Re: [Doh] [Ext] DNS Camel thoughts: TC and message size

Ólafur Guðmundsson <olafur@cloudflare.com> Fri, 08 June 2018 20:31 UTC

Return-Path: <olafur@cloudflare.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CEE7131036 for <doh@ietfa.amsl.com>; Fri, 8 Jun 2018 13:31:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.031
X-Spam-Level:
X-Spam-Status: No, score=-1.031 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ChZilG2rSdYg for <doh@ietfa.amsl.com>; Fri, 8 Jun 2018 13:31:56 -0700 (PDT)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61E58131024 for <doh@ietf.org>; Fri, 8 Jun 2018 13:31:55 -0700 (PDT)
Received: by mail-wr0-x233.google.com with SMTP id w7-v6so14548058wrn.6 for <doh@ietf.org>; Fri, 08 Jun 2018 13:31:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=EPSw9mfIV0u8o0cRDclpNlffiLxtoDv2w2oQh3qoCBY=; b=kVigl+tyPEH5zhZ1sSpoO6AgpKT+/l5VAlisLOL3BmPXr7G2WWDF4+B6buYt2sbG5r QRP+Wyzm+tHu9BqSXDRnpHEQOqinx9iC+A4uTVabgTA9jpTVWnfMjWPgyur7ihNGSPdk 23yx0ZdbqDc48gogl6GYs2Q8sL0abt5/B+gLw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=EPSw9mfIV0u8o0cRDclpNlffiLxtoDv2w2oQh3qoCBY=; b=tKOtQ8awg7gGEhvyXQAYsnQCm0sQwda2jflgpPpIfdZ9615IBGJL1hRUuOo7AlMKrq vD7+jqMUNdlDBHB+A+CZDaJqUyFsZ2A6Yctm63njUcXvbkUfFSza3kClBvxT8z/tiPxI o+YPHkHVJh+V+ealE6RHc148cPlaWKmZxRAnhcmZjk/T5WXUNNpEuQjUP6wokQgFxYkl EpDP1tScyScrFniWQvfblpASQD/5yRwSWjxMZvY5XIIB0KTVVSt1VHIwBXLHo6aEVXis MaJblKqaP8NABtPUMHL6d9AOsHKRHaEZuhrY4LMK9mK0t3NxPnF6RsSfjP7/JyCvkDVm TGmQ==
X-Gm-Message-State: APt69E1N8CpqM8HOsKtCRb/H68BUulqXAM+VThzSOQtv9bjFAz4KfgyG ozpNtM653JzJS4I3SOF8eL4OUFfXB1RWoWWG80Zkwgw5
X-Google-Smtp-Source: ADUXVKKIgiRfAHh18oZtoDPN3Sud2xwo+H2yM68zI3mY3/ZCB9RKwVuCTQOypslNM+C65KYVEXFxOXd3yhEZkGrzyxo=
X-Received: by 2002:adf:a645:: with SMTP id k63-v6mr6511283wrc.231.1528489913741; Fri, 08 Jun 2018 13:31:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:adf:af56:0:0:0:0:0 with HTTP; Fri, 8 Jun 2018 13:31:53 -0700 (PDT)
In-Reply-To: <9381B529-B2F4-459A-88EB-4410A4C4DB6F@mnot.net>
References: <20180606093212.GA23880@server.ds9a.nl> <alpine.DEB.2.11.1806061501340.10764@grey.csi.cam.ac.uk> <F5774061-35B9-477F-ADDA-8BB3472F30EF@icann.org> <CAOdDvNq9g3ghbg9fkfhP+ZA4-6E5oDNFCGo6NN9bydqUX76cLA@mail.gmail.com> <20180607093647.GB32326@server.ds9a.nl> <CAOdDvNriZDjU9yqUQjqN4fO84ENPWO3si-QePiKRgt+7VJVK0g@mail.gmail.com> <23321.27027.73356.94056@gro.dd.org> <CAOdDvNr=kLHPCtCHRx4=rpA1oDogQqdAJ0nR156BWABiFP_bzA@mail.gmail.com> <20180607215851.GA32738@server.ds9a.nl> <CAOdDvNqNpZ8fKPCO5sEqjROBHjg4wx-GGPMYSSynode10jeC0Q@mail.gmail.com> <9381B529-B2F4-459A-88EB-4410A4C4DB6F@mnot.net>
From: =?UTF-8?B?w5NsYWZ1ciBHdcOwbXVuZHNzb24=?= <olafur@cloudflare.com>
Date: Fri, 8 Jun 2018 13:31:53 -0700
Message-ID: <CAN6NTqxA4PcrtS_3umwGERLt9WPoX4p0a0u8pL-O2=CKKTBfyA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Patrick McManus <pmcmanus@mozilla.com>, DoH WG <doh@ietf.org>, bert hubert <bert.hubert@powerdns.com>, Dave Lawrence <tale@dd.org>
Content-Type: multipart/alternative; boundary="0000000000005a04fe056e274a99"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/sHZAq1mHjffwpdmyS5BID15sjoY>
Subject: Re: [Doh] [Ext] DNS Camel thoughts: TC and message size
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jun 2018 20:32:00 -0000

On Fri, Jun 8, 2018 at 5:46 AM, Mark Nottingham <mnot@mnot.net>; wrote:

> AFAICT there are two of situations that might be relevant here:
>
> 1. A DOH request is gatewayed to "normal" DNS
> 2. A DOH response is gatewayed to "normal" DNS
>
> Could the folks who are concerned about this explain if there are any
> others (with detail)?

