Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-11.txt
Kazunori Fujiwara <fujiwara@jprs.co.jp> Tue, 04 July 2023 04:39 UTC
Return-Path: <fujiwara@jprs.co.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FACDC14CE31 for <dnsop@ietfa.amsl.com>; Mon, 3 Jul 2023 21:39:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4cMSXEYr1tQT for <dnsop@ietfa.amsl.com>; Mon, 3 Jul 2023 21:39:23 -0700 (PDT)
Received: from off-send41.osa.jprs.co.jp (off-send41.osa.jprs.co.jp [IPv6:2001:218:3001:17::50]) by ietfa.amsl.com (Postfix) with ESMTP id 0B159C15107A for <dnsop@ietf.org>; Mon, 3 Jul 2023 21:39:22 -0700 (PDT)
Received: from off-sendsmg31.osa.jprs.co.jp (off-sendsmg31.osa.jprs.co.jp [172.23.8.161]) by off-send41.osa.jprs.co.jp (Postfix) with ESMTP id E9F024058CE; Tue, 4 Jul 2023 13:39:19 +0900 (JST)
Received: from off-sendsmg31.osa.jprs.co.jp (localhost [127.0.0.1]) by postfix.imss91 (Postfix) with ESMTP id DA1B26025EF2; Tue, 4 Jul 2023 13:39:19 +0900 (JST)
Received: from localhost (off-cpu08.osa.jprs.co.jp [172.23.4.18]) by off-sendsmg31.osa.jprs.co.jp (Postfix) with ESMTP id C28646025EF0; Tue, 4 Jul 2023 13:39:19 +0900 (JST)
Date: Tue, 04 Jul 2023 13:39:19 +0900
Message-Id: <20230704.133919.1763690097933000731.fujiwara@jprs.co.jp>
To: muks@mukund.org
Cc: dnsop@ietf.org
From: Kazunori Fujiwara <fujiwara@jprs.co.jp>
In-Reply-To: <ZJl4mlRP3Ur59o6A@w2>
References: <167411598212.43743.13566955247338354332@ietfa.amsl.com> <ZJl4mlRP3Ur59o6A@w2>
X-Mailer: Mew version 6.8 on Emacs 24.5.1
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSS-9.1.0.1373-9.0.0.1002-27730.004
X-TM-AS-Result: No--28.811-5.0-31-10
X-imss-scan-details: No--28.811-5.0-31-10
X-TMASE-Version: IMSS-9.1.0.1373-9.0.1002-27730.004
X-TMASE-Result: 10--28.810500-10.000000
X-TMASE-MatchedRID: ptYjalPuamJCXIGdsOwlUu5i6weAmSDKZggZX8gYmrW3CLdtdG1oCPCY Kqf93u4XixTOqH3npyUrTIIq3G50vz4Pcn5OGAtGrmLeMrcoM6hF5qVUCGhwTztMi3DI7t4fOXB 2cqV0mCLARsULoJDWyeaH6uAOPynTeAWB4z8NEW/LLIlHfuipHTqu3dM+YhFRR6RHdVK85hXEn7 tMc32baLYWjF770JXhgOMI3Btml7fX54Vmcx7RYBqkhv3OdF4DIfyQNHR2nabkMnUVL5d0E8UNI L4qyZJQKgvPefRUaGhHPmHy6OeVI8BGPJVbO3LVKsurITpSv+N4X4X0tP2REt9RlPzeVuQQdNwq GXNyMWH9cVVmVNDqVnOfJ1JWnwz2BmCqtety7J2hLSC6hXpJl2P/IYHnyZ+wnr4oKU6nK6Negzi aHeR7JwGRC3bBIF8oNDPEea3mEpkuOe9PG0ys5b928T84h7p3lNnJT1Rqg3a7Iv2OMTayQbAeJq 60hJFLFgAFrvBpOx/TxiW+CpZ3UMIjPjNxy7A/AD5jSg1rFtCDwLTbOQjvDnYdkYOuyxVSOrTV1 pt7yWIDTbb5HAvoIJhCh8+WImJU/Hg2g27gprcZca7SN08UZJIONJNyvJzU7lLGlTAoyS3Nx+fa m7AGSLXaGfEBiYuQTi4y4PWzRemB3AuymGAHRLi7edL7cQQOrthpnZXZolBxMr29w11YROOj4Df nnaWNHlp3bTM1FepMpzNWd962t7l/NE0vQj9WkCThXPqsqiv+wg8hpFeKgMlk/SMg0CpQo8WMkQ Wv6iV95l0nVeyiuD3qzHKAhsUYRjjVhf+j/wrrpxhAaj4pfqRJiL+iL2tOC24oEZ6SpSk+Mqg+C yrtwA==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tfKoQIB0epn-XMtzEOGxQcKaDz8>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-11.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2023 04:39:24 -0000
Mukund-san, Thanks very much. I updated my local version. http://member.wide.ad.jp/~fujiwara/avoid-fragmentation.html -- Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp> > From: Mukund Sivaraman <muks@mukund.org> > Fujiwara-san, Vixie-san, > > On Thu, Jan 19, 2023 at 12:13:02AM -0800, internet-drafts@ietf.org wrote: >> >> A New Internet-Draft is available from the on-line Internet-Drafts directories. >> This draft is a work item of the Domain Name System Operations WG of the IETF. >> >> Title : Fragmentation Avoidance in DNS >> Authors : Kazunori Fujiwara >> Paul Vixie >> Filename : draft-ietf-dnsop-avoid-fragmentation-11.txt >> Pages : 10 >> Date : 2023-01-19 >> >> Abstract: >> EDNS0 enables a DNS server to send large responses using UDP and is >> widely deployed. Large DNS/UDP responses are fragmented, and IP >> fragmentation has exposed weaknesses in application protocols. It is >> possible to avoid IP fragmentation in DNS by limiting response size >> where possible, and signaling the need to upgrade from UDP to TCP >> transport where necessary. This document proposes techniques to >> avoid IP