Re: [DNSOP] Priming query transport selection

Simon Leinen <> Fri, 15 January 2010 13:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6E1C93A68FF for <>; Fri, 15 Jan 2010 05:13:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mVE1YL81zxVw for <>; Fri, 15 Jan 2010 05:13:38 -0800 (PST)
Received: from ( [IPv6:2001:620:0:4:203:baff:fe4c:d751]) by (Postfix) with ESMTP id 557E23A6AAC for <>; Fri, 15 Jan 2010 05:13:35 -0800 (PST)
Received: from (localhost []) by (8.14.3+Sun/8.14.3) with ESMTP id o0FDDSkY007904; Fri, 15 Jan 2010 14:13:28 +0100 (CET)
Received: (from leinen@localhost) by (8.14.3+Sun/8.14.3/Submit) id o0FDDQkU007903; Fri, 15 Jan 2010 14:13:26 +0100 (CET)
X-Authentication-Warning: leinen set sender to using -f
From: Simon Leinen <>
To: Olafur Gudmundsson <>
In-Reply-To: <> (Olafur Gudmundsson's message of "Wed, 13 Jan 2010 13:19:30 -0500")
References: <>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1.91 (usg-unix-v)
X-Face: 1Nk*r=:$IBBb8|TyRB'2WSY6u:BzMO7N)#id#-4_}MsU5?vTI?dez|JiutW4sKBLjp.l7, F 7QOld^hORRtpCUj)!cP]gtK_SyK5FW(+o"!or:v^C^]OxX^3+IPd\z, @ttmwYVO7l`6OXXYR`
Date: Fri, 15 Jan 2010 14:13:26 +0100
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [DNSOP] Priming query transport selection
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Jan 2010 13:13:39 -0000

Olafur Gudmundsson writes:
> Proposed replacement text:
>    A priming query MUST use a QNAME of "." and a QTYPE of NS, QCLASS of IN,
>    with RD bit set to 0, the source port of the query should be randomly
>    selected [RFC5452].

>    A DNSSEC aware resolver SHOULD sent the priming query over TCP.
>    If TCP is refused a different server SHOULD be tried, after 3 tries
>    the resolver SHOULD fall back on UDP.

>    A DNSSEC ignorant but EDNS0 capable, resolver SHOULD issue the
>    priming query over UDP, ENDS0 option MUST be included with buffer
>    size of 1220 or larger.  If the UDP query times out TCP SHOULD be tried.

>    An EDNS0 ignorant resolver MUST issue the priming query over UDP.

> By making this change section 2.4 can be dropped, the one
> on not asking for signed answers.

After reading the entire discussion, I support Olafur's suggestion in
this form.  It's simple enough, and it falls back gracefully if TCP
somehow fails to work.

As for whether we should "encourage more TCP usage of DNS": I really
believe that this is a non-issue.  Priming queries from sane
implementations that follow the specs are NOT what we should be worried
about.  Sure, TCP requires more resources than UDP, especially as
implemented in today's nameservers.  That's why it is important to have
a fallback to UDP for priming: Otherwise it would be too easy for an
attacker to stop resolving nameservers in their tracks during startup.

As to Ed's point that how priming works is not that relevant, especially
with DNSSEC at the root: That's probably true.  But I also sympathize
with Olafur's desire for a warm fuzzy feeling about priming.  Plus, it
would provide a nice opportunity to log issues with TCP queries early
on, with a high chance for server operators to actually notice.