Re: [DNSOP] Priming query transport selection
Simon Leinen <simon.leinen@switch.ch> Fri, 15 January 2010 13:13 UTC
Return-Path: <simon.leinen@switch.ch>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E1C93A68FF for <dnsop@core3.amsl.com>; Fri, 15 Jan 2010 05:13:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mVE1YL81zxVw for <dnsop@core3.amsl.com>; Fri, 15 Jan 2010 05:13:38 -0800 (PST)
Received: from diotima.switch.ch (diotima.switch.ch [IPv6:2001:620:0:4:203:baff:fe4c:d751]) by core3.amsl.com (Postfix) with ESMTP id 557E23A6AAC for <dnsop@ietf.org>; Fri, 15 Jan 2010 05:13:35 -0800 (PST)
Received: from diotima.switch.ch (localhost [127.0.0.1]) by diotima.switch.ch (8.14.3+Sun/8.14.3) with ESMTP id o0FDDSkY007904; Fri, 15 Jan 2010 14:13:28 +0100 (CET)
Received: (from leinen@localhost) by diotima.switch.ch (8.14.3+Sun/8.14.3/Submit) id o0FDDQkU007903; Fri, 15 Jan 2010 14:13:26 +0100 (CET)
X-Authentication-Warning: diotima.switch.ch: leinen set sender to simon.leinen@switch.ch using -f
From: Simon Leinen <simon.leinen@switch.ch>
To: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <201001131823.o0DINxYv068180@stora.ogud.com> (Olafur Gudmundsson's message of "Wed, 13 Jan 2010 13:19:30 -0500")
References: <201001131823.o0DINxYv068180@stora.ogud.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1.91 (usg-unix-v)
X-Face: 1Nk*r=:$IBBb8|TyRB'2WSY6u:BzMO7N)#id#-4_}MsU5?vTI?dez|JiutW4sKBLjp.l7, F 7QOld^hORRtpCUj)!cP]gtK_SyK5FW(+o"!or:v^C^]OxX^3+IPd\z, @ttmwYVO7l`6OXXYR`
Date: Fri, 15 Jan 2010 14:13:26 +0100
Message-ID: <aabpgvfr49.fsf@switch.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Priming query transport selection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jan 2010 13:13:39 -0000
Olafur Gudmundsson writes: > Proposed replacement text: > A priming query MUST use a QNAME of "." and a QTYPE of NS, QCLASS of IN, > with RD bit set to 0, the source port of the query should be randomly > selected [RFC5452]. > A DNSSEC aware resolver SHOULD sent the priming query over TCP. > If TCP is refused a different server SHOULD be tried, after 3 tries > the resolver SHOULD fall back on UDP. > A DNSSEC ignorant but EDNS0 capable, resolver SHOULD issue the > priming query over UDP, ENDS0 option MUST be included with buffer > size of 1220 or larger. If the UDP query times out TCP SHOULD be tried. > An EDNS0 ignorant resolver MUST issue the priming query over UDP. > By making this change section 2.4 can be dropped, the one > on not asking for signed answers. After reading the entire discussion, I support Olafur's suggestion in this form. It's simple enough, and it falls back gracefully if TCP somehow fails to work. As for whether we should "encourage more TCP usage of DNS": I really believe that this is a non-issue. Priming queries from sane implementations that follow the specs are NOT what we should be worried about. Sure, TCP requires more resources than UDP, especially as implemented in today's nameservers. That's why it is important to have a fallback to UDP for priming: Otherwise it would be too easy for an attacker to stop resolving nameservers in their tracks during startup. As to Ed's point that how priming works is not that relevant, especially with DNSSEC at the root: That's probably true. But I also sympathize with Olafur's desire for a warm fuzzy feeling about priming. Plus, it would provide a nice opportunity to log issues with TCP queries early on, with a high chance for server operators to actually notice. -- Simon.
- [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Alfred Hönes
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Edward Lewis
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
- Re: [DNSOP] Priming query transport selection Nicholas Weaver
- Re: [DNSOP] Priming query transport selection Ray.Bellis
- [DNSOP] RSA cracking Jim Reid
- Re: [DNSOP] Priming query transport selection Patrik Fältström
- Re: [DNSOP] Priming query transport selection bmanning
- Re: [DNSOP] Priming query transport selection Nicholas Weaver
- Re: [DNSOP] Priming query transport selection Patrik Fältström
- Re: [DNSOP] Priming query transport selection Sebastian Castro
- Re: [DNSOP] Priming query transport selection Ray.Bellis
- Re: [DNSOP] Priming query transport selection Simon Leinen
- Re: [DNSOP] Priming query transport selection Florian Weimer
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Florian Weimer
- Re: [DNSOP] Priming query transport selection George Barwood
- Re: [DNSOP] Priming query transport selection George Barwood
- [DNSOP] signing glue and additional data Jim Reid
- Re: [DNSOP] signing glue and additional data George Barwood
- Re: [DNSOP] Priming query transport selection Sebastian Castro
- [DNSOP] on what glue is (was: signing glue and ad… Andrew Sullivan
- Re: [DNSOP] on what glue is (was: signing glue an… Roy Arends
- Re: [DNSOP] [dnsext] Re: Priming query transport … Danny Mayer
- Re: [DNSOP] [dnsext] Re: Priming query transport … Alfred Hönes
- Re: [DNSOP] [dnsext] Re: Priming query transport … Olafur Gudmundsson