Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-chain-query
"Wiley, Glen" <gwiley@verisign.com> Thu, 12 November 2015 16:25 UTC
Return-Path: <gwiley@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90D841B2A69 for <dnsop@ietfa.amsl.com>; Thu, 12 Nov 2015 08:25:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LG21dW3Q7xqe for <dnsop@ietfa.amsl.com>; Thu, 12 Nov 2015 08:25:40 -0800 (PST)
Received: from mail-qg0-x263.google.com (mail-qg0-x263.google.com [IPv6:2607:f8b0:400d:c04::263]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 881561B2AB6 for <dnsop@ietf.org>; Thu, 12 Nov 2015 08:25:34 -0800 (PST)
Received: by qgea14 with SMTP id a14so3885918qge.2 for <dnsop@ietf.org>; Thu, 12 Nov 2015 08:25:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign_com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:user-agent :content-type:content-id:content-transfer-encoding:mime-version; bh=9CC39nAI4JccU74ua+Pj+tkqBkIKpXuHYwau290V6D4=; b=baRsqMW7msFU+AV5GozdoccUgXoDrNcb+Nc9uh/Ub3P4GLJm3de7omW5GE8iwdSiwp bVxR34VayeVyOvehhSgXfrNodQf0iuDCOQIWTopOgof6kXXixaC65WsPvNz4AJGUOMDF 37qAuzle7tBU2kLanb64SGHCnHdAbeF4H/SUdoIrFKezNRIBzH23VtBhQOvSrkI1bemt 28PX5TIWe0OQRUpFQPKFBWlO8sa3BFsnhkv1FE8g4OH04FPB5yxM6UuNa86ybNao9TAq Or4XzkWbPuZw4voIipQXdPKHGFomJ9wgU5b6G8an4HpgZvmh3KzlCUnxtc18P4OvxrQ0 0XJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:user-agent:content-type:content-id :content-transfer-encoding:mime-version; bh=9CC39nAI4JccU74ua+Pj+tkqBkIKpXuHYwau290V6D4=; b=Zbf9QDivPEc973vMhlTaV7SgNh9Id39lkP9CzGFCcqHvVYdDN8XmkxSb55tzHJ3nP0 TlsRe+5yous5tdRNRXlbHLZ+v7EP4GEJbUczDZu8Y8xY1MYTMwuIbhdCkGczPnXYxE2Z AGS2T0kGvR882GIX4HoQUo8eBsTNOXwP/yfOw8Rjij9w7NoHc3b7qxBDmOBq8+XDK5VE 24qaQ4r0/p0xcZ0tlM0Mef0/3FBvy6sNcGkmSOzGfhyEllPT25cBB9b7ZhXSiBnqFzEv WNc/GffdtHxOAS1l+nvy+v4l2I7MztMK+4O1PcMCQJP0Vr5FVYpGfsgbUgVKb7J+B+r2 vV1w==
X-Gm-Message-State: ALoCoQnud/64Fwgm38YmwxspialJVURioY6ekbrM5NZPS00ABxy06a8N6WRTvfb4iLiEUC7bG3CmhC/int3tCYySeUJTLeQlHA==
X-Received: by 10.140.152.82 with SMTP id 79mr17777303qhy.5.1447345533604; Thu, 12 Nov 2015 08:25:33 -0800 (PST)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id y62sm1184284qka.11.2015.11.12.08.25.33 (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 12 Nov 2015 08:25:33 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02 [10.173.152.206]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id tACGPWLw022712 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 12 Nov 2015 11:25:33 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Thu, 12 Nov 2015 11:25:32 -0500
From: "Wiley, Glen" <gwiley@verisign.com>
To: Tony Finch <dot@dotat.at>, Paul Vixie <paul@redbarn.org>
Thread-Topic: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-chain-query
Thread-Index: AQHRGu75PQZ6K/jvVEWxvm/CzpCKL56UM68AgAAJHwCAAArdgIAB1AwAgAEfCwCAABZBgIAACF8AgAAEL4CAAASSAIAAVPOAgADgnwA=
Date: Thu, 12 Nov 2015 16:25:32 +0000
Message-ID: <D26A2386.1E6E3%gwiley@verisign.com>
References: <5635CF1A.4030803@gmail.com> <4611426.Grkv5enuug@linux-85bq.suse> <alpine.LSU.2.00.1511111632550.25050@hermes-2.csi.cam.ac.uk> <1610388.9fsJffuA5T@linux-85bq.suse> <alpine.LSU.2.00.1511112130450.9873@hermes-2.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1511112130450.9873@hermes-2.csi.cam.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.9.150325
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <44AE703A36CDED48BB14EE126F54F382@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/yCJEL_A6o4RHkb8lkMkRMoJ6vmM>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-chain-query
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 16:25:42 -0000
