Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-requirements
Warren Kumari <warren@kumari.net> Wed, 14 July 2021 23:51 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FDDC3A0E1B for <dnsop@ietfa.amsl.com>; Wed, 14 Jul 2021 16:51:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WGchtWhNW7Om for <dnsop@ietfa.amsl.com>; Wed, 14 Jul 2021 16:51:10 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1B803A0E14 for <dnsop@ietf.org>; Wed, 14 Jul 2021 16:51:09 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id i5so6616883lfe.2 for <dnsop@ietf.org>; Wed, 14 Jul 2021 16:51:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=786lyyCVwQRTGBvF9utuiiRepWuvadRYXBdzPKRlLIc=; b=Tlk/9AHYE6y1uwnD/XmWcv7PDtBypvK0nHA9SesfoDIfFgiE22zMTWQPZvemR5krcX EdV9jPG7WkD3+aa2jeemywA8Jo0yUQYoiiZK4ysMv/ex28JzmPHeujDbYG1cJO8OSfZD pE0GnDwM68apXO7nrH4K0ran13getKuxQKekl3UYVZLa0jeG5p7cOfc7jyonKDoQ3t8G Q5CmdO+4DCxwJX4MWtXr1gbIssJKLvaHqPdpR8IcTGdurTC5bL3TCX9duC6j66d00fIn 5z3u5EkvUL7zliY9usFNe+btZahbwDHmIsqlgmVYlPxNU5Sh1LuW56l4Jf+4K827pdIw 986g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=786lyyCVwQRTGBvF9utuiiRepWuvadRYXBdzPKRlLIc=; b=pfl3oCkjrERRXNaAr8/6te1MkX9+e0OTo5pdt/mWLOdUhHKDBRCFaZBec47w8gxxxi Gh8n8sauVGjcdiXvNn3wv/XcYv570dWfETOptiuOIQp7QctlJyfGytsccQH7kK6Ysyj0 0R3zzENjhUpk3VRNgSZVhnJGsRwL9IUwVMAsFdLLZNfpuHLtM+IPdSTFBD5nAVBnBNzA LYJumqNEEzvfn/ktlyrvNtOy1j26fyryEacX6ML76nJBzQPb0YNVOqeBasu0T84cZy5a c2bPX6ZMlcNUOeSuDMaSkC7vg7Rx5f1ZoyBNNVNv8zERcrDzj4TuEm9Ns+MNFoxYzgws zI3w==
X-Gm-Message-State: AOAM53101xzJl4sLWuuHtK+VpNg4+OLBsMmY8RjdlpgLcOe5Xf8hAK4v 0q8yilkp4a8+e3kOqJCWsJ32rAwn2+hSCNdeKhC/ZQ==
X-Google-Smtp-Source: ABdhPJyGW85c9kJyoCx9i0xHGXYSC4I3it0PNV+P79nAnv45ETj0H/Ktbu1X9/z9k/wXLFGJElFjnsmtTnReEzIb7AE=
X-Received: by 2002:a05:6512:3886:: with SMTP id n6mr378743lft.419.1626306666921; Wed, 14 Jul 2021 16:51:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAHw9_iJOovKwVcSs_+jNZ5hQE9exWshpESpVmDfLEhB6wY=25A@mail.gmail.com> <3E270EE8-62A5-44E1-B3A5-B0418C018D6D@verisign.com>
In-Reply-To: <3E270EE8-62A5-44E1-B3A5-B0418C018D6D@verisign.com>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 14 Jul 2021 19:50:54 -0400
Message-ID: <CAHw9_iKoPGwj1S-WkeS_mEjrMWfQY8ev3jQ7uMb_N8V0N=X4-w@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: dnsop <dnsop@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002d94a705c71e0706"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/g_cYLfjstWMKdiZy-HSD5qTa60s>
Subject: Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2021 23:51:15 -0000
On Wed, Jul 14, 2021 at 6:37 PM Wessels, Duane <dwessels@verisign.com> wrote: > Thanks Warren, I made all of your proposed changes. Gadzooks that was fast! Here's a rewrite of the DNS wedgie paragraph: Excellent, thank you, I find that much easier to parse. Please let me know once you are able to submit it. Thanks again, W > > Networks that filter DNS over TCP may inadvertently cause problems > for third-party resolvers as experienced by [TOYAMA]. For example, a > resolver receives queries for a moderately popular domain. The > resolver forwards the queries to the domain's authoritative name > servers, but those servers respond with the TC bit set. The resolver > retries over TCP, but the authoritative server blocks DNS over TCP. > The pending connections consume resources on the resolver until they > time out. If the number and frequency of these truncated-and-then- > blocked queries is sufficiently high, the steady-state of lost > resources as a result is a "DNS wedgie." A DNS wedgie is generally > not easily or completely mitigated by the affected DNS resolver > operator. > > > DW > > > > On Jul 14, 2021, at 2:36 PM, Warren Kumari <warren@kumari.net> wrote: > > > > > > Hi there authors (and WG), > > > > Firstly, thank you very much for this document -- I think that it's a > > useful document, although I'm a bit sad that it's needed :-) > > > > I do have a number of editorial comments/ nits. Addressing these > > before IETF LC and IESG review should make progressing the document > > easier and smoother... > > > > > > 2. History of DNS over TCP > > > > The curious state of disagreement in operational best practices and > > [O] disagreement in operational best practices > > [P] disagreement between operational best practices > > [R] clarity — I *think* this is what’s meant? > > > > guidance for DNS transport protocols derives from conflicting > > messages operators have gotten from other operators, implementors, > > and even the