Re: [Doh] [Ext] DNS Camel thoughts: TC and message size

bert hubert <> Fri, 08 June 2018 21:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1F225130DC2 for <>; Fri, 8 Jun 2018 14:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.652
X-Spam-Status: No, score=-1.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DKi0HVLWbcuO for <>; Fri, 8 Jun 2018 14:58:45 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 776CE130DC1 for <>; Fri, 8 Jun 2018 14:58:44 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTPS id 5B9719FB55; Fri, 8 Jun 2018 21:58:41 +0000 (UTC)
Received: by (Postfix, from userid 1000) id CB321AC102C; Fri, 8 Jun 2018 23:58:41 +0200 (CEST)
Date: Fri, 8 Jun 2018 23:58:41 +0200
From: bert hubert <>
To: Dave Lawrence <>
Cc: =?iso-8859-1?Q?=D3lafur_Gu=F0mundsson?= <>, Mark Nottingham <>, DoH WG <>, Patrick McManus <>
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <>
Subject: Re: [Doh] [Ext] DNS Camel thoughts: TC and message size
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Jun 2018 21:58:48 -0000

On Fri, Jun 08, 2018 at 05:31:24PM -0400, Dave Lawrence wrote:
> Ólafur Guðmundsson writes:
> > Actually I think what DNS people are concerned about is:
> >  Query over DNS ==> DoH ==> Auth server generates big answer ==> Doh
> >  Reply => Answer over DNS fails due to size limit.
> I'm a DNS person and I don't have a concern about this.  The software

First, we should be clear no one has identified a usecase for "megabyte size
DNS messages" that can't be solved today already.  So the question is, for
no identified upside, what is the downside?

The downside is that if we do this, "large DNS messages" are a thing.  They
can happen over DOH transport.  Please realize nothing in the draft says
anything about this being restricted to resolvers.  Authoritative Servers
can start talking DOH, and they well might.  Resolvers can then speak it to
them. DNS has fundamentally changed.

And legally, auths can emit these 32 bit sized DNS messages now, so we'll
have to be able to store them in resolvers, and also serve them up when

Next up, someone writes a testsuite for this and complains to all resolvers
and authoritative servers that they are not compliant.  Anyone implementing
a DOH-proxy (which seems to be common) is now also stymied since resolvers
can't communicate 32 bit sized DNS messages over any transport they do

Whenever someone creates a new DNS feature, it turns into a requirement. And
it starts showing up in RFPs and mandatory feature lists. And we all have to
do it, or spend valuable time arguing with users and customers why they
don't actually need this. 

So with one sentence in a draft about a new transport format, for a feature
no one has yet found a usecase for, all DNS implementations will eventually
have to change or spend time arguing with their users.

Next up, we will have standards action work to determine the semantics of TC
on TCP/IP, because this will start to happen once authoritative servers
emit megabyte sized answers. This requires another new RFC and all resolvers
and stubs will have to learn how to deal with this. We may also have to
write a 32-bit TCP protocol perhaps so we at least have a lightweight way of
sharing large DNS answers.

Dave, you mention you aren't worried over this change. I assume this means a
strong commitment to implementing the changes in your software and working
on the drafts that specify the TC behaviour on TCP? 

Finally, I want to echo the remarks of Andrew that if we are going to change
30 years of DNS, it is a big thing.  And it should not come out of a privacy
enhancing transport format that is being rushed into service.

And frankly, for the people that do want to see a DOH RFC in 2018, I would
strongly suggest sticking to being a transport format that does not change
the rest of DNS.  Because I expect we'll be working on this well into 2019
if this WG wants to overhaul DNS as part of DOH.