Re: [DNSOP] Reply: Call for Adoption: draft-song-atr-large-resp

"Ralf Weber" <dns@fl1ger.de> Tue, 22 January 2019 10:23 UTC

From: "Ralf Weber" <dns@fl1ger.de>
To: "Davey Song" <ljsong@biigroup.cn>
Cc: "Petr Špaček" <petr.spacek@nic.cz>, peter.van.dijk@powerdns.com, dnsop@ietf.org
Date: Tue, 22 Jan 2019 11:23:02 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rKROn_9UGv-57riwWC-FQ6UwBPc>

Moin!

On 22 Jan 2019, at 9:50, Davey Song wrote:
> It is not rare. It is just under the water. You cannot run a ship
> unaware of it, especially towards IPv6-only future. Here are some
> pointers and numbers:
>
> [1] presents a 28.26% ~ 55.23% packets drop rate for IPv6 fragments.
> [2] reports 10% of the paths between the vantage points and the
> experimental setup filter IP fragments. [3] reports 37.45% of
> endpoints used IPv6-capable DNS resolvers that were incapable of
> receiving a fragmented IPv6 response. [4] Yeti testbed also observed
> over 7% failure rate for queries against IPv6-only server during KSK
> rollover using 100 probes. [5] is an IETF workgroup document of this
> problem. It is **not** a rare operational problem.
You see on that listing that the more you go to an actual real world 
scenario the lower the impact gets. As soon as you add an IPv4 server 
the problem is gone. Now IMHO we should work on getting these rates 
where fragments are dropped down and not implement yet another 
workaround.

>> Ralf Weber: Having one v6 name server that will respond correctly with
>> fragments also solves the problem. I think the problem space is too
>> narrow to burden this problem on all resolvers.
>
> Now 389 of the v6 TLD servers, including .org, reply with large packets,
> please check [Appendix]. I'm not sure how they can respond correctly
> currently when they need to add more content in the answer section. I'm
> told that a few large DNS operators are using a certain DNSSEC tool
> generating a large DNSKEY RRset and RRSIG RRset.
Replying with large packets itself is not the problem. The problem is
something in between, most probably towards either edge, dropping
reassembly of fragmented packets. For some of the resolvers I run and my
client network I just did a spot check and all v6 fragments get
reassembled and I could use UDP with a large bufsize to get the DNSKEY
for org. I even tried some of the more crazy ones with ~3k key set
size. Again no problem. So it is possible to run an IPv6 DNS server with
large packet sizes over UDP.

So long
-Ralf
--
Ralf Weber

Sample digs

; <<>> DiG 9.12.3-P1 <<>> DNSKEY +dnssec +bufsize=4096 org. +notcp @2001:500:48::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36371
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org.				IN	DNSKEY


;; Query time: 19 msec
;; SERVER: 2001:500:48::1#53(2001:500:48::1)
;; WHEN: Tue Jan 22 11:17:33 CET 2019
;; MSG SIZE  rcvd: 1625

; <<>> DiG 9.12.3-P1 <<>> bg. DNSKEY +dnssec +notcp @2a02:6a80::192:92:129:99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33260
;; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bg.				IN	DNSKEY


;; Query time: 54 msec
;; SERVER: 2a02:6a80::192:92:129:99#53(2a02:6a80::192:92:129:99)
;; WHEN: Tue Jan 22 11:20:04 CET 2019
;; MSG SIZE  rcvd: 3103
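
The spot check in the message above can be repeated across many servers by parsing saved dig transcripts. The following is an added example, not part of the original message: it labels each transcript by whether a large response arrived over UDP, came back truncated, or never arrived. The 1500-byte path MTU, the function names and the last two sample transcripts are assumptions.

```python
import re

# Assumption: 1500-byte path MTU; IPv6 header (40) + UDP header (8) leave
# 1452 bytes of DNS payload before the sender has to fragment.
MAX_UNFRAGMENTED_V6 = 1500 - 40 - 8

# First two transcripts: lines taken from the dig output in the message above.
# Last two are constructed (2001:db8::/32 is documentation address space).
SAMPLE = """\
; <<>> DiG 9.12.3-P1 <<>> DNSKEY +dnssec +bufsize=4096 org. +notcp @2001:500:48::1
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 1625
; <<>> DiG 9.12.3-P1 <<>> bg. DNSKEY +dnssec +notcp @2a02:6a80::192:92:129:99
;; flags: qr aa rd; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 3103
; <<>> DiG 9.12.3-P1 <<>> example. DNSKEY +dnssec +notcp +ignore @2001:db8::53
;; flags: qr aa tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 36
; <<>> DiG 9.12.3-P1 <<>> example. DNSKEY +dnssec +notcp @2001:db8::54
;; connection timed out; no servers could be reached
"""

def parse_dig(text):
    """Split concatenated dig transcripts into one record per query."""
    records = []
    for chunk in text.split("; <<>> DiG ")[1:]:
        cmd = chunk.splitlines()[0]              # the echoed command line
        server = re.search(r"@(\S+)", cmd)
        flags = re.search(r"^;; flags: ([a-z ]+);", chunk, re.M)
        size = re.search(r"^;; MSG SIZE\s+rcvd: (\d+)", chunk, re.M)
        records.append({
            "server": server.group(1) if server else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "size": int(size.group(1)) if size else None,
            "timed_out": "connection timed out" in chunk,
        })
    return records

def classify(rec):
    """Label one transcript; assumes a UDP query to an IPv6 server."""
    if rec["timed_out"] or rec["size"] is None:
        return "no-response"         # consistent with dropped fragments, not proof
    if "tc" in rec["flags"]:
        return "truncated"           # answer did not fit; needs a TCP retry
    if rec["size"] > MAX_UNFRAGMENTED_V6:
        return "large-udp-received"  # too big for one packet at this MTU
    return "single-packet"

def triage(text):
    """Map each queried server to its label."""
    return {r["server"]: classify(r) for r in parse_dig(text)}
```

A `no-response` label only narrows the search: a packet capture on both ends is still needed to confirm that fragments, rather than the whole exchange, were dropped.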