Re: [Doh] special meta QTYPEs

Tony Finch <dot@dotat.at> Fri, 08 June 2018 13:38 UTC

Return-Path: <dot@dotat.at>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B93DA130EA7 for <doh@ietfa.amsl.com>; Fri, 8 Jun 2018 06:38:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aRlAbfVnWwBS for <doh@ietfa.amsl.com>; Fri, 8 Jun 2018 06:38:34 -0700 (PDT)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A39F5130EA6 for <doh@ietf.org>; Fri, 8 Jun 2018 06:38:34 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:39897) by ppsw-33.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.139]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1fRHb6-0005NI-gT (Exim 4.91) (return-path <dot@dotat.at>); Fri, 08 Jun 2018 14:38:32 +0100
Date: Fri, 8 Jun 2018 14:38:32 +0100
From: Tony Finch <dot@dotat.at>
To: Dave Lawrence <tale@dd.org>
cc: doh@ietf.org
In-Reply-To: <23321.25626.316926.975797@gro.dd.org>
Message-ID: <alpine.DEB.2.11.1806081429030.10764@grey.csi.cam.ac.uk>
References: <alpine.DEB.2.11.1806061519020.10764@grey.csi.cam.ac.uk> <23321.25626.316926.975797@gro.dd.org>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/nRS3D0b-m_tAHptkonFT0QdtT0c>
Subject: Re: [Doh] special meta QTYPEs
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jun 2018 13:38:37 -0000

Dave Lawrence <tale@dd.org>; wrote:
> Tony Finch writes:
> > I don't think it's possible to fit AXFR or IXFR into
> > DoH because their responses involve multiple DNS messages.
>
> Adding my comment about *XFR from a different thread to this thread
> too, for tracking.
>
> Strictly speaking, that's not fully accurate.  I have plenty of zones
> that fit in a single DNS/TCP message when sent over AXFR, and
> DNS/HTTPS would cover the rest quite easily if left in its current
> form.  Adding a restriction on message lengths would make this more
> complicated.

I was speaking in general terms, of course :-) An AXFR client has to be
prepared to handle multiple messages in a response, regardless of the size
of the zone, so a DoH proxy that tries to support AXFR cannot avoid
learning how to cope with multi-message answers from its upstream DNS
server. And it isn't always possible to de-fragment an AXFR response: e.g.
it will break any TSIG authentication.

And as Robert Edmonds pointed out, even if you lift the 64K byte message
size limit, there is still a limit of 64K records (the zone contents are
transferred using the answer section only), and I have plenty of zones
which are bigger than that :-)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>;  http://dotat.at/
North Hebrides: Easterly 4 or 5. Moderate. Fair. Good occasionally moderate.