Re: [Doh] [Ext] DNS Camel thoughts: TC and message size

bert hubert <> Thu, 07 June 2018 21:58 UTC

Date: Thu, 7 Jun 2018 23:58:51 +0200
From: bert hubert <>
To: Patrick McManus <>
Cc: Dave Lawrence <>, DoH WG <>

On Thu, Jun 07, 2018 at 11:39:16PM +0200, Patrick McManus wrote:
> > "Sort of".  Wire format itself does not have the limitation.  Its use
> > on certain transports does.  This distinction needs to keep being
> > made.
> tale has convinced me of this point.

In the interest of reaching consensus, can we park this discussion until
another message type is invented and standardised that is not a DNS message
in "wire format"?

Whenever we make life harder on the whole DNS implementation community, we
had better have a very good reason for that.

To put it bluntly, a significant part of the DNS implementation community
(ISC, NLNetLabs, CZNIC, PowerDNS) has voiced that the 2^16 byte limit is
here to stay for now, so I don't see a viable consensus for expanding DNS -
especially given the lack of concrete use cases.

Finally, I note that the DOH charter contains the following:

"The working group will coordinate with the DNSOP and INTAREA working groups
for input on DNS-over-HTTPS's impact on DNS operations and DNS semantics,

In particular, DNSOP will be consulted for guidance on the operational
impacts that result from traditional host behaviors (i.e., stub-resolver to
recursive-resolver interaction) being replaced with the specified mechanism.

Specification of how DNS-formatted data may be used for use cases beyond
normal DNS queries is out of scope for the working group."

It may be good to point out that 'normal DNS queries' have never involved
getting >64KB responses. We might also have to consult DNSOP about changing
DNS semantics, an activity they aren't stimulated to explore.

Finally, I do really understand how much fun it would be to liberate DNS
from its pedestrian 64KB shackles. It is an arbitrary limitation, and
perhaps one day we'd love to put gigantic post-quantum cryptographical keys
in DNS. But given the amount of developer cycles in DNS, please also
understand my (our) reticence in overhauling this ancient protocol.
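The format-versus-transport distinction argued in this thread, as an added illustration that is not part of the original message or of any of the named implementations: the wire-format header carries only section counts, so a message of any size can be assembled, but the 2-octet length prefix used on TCP (RFC 1035 section 4.2.2) caps what can be sent to 65535 bytes, and a classic 512-byte UDP responder signals overflow with TC. The zone name and TXT contents are constructed sample data.

```python
import struct

TCP_LENGTH_MAX = 0xFFFF   # 2-octet length prefix on TCP: this is where 2^16 comes from
FLAG_QR = 0x8000          # response
FLAG_TC = 0x0200          # TrunCation bit

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def txt_rr(owner, text, ttl=60):
    """One TXT resource record (TYPE=16, CLASS=IN) with a single character-string."""
    rdata = bytes([len(text)]) + text.encode()
    return encode_name(owner) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata

def build_response(msg_id, qname, answers, truncated=False):
    """Header + question + answer RRs. The header holds section counts only;
    nothing in the wire format itself states or bounds the total message length."""
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    return header + question + b"".join(answers)

def frame_for_tcp(message):
    """DNS over TCP sends a 2-octet big-endian length before each message; a message
    that does not fit in that field cannot be framed at all."""
    if len(message) > TCP_LENGTH_MAX:
        raise ValueError(f"{len(message)}-byte message exceeds the TCP length prefix")
    return struct.pack("!H", len(message)) + message

def udp_response(msg_id, qname, answers, max_payload=512):
    """Behave like a UDP responder without EDNS: if the full answer does not fit in
    max_payload, return header + question with TC set so the client retries over TCP."""
    full = build_response(msg_id, qname, answers)
    if len(full) <= max_payload:
        return full
    return build_response(msg_id, qname, [], truncated=True)

def tc_set(message):
    """True when the TC bit is set in the flags word (octets 2-3 of the header)."""
    return bool(struct.unpack("!H", message[2:4])[0] & FLAG_TC)

if __name__ == "__main__":
    qn = "example.test."                                  # constructed sample name
    rrs = [txt_rr(qn, "x" * 200) for _ in range(300)]     # 300 TXT records
    big = build_response(1, qn, rrs)                      # assembles fine: 67530 bytes
    print(len(big), tc_set(udp_response(1, qn, rrs)))     # 67530 True
    try:
        frame_for_tcp(big)
    except ValueError as e:
        print("TCP framing refused:", e)
```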