Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt
Paul Wouters <paul@nohats.ca> Tue, 10 March 2015 14:58 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96A901A8953 for <dnsop@ietfa.amsl.com>; Tue, 10 Mar 2015 07:58:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nyTcYeByVvPV for <dnsop@ietfa.amsl.com>; Tue, 10 Mar 2015 07:58:11 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F5211A8965 for <dnsop@ietf.org>; Tue, 10 Mar 2015 07:58:11 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3l1fg55MKpz1J0; Tue, 10 Mar 2015 15:58:09 +0100 (CET)
Authentication-Results: mx.nohats.ca; dkim=pass reason="1024-bit key; unprotected key" header.d=nohats.ca header.i=@nohats.ca header.b=F2vW7A7Q; dkim-adsp=pass
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id bcEeUN157HOX; Tue, 10 Mar 2015 15:58:08 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 10 Mar 2015 15:58:08 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 5CCAC82A1E; Tue, 10 Mar 2015 10:58:07 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1425999487; bh=tE38kM0q1JnpMGNw5zISWyDB6N832qoGuNn0JmU7Ueg=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=F2vW7A7QV/3FL9Tld7nlKlCF3m+s419+zX4zHogZhUujkU+Ig3tagzHxanIExX2tX oqfi/77PsT6hvtLEXbWPdTXC9n9v7blL17aB/cCzlwqe3IJNYXKMDXJV5zhXChZxwZ wYzaQzTiAFgKJofob9GfzXonCz9rQdzWRt0TVdqs=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id t2AEw6qQ007609; Tue, 10 Mar 2015 10:58:06 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Tue, 10 Mar 2015 10:58:06 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tony Finch <dot@dotat.at>
In-Reply-To: <alpine.LSU.2.00.1503101017390.10193@hermes-1.csi.cam.ac.uk>
Message-ID: <alpine.LFD.2.10.1503101027590.1870@bofh.nohats.ca>
References: <20150309181620.6735.40863.idtracker@ietfa.amsl.com> <alpine.LSU.2.00.1503091825470.23307@hermes-1.csi.cam.ac.uk> <alpine.LFD.2.10.1503091454110.31683@bofh.nohats.ca> <alpine.LSU.2.00.1503101017390.10193@hermes-1.csi.cam.ac.uk>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/zJlegBsE0BHDZa7drMMkQVf-nw4>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 14:58:14 -0000
On Tue, 10 Mar 2015, Tony Finch wrote: Tony, >>> Without this extension the typical number of RTTs required is 1, so this >>> isn't a reduction. >> >> When you have nothing of nohats.ca in your cache, and you ask for the >> A record of www.nohats.ca, you will normally get back the A record >> and the RRSIG. Then you need to query for the DS, DNSKEY, etc etc. And >> then for the DS, DNSKEY et all of the parent, the parents parent, etc. >> All of those require round trips. > > No they do not. Please stop repeating this falsehood. paul@bofh:~$ sudo unbound-control flush_zone nohats.ca paul@bofh:~$ dig a +dnssec www.nohats.ca @127.0.0.1 ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-16.P2.fc19 <<>> a +dnssec www.nohats.ca @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60716 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.nohats.ca. IN A ;; ANSWER SECTION: www.nohats.ca. 86400 IN A 193.110.157.102 www.nohats.ca. 86400 IN RRSIG A 8 3 86400 20150318104211 20150304194202 29800 nohats.ca. HrYIKv7AJE8XL7TihxgWEMtZGTJ7LEqxtXOJf3NCbG5vNdvtrusoQF+6 2ife0nc08FkDSypt8Xe9TbpyTrBg2HNwUx7XvVJs88IfWiK8tg8L6Kl6 aPMxvE8gvS2a4tjlrir041fMXZU4Ib3SCtqXftSCGkC9ZZASu6um2a4h FIsri06hlzD7umgZadZbaPnia69GGYznfSkEQEhGCm16tIejfZYn14Nz 3Pc8oyZauhm4BpsyfnYnXRzVvBwUr2Etc89bJV5UYd5ErHJ0o2tfvO61 p+k+B3RnsunrbGM+jU05Nu8AjBMfJSv52WIbUp9JH9olwo1OVgyUf2UX 7tFgPg== ;; Query time: 148 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Mar 10 10:47:45 EDT 2015 ;; MSG SIZE rcvd: 355 >> Yes you can blindly send a bunch of parallel udp queries on every dot >> and hope the last one you need didn't take too long or drop. > > Or you can use TCP and send the whole lot in a single packet. Yes, that is what this draft recommends. Are you agreeing with me? Without the EDNS option, how does the server decide whether or not to say add the DS record for nohats.ca and the DS record for ca. ? Do you suggest the server decides this without signaling from the client? Should they above query have contained those DS records for every request for www.nohats.ca ? > In most cases the number of queries required is about the same number of > packets as a TCP initial window, so if your network can't cope with that > you are not going to have a happy time. Sending a number of queries, and then when finding out you are still lacking some information, sending out another number of queries, is not the same as sending 1 query and getting a dns answer packet back that in itself completely validates. This can be used by any application that does not want to rely on a DNSSEC validating server running on localhost that only knows about the DNSSEC rootkey, to obtain a fully validatable (and discardable) set of records for a particular query. This is very much a desired feature on cloud and container deployments where a container does not want to relay on the AD bit received outside the container/VM and where running 10000 containers shouldn't require running 10000 validating caching servers on a single piece of hardware. >> I'm happy to add a section of recommendations for adding common "related >> records" such as IPSECKEY, TLSA, SSHFP or what not. It does mention >> CNAME/DNAME and I'm happy to add an entry about SRV and MX. Would that >> address your concerns? > > Well, it would fix an omission. Should the draft list those RRTYPEs it should consider including? If so, should the draft list these in weighted order? Does this include _prefix locations? (eg like for TLSA) Which records do you think should be considered? > There is also the question of how the server should decide whether to > include the target validation chain or not, and if that depends on whether > the target is under the last known name or not. Is it entirely at the > server's discretion? The server should always have a say to reject a certain (malicious) chain. The server should also take into account the transport. It might not want to make an eastlake protected UDP packet too large, but can include a lot more when using TCP. If the chain has too many entries outside the path of last known name to qname, then it has no idea how much data to send, and performing a lot of work to build the query might not be worth it, especially if the client already has most of this information but couldn't know its question would trigger those in its answers. Should the draft include text on avoiding some of the potentially less useful type of chains? >>> It occurs to me that you could get a lot of edns-chain-query's bandwidth >>> saving with a simple "minimal responses please" query flag. >> >> This is not about bandwidth saving. > > But that is all it does. I fail to be convinced by your statements. Paul
- [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-q… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Tony Finch