fragmentation in DNS. > > Is there still time to mention some editorial nits? If so, please see > the following; I am sorry I did not review the recent revision earlier. > > >> 1. Introduction > >> DNS has an EDNS0 [RFC6891] mechanism. It enables a DNS server to >> send large responses using UDP. EDNS0 is now widely deployed, and >> DNS (over UDP) relies on on IP fragmentation when the EDNS buffer > > I suggest removing the brackets around "(over UDP)", and fix the typo of > two "on"s: > > i.e, write it as "... and DNS over UDP relies on IP fragmentation..." > >> This document proposes that implementations set the "Don't Fragment >> (DF) bit" [RFC0791] on IPv4 and not using the "Fragment header" > > "... and not use the \"Fragment header\"..." > >> [RFC8200] on IPv6 in DNS/UDP messages in order to avoid IP >> fragmentation, and describes how to avoid packet losses due to DF bit > > "... fragmentation. It also describes..." > >> 2. Terminology > >> "Requestor" refers to the side that sends a request. "Responder" >> refers to an authoritative, recursive resolver or other DNS component > > "... to an authoritative server, recursive resolver or..." > >> 3. Proposal to avoid IP fragmentation in DNS > >> These recommendations are intended for nodes with global IP addresses >> on the Internet. Private networks or local networks are out of the >> scope of this document. > >> The methods to avoid IP fragmentation in DNS are described below: > >> 3.1. Recommendations for UDP responders > >> * UDP responders SHOULD send DNS responses without "Fragment header" >> [RFC8200] on IPv6. > >> * UDP responders are RECOMMENDED to set IP "Don't Fragment flag (DF) >> bit" [RFC0791] on IPv4. > > I suggest using the RFC 2119 term SHOULD here as well (synonymous with > RECOMMENDED), so that when reading the text, the recommendation doesn't > appear of a different severity from the other items. > > "UDP responders SHOULD set the IP \"Don't Fragment flag (DF)..." > >> * UDP responders SHOULD compose response packets that fit in both > > "both" implies 2, whereas there are 3 things suggested. I suggest > deleting the word "both" and keeping the rest of the text. > >> the offered requestor's maximum UDP payload size [RFC6891], the >> interface MTU, and the RECOMMENDED maximum DNS/UDP payload size >> 1400. > >> * If the UDP responder detects an immediate error that the UDP > > "... immediate error indicating that the..." > >> packet cannot be sent beyond the path MTU size (EMSGSIZE), the UDP >> responder MAY recreate response packets fit in path MTU size, or >> TC bit set. > > "... recreate response packets to fit in the path MTU size, or with the > TC bit set." > >> * UDP responders SHOULD limit response size when UDP responders are > > "... SHOULD limit the response size..." > >> located on small MTU (<1500) networks. > >> 3.2. Recommendations for UDP requestors > >> * UDP requestors SHOULD limit the requestor's maximum UDP payload >> size to the RECOMMENDED size of 1400 or smaller size. > > "... or a smaller size." > >> * UDP requestors MAY drop fragmented DNS/UDP responses without IP >> reassembly to avoid cache poisoning attacks. > >> * DNS responses may be dropped by IP fragmentation. Upon a timeout, >> to avoid name resolution fails, UDP requestors MAY retry using TCP > > "... to avoid resolution failures, ..." > >> or UDP with a smaller requestor's maximum UDP payload size per > > "... smaller EDNS requestor's maximum UDP payload size..." > >> local policy. > > >> 4. Recommendations for zone operators and DNS server operators > >> Large DNS responses are the result of zone configuration. Zone >> operators SHOULD seek configurations resulting in small responses. >> For example, > >> * Use a smaller number of name servers (13 may be too large) > > Haha :) > >> * Use a smaller number of A/AAAA RRs for a domain name > >> * Use 'minimal-responses' configuration: Some implementations have a >> 'minimal responses' configuration that causes DNS servers to make > > "Use minimal