On 11/11/15, 5:01 PM, "Tony Finch" <dot@dotat.at> wrote: >Paul Vixie <paul@redbarn.org> wrote: >> On Wednesday, November 11, 2015 04:41:27 PM Tony Finch wrote: >> > Paul Vixie <paul@redbarn.org> wrote: >> > >> > > yes, that's flooding the channel. you're allowed one work-stream per >> > > query, in order that timeouts and other loss are only felt as >> > > backpressure by those apps who caused them. >> > >> > Where is that specified? >> >> it's written in tire tracks down my backside. > >Sounds painful :-) > >> > > i have no objection to multiple parallel outstanding upstream >>queries >> > > over a TCP stream. >> > >> > Why is TCP special? >> >> because it has per-flow congestion control. > >Which is perfectly fair, but there is a big difference between saying that >high-volume DNS clients need congestion control, and saying that they must >have at most one query outstanding at any time. If you say TCP is OK, you >are implicitly saying that it's OK to have a window size greater than one >packet. And that implies there are engineering questions about how that >window size should be managed. > >And this implies it is unreasonable to forbid concurrent queries over UDP. >(And it would be futile to break running code in every browser.) > >The upshot of all this is that how you use concurrent queries to improve >performance without breaking things is a matter of engineering and >implementation quality. > >And since (as far as I know) no-one has done that engineering, I think it >is premature to try to deploy a protocol fix for a hypothetical problem. >(adns's concurrency control is quite simplistic, for example.) > >What edns-chain-query says to DNSSEC users is, DNSSEC still isn't finished >or ready for deployment on edge devices, and you have to wait another 5 or >10 years for another protocol change to be deployed before you can get >decent performance. > >This is wrong! Another way to read the message of edns-chain-query is: DNSSEC has many use cases and operation implications. If you would like an alternate path that may reduce latency under some conditions but not compromise the security of the query/response here is one way to tackle it. > >In order to make edns-chain-query work, validators will need to be >refactored to decouple the validation logic from the network chatter. At >the moment there aren't APIs that let you present a chain of DNSKEY and DS >RRsets to a validator and get an assessment. The current model is >"validate this RRset please" and then wait for a dozen RTTs. At this stage there aren¹t widely deployed validating stub resolvers. This is true of new technology in general - I don¹t think the bar for improvements should be ³has this already been implemented?² There are some budding ideas and implementations out there, but any support for DNSSEC on the client/host currently requires changes to the host APIs. > >But once you have a validator API that works with edns-chain-query you >also have a validator API that works with concurrent queries on the >existing DNS. > >So really we should be trying to make that work first, since it has a much >more compelling deployment story. > >And if well-informed engineering makes it clear that the existing DNS >can't reliably handle 6 ish concurrent queries, then maybe it's time to >think about upgrading everything with a new protocol feature. > >Tony. >-- >f.anthony.n.finch <dot@dotat.at> http://dotat.at/ >Northwest Fitzroy: Southwesterly 5 to 7, occasionally gale 8. Rough or >very >rough, becoming very rough or high. Occasional rain. Good, occasionally >poor. > >_______________________________________________ >DNSOP mailing list >DNSOP@ietf.org >https://www.ietf.org/mailman/listinfo/dnsop
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Bob Harold
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Joe Abley
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- Re: [DNSOP] Working Group Last Call for draft-iet… Shumon Huque
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Evan Hunt
- Re: [DNSOP] Working Group Last Call for draft-iet… Ólafur Guðmundsson
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Vixie
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Vixie
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Vixie
- Re: [DNSOP] Working Group Last Call for draft-iet… Tony Finch
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Vixie
- Re: [DNSOP] Working Group Last Call for draft-iet… Wiley, Glen
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Wouters
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski