Re: [DNSOP] Priming query transport selection
Jim Reid <jim@rfc1035.com> Wed, 13 January 2010 21:16 UTC
Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 83A253A683C for <dnsop@core3.amsl.com>; Wed, 13 Jan 2010 13:16:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.974
X-Spam-Level:
X-Spam-Status: No, score=-2.974 tagged_above=-999 required=5 tests=[AWL=-0.975, BAYES_00=-2.599, J_CHICKENPOX_35=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id shJMJLrXcYNj for <dnsop@core3.amsl.com>; Wed, 13 Jan 2010 13:16:54 -0800 (PST)
Received: from hutch.rfc1035.com (hutch.rfc1035.com [195.54.233.70]) by core3.amsl.com (Postfix) with ESMTP id 8D17F3A67FA for <dnsop@ietf.org>; Wed, 13 Jan 2010 13:16:54 -0800 (PST)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jim) by hutch.rfc1035.com (Postfix) with ESMTPSA id 104F2154283B; Wed, 13 Jan 2010 21:16:50 +0000 (GMT)
Message-Id: <E87EE584-97B5-4FE8-B47D-21048A702B51@rfc1035.com>
From: Jim Reid <jim@rfc1035.com>
To: Alex Bligh <alex@alex.org.uk>
In-Reply-To: <CDE7E0414BC50C42E4FCC54F@Ximines.local>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 13 Jan 2010 21:16:49 +0000
References: <201001131823.o0DINxYv068180@stora.ogud.com> <555CFB98-BB21-4AD4-9D4A-3AF3BD98E4B2@rfc1035.com> <D9CCEA0D18D9D5B457A90853@Ximines.local> <631E7931-47D4-4AAF-B2C6-62DA6DA5A4CA@rfc1035.com> <CDE7E0414BC50C42E4FCC54F@Ximines.local>
X-Mailer: Apple Mail (2.936)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Priming query transport selection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2010 21:16:55 -0000
On 13 Jan 2010, at 20:49, Alex Bligh wrote: > Current operational practice would result in DO clear packets > fitting within 4096 bytes, so no need for TCP when DO is clear. I don't think that's always the case Alex. See the lengthy discussion in this list about datagram fragmentation and broken middleware boxes that don't grok EDNS0. [Or do EDNS0 with a 512 byte buffer size. Sigh.] Mind you, some of those boxes will also barf on TCP DNS traffic. > I thought it might be an error as the section title in your > proposed text doesn't match the section text, but that's > actually because two section titles are the same which > I think is the problem. Indeed: a stupid cut&paste error. Sorry. > Thinking about it, a total prohibition (at MUST level) of using TCP > is probably a bit harsh given we don't even know they have UDP > connectivity. Perhaps "MUST issue the priming query *first* > over UDP", or use a SHOULD. SHOULD is more appropriate than a MUST IMO. If the resolver has a priori knowledge that UDP/EDNS0 will fail for some reason, forcing them to do that and then revert to TCP or whatever would be a Bad Thing. The preferred approach might probably be along these lines: [1] EDNS0 + DO with a buffer of 5-8K (ish) [2] TCP + DO when [1] fails [3] EDNS0 + DO + 1.5K (ish) buffer if [2] fails [4] EDNS0 (no DO) with a 1.5K (ish) buffer [5] Vanilla UDP (no EDNS0) if [4] fails I think it would be helpful if the guidance on priming queries was split into 3 categories: resolvers that speak DNSSEC, those that are not DNSSEC-aware but speak EDNS0 and resolvers that are ignorant of both protocols. They'd start at [1], [4] and [5] respectively in the scenario above. The optimal priming behaviour for each may well be different, particularly wrt EDNS0 buffer minima and maxima. It would be good to give an explanation for those buffer sizes too in case we've all forgotten about that when revisiting the issue 5-10 years from now. Perhaps the recommended resolver behaviour should apply to all queries and not just the priming query?
- [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Alfred Hönes
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Edward Lewis
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
- Re: [DNSOP] Priming query transport selection Nicholas Weaver
- Re: [DNSOP] Priming query transport selection Ray.Bellis
- [DNSOP] RSA cracking Jim Reid
- Re: [DNSOP] Priming query transport selection Patrik Fältström
- Re: [DNSOP] Priming query transport selection bmanning
- Re: [DNSOP] Priming query transport selection Nicholas Weaver
- Re: [DNSOP] Priming query transport selection Patrik Fältström
- Re: [DNSOP] Priming query transport selection Sebastian Castro
- Re: [DNSOP] Priming query transport selection Ray.Bellis
- Re: [DNSOP] Priming query transport selection Simon Leinen
- Re: [DNSOP] Priming query transport selection Florian Weimer
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Florian Weimer
- Re: [DNSOP] Priming query transport selection George Barwood
- Re: [DNSOP] Priming query transport selection George Barwood
- [DNSOP] signing glue and additional data Jim Reid
- Re: [DNSOP] signing glue and additional data George Barwood
- Re: [DNSOP] Priming query transport selection Sebastian Castro
- [DNSOP] on what glue is (was: signing glue and ad… Andrew Sullivan
- Re: [DNSOP] on what glue is (was: signing glue an… Roy Arends
- Re: [DNSOP] [dnsext] Re: Priming query transport … Danny Mayer
- Re: [DNSOP] [dnsext] Re: Priming query transport … Alfred Hönes
- Re: [DNSOP] [dnsext] Re: Priming query transport … Olafur Gudmundsson