responses configuration: Some implementations have a > "minimal-responses" configuration option that..." > >> response packets smaller, containing only mandatory and required >> data (Appendix C). > >> * Use a smaller signature / public key size algorithm for DNSSEC. >> Notably, the signature sizes of ECDSA and EdDSA are smaller than >> those for RSA. > > "... those usually used for RSA." > >> 7. Security Considerations > >> If a UDP respone packet is dropped (for any reason), it increases the > > s/respone/response/ > >> attack window for poisoning the requestor's cache. > > >> Appendix A. Weaknesses of IP fragmentation > >> A DNS message receiver cannot trust fragmented UDP datagrams >> primarily due to the small amount of entropy provided by UDP port >> numbers and DNS message identifiers, each of which being only 16 bits >> in size, and both likely being in the first fragment of a packet, if >> fragmentation occurs. By comparison, TCP protocol stack controls >> packet size and avoid IP fragmentation under ICMP NEEDFRAG attacks. > > s/avoid/avoids/ > >> In TCP, fragmentation should be avoided for performance reasons, >> whereas for UDP, fragmentation should be avoided for resiliency and >> authenticity reasons. > >> Appendix B. Details of requestor's maximum UDP payload size discussions > >> There are many discussions for default path MTU size and requestor's >> maximum UDP payload size. > >> * The minimum MTU for an IPv6 interface is 1280 octets (see >> Section 5 of [RFC8200]). Then, we can use it as the default path > > s/Then,/So,/ > >> MTU value for IPv6. The corresponding minimum MTU for an IPv4 >> interface is 68 (60 + 8) [RFC0791]. > > >> * In order to avoid IP fragmentation, [DNSFlagDay2020] proposed that >> the UDP requestors set the requestor's payload size to 1232, and >> the UDP responders compose UDP responses fit in 1232 octets. The > > "... compose UDP responses so they fit in 1232 octets." > >> size 1232 is based on an MTU of 1280, which is required by the >> IPv6 specification [RFC8200], minus 48 octets for the IPv6 and UDP >> headers. > >> * [Huston2021] analyzed the result of [DNSFlagDay2020] and reported >> that their measurements suggest that in the interior of the >> Internet between recursive resolvers and authoritative servers the >> prevailing MTU is at 1,500 and there is no measurable signal of >> use of smaller MTUs in this part of the Internet, and proposed >> that their measurements suggest setting the EDNS0 Buffer size to > > Here, does "EDNS Buffer size" mean the EDNS requestor's UDP payload size > (RFC 6891 section 6.2.3) or EDNS UDP response datagram's size? > >> IPv4 1472 octets and IPv6 1452 octets. > > " .. 1472 octets for IPv4, and 1562 octets for IPv6. > > >> Appendix C. Minimal-responses > >> Some implementations have a 'minimal responses' configuration that > > "... have a \"minimal-responses\" configuration setting/option..." > >> causes a DNS server to make response packets smaller, containing only >> mandatory and required data. > >> Under the minimal-responses configuration, A DNS server composes the > > s/A/a/ > >> response message using only the RRSet corresponding to the query. In > > This is not exactly correct (consider a CNAME response). It's better to > write it as: > > "... a DNS server composes responses containing only necessary RRs." > >> the case of delegation, see [I-D.ietf-dnsop-glue-is-not-optional]. > > s/In the case of delegation, see.../For delegations, see .../ > >> In case of a non-existent domain name or non-existent type, the >> authority section will contain an SOA record and the answer section >> is empty. (defined in Section 2.1 and 2.2 of [RFC2308]). > > "... is empty (defined in..." (remove period after empty) > > Mukund
- [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragme… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fr… Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fr… paul
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fr… Kazunori Fujiwara