Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)
Dave Lawrence <tale@dd.org> Wed, 13 June 2018 04:10 UTC
Return-Path: <tale@dd.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED9A0130DD8 for <doh@ietfa.amsl.com>; Tue, 12 Jun 2018 21:10:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7w-QFg1GpRA8 for <doh@ietfa.amsl.com>; Tue, 12 Jun 2018 21:10:38 -0700 (PDT)
Received: from gro.dd.org (gro.dd.org [207.136.192.136]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B387130DD0 for <doh@ietf.org>; Tue, 12 Jun 2018 21:10:38 -0700 (PDT)
Received: by gro.dd.org (Postfix, from userid 102) id 0CB0B2F692; Wed, 13 Jun 2018 00:10:35 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23328.39227.27444.258030@gro.dd.org>
Date: Wed, 13 Jun 2018 00:10:35 -0400
From: Dave Lawrence <tale@dd.org>
To: "doh@ietf.org" <doh@ietf.org>
In-Reply-To: <1E183D79-5716-47E5-8604-A4F5DC7588C2@icann.org>
References: <20180606093212.GA23880@server.ds9a.nl> <20180608170744.GY11227@mx4.yitter.info> <03DC5A73-4BAD-45FE-AC60-C8BC82FD5690@mnot.net> <23326.43186.501116.977750@gro.dd.org> <20180611202130.GA26355@server.ds9a.nl> <23326.61211.72657.945633@gro.dd.org> <1E183D79-5716-47E5-8604-A4F5DC7588C2@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/LFWpHDRS0fcxTO53seelr3j2Ids>
Subject: Re: [Doh] [Ext] Are we missing an architecture? (was Re: DNS Camel thoughts: TC and message size)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2018 04:10:43 -0000
Paul Hoffman writes: > On Jun 11, 2018, at 2:52 PM, Dave Lawrence <tale@dd.org> wrote: > > If there were even one solid example of how this impacts the rest of > > the DNS, I'd certainly be willing to reconsider my position. > > Great! Let me try again. > > The DNS message format is defined specifically for two > transports. Looking at the format without looking at the transports, > one can imagine a message that cannot be carried in either > format. However, the original specifications and all the ones since > have always treated the message format as being handled in one of > the two transports. > > When we define a new transport that allows messages different than > the ones we have always assumed, gatewaying those different messages > will be different than gatewaying between the two current transports > and thus have an impact on the rest of the DNS. We appear to be two technical geeks separated by a common language. I'm not sure where either my phrasing has gone wrong or I have not understood yours. In either case I apologize for my failing. What I am looking for is a concrete example of how any pre-DoH clients or servers are is going to have any sort of problem if a DoH DNS wire format message exceeds 64k -- a specific mechanism for specific old software that will react badly to an unexpectedly large message being fed to it, where it hasn't gotten there as a result of new code that could easily prevent it. This is the sort of concern that we've had to worry about in the past with the DNS and for which we did have concrete answers about implementations that would have issues with a non-zero ADCOUNT in a request or the semantics of a KEY RR changing or using compressible names in rdata of new types or so on. All of those things impacted messages that existing servers would see. As far as I can tell there is no way that the pre-DoH DNS/UDP and DNS/TCP world can even be aware of the existence of DoH and its potentially 64k+1 messages because nothing at all is being changed for the messages that the existing code sends and receives. You could spin up a BIND 4 instance in a world of unlimited-DoH and it would still work just as it always did. The generalized gateway examples you give don't challenge this. The DNS/UDP an DNS/TCP network are still not impacted; they weren't able to carry messages greater than 64k before, and they still won't after. No change to their inputs, their outputs, or their behaviour. I believe that makes not imposing a 64k limit on DNS fall within the bounds of the charter. In fact, I could make a case that it goes right to the first paragraph: This working group will standardize encodings for DNS queries and responses that are suitable for use in HTTPS. This will enable the domain name system to function over certain paths where existing DNS methods (UDP, TLS [RFC 7857], and DTLS [RFC 8094]) experience problems. ... in addressing cases where existing methods experience problems. I'm not going to get too hung up on rules-lawyering that argument though, it's a sideshow. Per our out-of-band conversation, I will later this week (new $dayjob intrudes) be offering text for the proposal I made in another message about using two mandatory-to-implement media types right out of the gate, differing only in that one has a Content-Length limit. Implementers can then choose to make it plainly explicit that they are sticking to legacy TCP limits.
