Re: [Doh] [Ext] DNS Camel thoughts: TC and message size

Mukund Sivaraman <> Sat, 09 June 2018 08:19 UTC

Date: Sat, 9 Jun 2018 13:48:52 +0530
From: Mukund Sivaraman <>
To: Dave Lawrence <>
Cc: Ólafur Guðmundsson <>, Mark Nottingham <>, DoH WG <>, Patrick McManus <>, bert hubert <>
Message-ID: <20180609081852.GA21347@jurassic>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.9.2 (2017-12-15)

On Fri, Jun 08, 2018 at 05:31:24PM -0400, Dave Lawrence wrote:
> Any software that is taking a DoH answer from an HTTPS channel is
> brand new software, not some legacy problem that we have to worry
> about.  If it imposes size limits before passing it on to whatever
> legacy code it wants to pass it on to, so be it.  The new software
> shouldn't be just blindly passing whatever data it gets into some
> legacy parser anyway, especially if the draft comes with an
> admonishment to be wary of that very thing.

Dave, I don't understand all the ways DoH will be used yet.

I have concerns about use of messages that come via this transport into
traditional DNS software [let's not call it legacy yet ;)].

There are current implementations that will parse a single message as a
"whole" in memory (i.e., not as a stream, in parts). With a 64k message
limit, there is an upper limit on derived objects from a single message.
Such code will have to be reviewed and rewritten when messages are
several megabytes or even gigabytes in size (such as a whole AXFR).

I understand that the >64kB message sizes need not apply to traditional
DNS software, but if we're retrofitting support for DoH into such
products, programmers are going to try to re-use a lot of the existing
code. This code is written with assumptions for traditional DNS, and it
may be very hard to do this based on the design.

On retrofitting, I'll give you an example - take pipelining (and out of
order processing) of queries over TCP. It is a *simple* concept to
describe, requiring not more than a page of text.  But if you wanted to
fit it into existing designs of resolvers (their client-side to auth
code) and authoritative servers, it takes a large amount of effort due
to the design. E.g., I know of a popular resolver that even now doesn't
implement pipelining completely.

Sometimes the benefits outweigh the effort, but as you say for the
opposing opinion, we should not hand wave it in as the effort has a

A DoH intermediate may not be able to split up a single large message
into multiple pieces, esp. when things like TSIG are involved, e.g., for
a large single AXFR message. It may also not be able to combine several
small ones into a large message. Do you envision such a large-message
AXFR to travel exclusively over DoH?

I'm all for a new protocol if the goal is to not worry about backwards
compatibility and work on something for the current age. Is this the
goal? If so, why even bother with the suboptimal DNS message format?
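
Added illustration (editor's example, not code from this message, from the DoH draft, or from any of the DNS implementations referred to above): a small wire-format builder and whole-message parser in the traditional style, showing where the 64 KiB limit actually lives. The 2-octet length prefix of DNS over TCP (RFC 1035, section 4.2.2) cannot carry a larger message, an HTTP body has no such ceiling, so new DoH code has to impose the cap itself before handing the bytes to a parser that assumes it; the classic alternative for a message that does not fit is to drop RRs and set TC. The query name, addresses and record count are constructed for the example.

```python
"""Added example (not from the thread): why a DNS message size cap
matters when a DoH body is fed into code written for UDP/TCP DNS."""
import struct

MAX_TCP_MESSAGE = 65535          # 2-octet length prefix, RFC 1035 section 4.2.2
FLAG_QR = 0x8000
FLAG_TC = 0x0200


def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, addrs, tc=False):
    """Constructed response: one A question, one A RR per address.
    Each answer owner name is a compression pointer to the question name
    at offset 12, so every RR is a fixed 16 octets."""
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    hdr = struct.pack(">HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes(map(int, a.split(".")))
        for a in addrs)
    return hdr + question + answers


def tcp_frame(msg):
    """Legacy transport framing: anything a 16-bit length cannot describe is unsendable."""
    if len(msg) > MAX_TCP_MESSAGE:
        raise ValueError("message of %d octets does not fit TCP framing" % len(msg))
    return struct.pack(">H", len(msg)) + msg


def read_name(msg, off):
    """Decompress a name at `off`; returns (name, offset just past it in the outer run)."""
    labels, end, hops = [], None, 0
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:                     # 14-bit compression pointer
            if end is None:
                end = off + 2
            off = ((l & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression loop")
            continue
        off += 1
        if l == 0:
            break
        labels.append(msg[off:off + l].decode("ascii"))
        off += l
    return ".".join(labels) + ".", end if end is not None else off


def parse_message(msg):
    """Whole-message parser in the traditional style: the entire buffer sits in
    memory and every RR becomes an object. Nothing here caps the size; the
    transport framing used to do that for it."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            addrs.append(".".join(str(b) for b in msg[off:off + rdlen]))
        off += rdlen
    return {"tc": bool(flags & FLAG_TC), "ancount": an, "addrs": addrs, "size": len(msg)}


def doh_ingest(body, max_size=MAX_TCP_MESSAGE):
    """The boundary new DoH software owns: refuse an oversized HTTP body
    *before* the legacy parser ever sees it."""
    if len(body) > max_size:
        raise ValueError("DoH body of %d octets exceeds limit %d" % (len(body), max_size))
    return parse_message(body)


def truncate_to(qname, addrs, limit):
    """Classic TC handling for a response that does not fit `limit` octets:
    keep as many whole RRs as fit and set TC=1 if any were dropped."""
    base = len(build_response(qname, []))
    fit = max(0, (limit - base) // 16)
    return build_response(qname, addrs[:fit], tc=fit < len(addrs))
```

Run with a 5000-record answer (80029 octets) and the three paths diverge: `parse_message` accepts it happily, `tcp_frame` cannot frame it at all, and `doh_ingest` rejects it at the edge; `truncate_to` with a 512-octet limit yields a 509-octet reply carrying 30 RRs with TC set, which is what a UDP client would have been given.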