IETF. Sometimes these mixed signals have been explicit, > > on other occasions they have been suspiciously implicit. This > > [O] explicit, > > on other occasions they have been suspiciously implicit. > > [P] explicit; on other occasions, conflicting messages have been > implicit. > > [R] semicolon for grammar (otherwise it’s a run on sentence). Consider > > dropping “suspiciously” — feels odd/awkward in this context. > > > > Section 2.2 > > "[...] it is also clear that some new DNS record types defined in > > the future will contain information exceeding the 512 byte limit > > that applies to UDP, and hence will require TCP. > > [R]: Nit - please add closing quote... > > > > > > > > Section 2.3. > > EDNS(0) became widely deployed over the next > > several years and numerous surveys ([CASTRO2010], [NETALYZR]) have > > [O] several years and numerous surveys > > [P] several years, and numerous surveys > > [R] grammar > > > > While a non-negligible population of DNS systems lacked > > EDNS(0) or fell back to TCP when necessary, DNS clients still > > strongly prefer UDP to TCP. For example, as of 2014 DNS over TCP > > > > [O] For example, as of 2014 DNS > > [P] For example, as of 2014, DNS > > [R] clarity > > > > > > Section 2.4. Fragmentation and Truncation > > > > For IPv6, the situation is a little more complicated. First, IPv6 > > headers are 40 bytes (versus 20 without options in IPv4). Second, it > > seems as though some people have mis-interpreted IPv6's required > > > > [O] mis-interpreted > > [P] misinterpreted > > > > > > 2.5. "Only Zone Transfers Use TCP" > > > > "A popular meme has also held the imagination of some: that > > DNS over TCP is only ever used for zone transfers and is generally > > unnecessary otherwise, with filtering all DNS over TCP traffic even > > described as a best practice." > > [R]: I find the phrasing of this odd -- do memes hold people's > > imagination? Perhaps just "A popular meme is..."? Or even "Many people > > erroneously believe ..." ? > > > > > > However modern > > standards and implementations are nearing parity with the more > > > > [O] However modern > > [P] However, modern > > [R] grammar/readability > > > > sophisticated TCP management techniques employed by, for example, > > HTTP(S) servers and load balancers. > > > > 3. DNS over TCP Requirements > > > > An average increase in DNS message size (e.g., due to DNSSEC), the > > continued development of new DNS features (Appendix A), and a denial > > of service mitigation technique (Section 9) show that DNS over TCP > > > > [O] (Section 9) show that DNS > > [P] (Section 9), all show that DNS > > [R] readability > > > > > > 4.2. Connection Management > > > > This can be used to ensure that a single or small set of users can > > not consume ... > > [O] can not > > [P] cannot > > [R] spelling/clarity > > > > 5. DNS over TCP Filtering Risks > > > > Therefore, filtering of DNS over TCP is considered harmful > > and contrary to the safe and successful operation of the Internet. > > This section enumerates some of the known risks known at the time of > > [O] known risks known at the time > > [P] known risks as of the time > > [R] readability > > > > this writing when networks filter DNS over TCP. > > > > > > 5.1. DNS Wedgie > > > > [O] If, for > > instance, a resolver receives a truncated answer from a server, but > > when the resolver resends the query using TCP and the TCP response > > never arrives, not only will a complete answer be unavailable, but > > the resolver will incur the full extent of TCP retransmissions and > > timeouts. > > [R] is it possible to break this into multiple sentences? It's a > > little hard to parse.... > > > > > > > > Thank you very much - we are during posting cutoff, so please SHOUT > > LOUDLY once you've posted a new version and I'll progress it.... > > W > > > > > > -- > > Perhaps they really do strive for incomprehensibility in their specs. > > After all, when the liturgy was in Latin, the laity knew their place. > > -- Michael Padlipsky > > -- Perhaps they really do strive for incomprehensibility in their specs. After all, when the liturgy was in Latin, the laity knew their place. -- Michael Padlipsky
- [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-requi… Warren Kumari
- Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-r… Wessels, Duane
- Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-r… Warren Kumari
- Re: [DNSOP] AD review: draft-ietf-dnsop-dns-tcp-r… Warren Kumari