Re: [DNSOP] WGLC: "Considerations for the use of DNS Reverse Mapping"

Edward Lewis <Ed.Lewis@neustar.biz> Tue, 01 April 2008 14:37 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@lists.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 88A7D3A6EC1; Tue, 1 Apr 2008 07:37:43 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0935D3A6EC1 for <dnsop@core3.amsl.com>; Tue, 1 Apr 2008 07:37:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4mXUvBwHuVv for <dnsop@core3.amsl.com>; Tue, 1 Apr 2008 07:37:42 -0700 (PDT)
Received: from ogud.com (hlid.ogud.com [66.92.146.160]) by core3.amsl.com (Postfix) with ESMTP id CD9843A6ECB for <dnsop@ietf.org>; Tue, 1 Apr 2008 07:37:41 -0700 (PDT)
Received: from [10.31.68.58] (ns.md.ogud.com [10.20.30.6]) by ogud.com (8.13.1/8.13.1) with ESMTP id m31EbRS5028093; Tue, 1 Apr 2008 10:37:28 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Mime-Version: 1.0
Message-Id: <a06240801c417f486db4d@[192.168.1.100]>
In-Reply-To: <200803312055.m2VKtQvt039221@drugs.dv.isc.org>
References: <200803312055.m2VKtQvt039221@drugs.dv.isc.org>
Date: Tue, 01 Apr 2008 10:36:28 -0400
To: Mark Andrews <Mark_Andrews@isc.org>
From: Edward Lewis <Ed.Lewis@neustar.biz>
X-Scanned-By: MIMEDefang 2.63 on 10.20.30.6
Cc: Peter Koch <pk@DENIC.DE>, bmanning@vacation.karoshi.com, Edward Lewis <Ed.Lewis@neustar.biz>, IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] WGLC: "Considerations for the use of DNS Reverse Mapping"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

At 7:55 +1100 4/1/08, Mark Andrews wrote:

>	Multiple PTR records scale worse than multiple A records.

That sentence is hard to parse.

I looked at the draft again and this thread.

The issue is not clear.  Yes, you can have multiple PTR records. 
Yes, there is a limit on how many records of any type can be in an 
RRset while fitting into the maximum DNS message size.

The doc says you should consider the consequences, which is about as 
accurate a statement as can be given.  However maybe more detail 
should be in the document.

Such as:

Multiple PTR records can be stored in a single PTR RRset.  If a 
device at an IP address (v4 or v6) has multiple identities with 
domain names, it would be good to have a PTR for each.  However, this 
is not always practical.  In some operational situations, an address 
may have thousands of domain names holding an address record (A or 
AAAA) with the address as the value.

The number of address records in a PTR set before tripping the upper 
limit on what can fit on even a TCP carried DNS message is 
approximately 4000 for A RR only and about 2000 for AAAA RR only.

If an address has just a few corresponding forward map records, it is 
worth entering them all.  If an address has many, a better strategy 
is to enter a few as is needed, adding more only when there is an 
operational request.

>	each address records needs a corresponding PTR record.  The
>	only reason we don't see more problems is that people have
>	been saying that it is a waste of time to have multiple PTR
>	records.

No, I don't think that's the reason.  I think we don't see "more 
problems" is that "it isn't that much of a problem" and possibly 
"where it could be a problem, people just don't put many in."

I don't think it is a waste of time.  The two downsides - the very 
real cap on the number of possible records (as mentioned above) and 
applications that aren't written correctly enough to handle the 
situation.

>>  	and apparently you can't have A records for them either.

The confusing element here is that this is a case of having -

5000 domains with one A record versus 1 domain with 5000 PTR records

It's not 1 domain with 5000 AAAA's => 1 domain with 5000 PTR's.  The 
problem is not symmetric.

>>  	so the actual spec limit is any mixture of RR types that
>>  	will fit into a 64k DNS message on TCP.  Right?

I suppose so.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
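Added example, not part of the thread: a small size calculator showing where the "about 4000 A / about 2000 AAAA" figures come from and how a PTR RRset of several thousand names overruns the 64K TCP message limit. It assumes (my assumptions, not the posters') an answer section only, no EDNS OPT record, and every answer RR's owner name compressed to a 2-byte pointer to QNAME; the names used are constructed.

```python
# Added example, not from the thread: estimates how many records of one type fit
# in a single DNS response, to show where the "about 4000 A / about 2000 AAAA"
# figures come from and why a PTR RRset of several thousand names cannot be served.
# Assumptions (mine): answer section only (no authority/additional, no EDNS OPT),
# and the owner name of every answer RR is compressed to a 2-byte pointer to QNAME.

DNS_HEADER_LEN = 12            # RFC 1035 section 4.1.1
MAX_TCP_MESSAGE = 65535        # 16-bit length prefix on TCP, RFC 1035 section 4.2.2
NAME_POINTER_LEN = 2           # compression pointer to an earlier name
RR_FIXED_LEN = 2 + 2 + 4 + 2   # TYPE, CLASS, TTL, RDLENGTH


def wire_name_len(name):
    """Uncompressed wire length of a name: one length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def question_len(qname):
    """QNAME + QTYPE + QCLASS."""
    return wire_name_len(qname) + 2 + 2


def rr_len(rdata_len):
    """One answer RR whose owner name is a compression pointer."""
    return NAME_POINTER_LEN + RR_FIXED_LEN + rdata_len


def ptr_rdata_len(target, compressed_suffix=""):
    """RDATA of a PTR is a name; optionally treat its tail as already compressed."""
    if not compressed_suffix:
        return wire_name_len(target)
    head = target.rstrip(".")[: -len(compressed_suffix.rstrip("."))].rstrip(".")
    return wire_name_len(head) - 1 + NAME_POINTER_LEN   # head labels + pointer


def max_rrs_in_message(qname, rdata_len, max_message=MAX_TCP_MESSAGE):
    """Largest RRset of equal-size records that fits in one response to qname."""
    available = max_message - DNS_HEADER_LEN - question_len(qname)
    return available // rr_len(rdata_len)


def mixed_rrset_fits(qname, rdata_lens, max_message=MAX_TCP_MESSAGE):
    """Does an answer of RRs with these RDATA sizes (any mix of types) fit?"""
    total = DNS_HEADER_LEN + question_len(qname) + sum(rr_len(n) for n in rdata_lens)
    return total <= max_message


if __name__ == "__main__":
    rev = "100.1.168.192.in-addr.arpa."          # constructed reverse-map owner name
    ptr = ptr_rdata_len("host1234.example.com.")  # constructed PTR target, 22 bytes
    print("A   :", max_rrs_in_message("www.example.com.", 4))    # 4093
    print("AAAA:", max_rrs_in_message("www.example.com.", 16))   # 2339
    print("PTR :", max_rrs_in_message(rev, ptr))                  # 1926
    print("5000 PTRs fit?", mixed_rrset_fits(rev, [ptr] * 5000))  # False
```

Even with the PTR targets' common suffix compressed (`ptr_rdata_len(..., "example.com")`), a few thousand names still exhaust the message, so the cap depends on name length and compression, not only on record count.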