots and I, for one, don't want to see an influx of traffic
> and/or spiky saturation of bandwidth, because priming suddenly morphed
> from UDP to TCP in the latest software update.

Let's make sure we put this in perspective, though -- how often do your resolvers restart? If it's once per few months to apply a kernel patch, then we're talking about far less traffic than your printers, phones and laptops are spewing every second onto the network with mDNS (or ARP, even :-)

Real root servers deal with internet-scale numbers of resolvers. It seems unlikely you have that problem in your campus network.

Joe