- Re: [Doh] Are we missing an architecture? (was Re… Patrick McManus
- Re: [Doh] [Ext] Are we missing an architecture? (… Paul Hoffman
- Re: [Doh] [Ext] Are we missing an architecture? (… Mukund Sivaraman
- Re: [Doh] [Ext] Are we missing an architecture? (… Puneet Sood
- Re: [Doh] [Ext] Are we missing an architecture? (… Paul Hoffman
- Re: [Doh] [Ext] Are we missing an architecture? (… Ted Lemon
- Re: [Doh] [Ext] Are we missing an architecture? (… Ted Lemon
- Re: [Doh] [Ext] Are we missing an architecture? (… Paul Hoffman
- Re: [Doh] [Ext] Are we missing an architecture? (… Ted Lemon
- Re: [Doh] [Ext] Are we missing an architecture? (… Paul Hoffman
- Re: [Doh] [Ext] Are we missing an architecture? (… Mateusz Jończyk
- Re: [Doh] [Ext] Are we missing an architecture? (… Paul Hoffman
- Re: [Doh] [Ext] Are we missing an architecture? (… Sara Dickinson
- Re: [Doh] [Ext] Are we missing an architecture? (… Daniel Stenberg
- Re: [Doh] [Ext] Are we missing an architecture? (… Sara Dickinson
- Re: [Doh] [Ext] Are we missing an architecture? (… Daniel Stenberg
- Re: [Doh] [Ext] Are we missing an architecture? (… Mukund Sivaraman
- Re: [Doh] [Ext] Are we missing an architecture? (… Mukund Sivaraman
- Re: [Doh] [Ext] Are we missing an architecture? (… Ray Bellis
- Re: [Doh] [Ext] Are we missing an architecture? (… Patrick McManus
- Re: [Doh] [Ext] Are we missing an architecture? (… Mukund Sivaraman
- Re: [Doh] [Ext] Are we missing an architecture? (… Ben Schwartz
- Re: [Doh] [Ext] Are we missing an architecture? (… Mukund Sivaraman
- Re: [Doh] [Ext] Are we missing an architecture? (… Mukund Sivaraman
- Re: [Doh] [Ext] Are we missing an architecture? (… Ben Schwartz
- Re: [Doh] [Ext] Are we missing an architecture? (… Petr Špaček
- Re: [Doh] [Ext] Are we missing an architecture? (… Ray Bellis
- Re: [Doh] [Ext] Are we missing an architecture? (… bert hubert
- Re: [Doh] [Ext] Are we missing an architecture? (… Ray Bellis
- Re: [Doh] [Ext] Are we missing an architecture? (… Dave Lawrence
- Re: [Doh] [Ext] Are we missing an architecture? (… Dave Lawrence
- Re: [Doh] [Ext] Are we missing an architecture? (… Paul Hoffman
- Re: [Doh] [Ext] Are we missing an architecture? (… Tom Pusateri
- [Doh] DNS Camel thoughts: TC and message size bert hubert
- Re: [Doh] DNS Camel thoughts: TC and message size Petr Špaček
- Re: [Doh] DNS Camel thoughts: TC and message size Tony Finch
- Re: [Doh] DNS Camel thoughts: TC and message size Hewitt, Rory
- Re: [Doh] DNS Camel thoughts: TC and message size Benno Overeinder
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Andrew Sullivan
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Andrew Sullivan
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… George Michaelson
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Paul Hoffman
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Patrick McManus
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Tony Finch
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… bert hubert
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Paul Hoffman
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Martin J. Dürst
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Patrick McManus
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Paul Hoffman
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Tony Finch
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Patrick McManus
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Ray Bellis
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Ray Bellis
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… bert hubert
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Andrew Sullivan
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Robert Edmonds
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Mateusz Jończyk
- [Doh] AXFR as several messages Re: [Ext] DNS Came… bert hubert
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… John Dickinson
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Ray Bellis
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Mukund Sivaraman
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Mukund Sivaraman
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Patrick McManus
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Tony Finch
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Martin Thomson
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Mark Nottingham
- [Doh] DNS Camel thoughts: TC and message size Patrick McManus
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Ólafur Guðmundsson
- [Doh] Are we missing an architecture? (was Re: DN… Andrew Sullivan
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Andrew Sullivan
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… bert hubert
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Patrick McManus
- Re: [Doh] Are we missing an architecture? (was Re… Mark Nottingham
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Mukund Sivaraman
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] Are we missing an architecture? (was Re… Andrew Sullivan
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Andrew Sullivan
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Patrick McManus
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Andrew Sullivan
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Patrick McManus
- Re: [Doh] [Ext] DNS Camel thoughts: TC and messag… Dave Lawrence
- Re: [Doh] Are we missing an architecture? (was Re… Dave Lawrence
- Re: [Doh] Are we missing an architecture? (was Re… bert hubert
- Re: [Doh] Are we missing an architecture? (was Re… Dave Lawrence
- Re: [Doh] [Ext] Are we missing an architecture? (… Ray Bellis