Actually I think what DNS people are concerned about is
 Query over DNS ==> DoH ==> Auth server generates big answer ==> Doh Reply
=> Answer over DNS  fails due to size limit.
so the fundamental problem is when different transports have different size
"limitations"
In my mind 64K is fine size and if any entity is STUPID enough to give out
888K answer on DNS port they will learn quickly.

The issue with encoding formats is that 1K DNS wire format is not 1K Jason
or 1K compressed Jason (not saying which one is going to be the biggest)
So if there is any rule needed it that answer should fit in 64K DNS
wireformat with Name compression enabled.
===> from this my assertion is that any given transport format can have its
own limit that reflects the "compactness" of the encoding and compression
but a general rule is not possible
The guiding light is "do not be stupid" but that does not work in practice
.......

so we are stuck with artificial limits.

>


> For #1, the DOH gateway should know the limitations of the protocol it's
> gatewaying (in this case, DNS over UDP), and can generate a 413 or 414
> status code as appropriate (see <https://httpwg.org/specs/
> rfc7231.html#status.413>). That's the correct way to express "that
> request is too big" in HTTP. Some non-normative advice in the spec about
> DOH servers generating appropriate status codes and clients understanding
> them might help here.
>
+1


>
> For #2, it seems like people are claiming that a client library is going
> to implement DOH but *not* update itself to take arbitrary-sized responses.
> Is anyone actually saying that's their implementation strategy, or is this
> just "what if"-ism?
>

+1


>
> If it's necessary to support those clients, it would be easy enough to
> define a preference <https://tools.ietf.org/html/rfc7240> that allows
> them to say "please give me small* responses", and require DOH servers to
> honour that preference.
>
> +1

Olafur

Cheers,
>
> * Where "small" is defined as "able to be expressed in less than N bytes
> in the UDP wire format" or similar. Limiting *all* DOH messages using
> Content-Length is not what we want to do here.
>
>
> > On 8 Jun 2018, at 11:34 am, Patrick McManus <pmcmanus@mozilla.com>;
> wrote:
> >
> > I'm not on board with limiting a 2018 protocol to 64KB variants because
> some parser of some some format might have a bug. At the very least we need
> to be more specific so we can assess the scope of the interoperability
> issue. DoH opens up new things - that's a good property. Not everything
> will be gatewayed back and forth into wireformat, and the wireformat isn't
> inherently limited to 16bit either. AXFR is an especially interesting case
> for DoH because it supports multiplexing and priority between streams, it
> might actually be the best way to carry it.
> >
> > as for other formats they are coming. Paul has an informational draft
> that has been sent to the IESG: https://datatracker.ietf.org/
> doc/draft-hoffman-dns-in-json/ and I've heard rumors of others in the
> works - even from the dns community :)
> >
> > If there is a known problem with gatewaying between formats, that's
> worth some non normative text to mention - but the notion that 64KB is
> enough for anybody is one I want to push back on. Even for that I would
> appreciate a citation of where the problem lays - there isn't agreement
> that wireformat actually has such a limit (though its existing transports
> do and maybe that's what should be noted), and no particular implementation
> choices, much less widely deployed and hard to upgrade implementations,
> have been cited (again - I'm not saying they don't exist.).
> >
> > -Patrick
> >
> > On Thu, Jun 7, 2018 at 11:58 PM, bert hubert <bert.hubert@powerdns.com>;
> wrote:
> > On Thu, Jun 07, 2018 at 11:39:16PM +0200, Patrick McManus wrote:
> > > > "Sort of".  Wire format itself does not have the limitation.  Its use
> > > > on certain transports does.  This distinction needs to keep being
> > > > made.
> > > tale has convinced me of this point.
> >
> > In the interest of reaching consensus, can we park this discussion until
> > another message type is invented and standardised that is not a DNS
> message
> > in "wire format"?
> >
> > Whenever we make life harder on the whole DNS implementation community,
> we
> > had better have a very good reason for that.
> >
> > To put it bluntly, a significant part of the DNS implementation community
> > (ISC, NLNetLabs, CZNIC, PowerDNS) has voiced that the 2^16 byte limit is
> > here to stay for now, so I don't see a viable consensus for expanding
> DNS -
> > especially given the lack of concrete usecases.
> >
> > Finally, I note that the DOH charter contains the following:
> >
> > "The working group will coordinate with the DNSOP and INTAREA working
> groups
> > for input on DNS-over-HTTPS's impact on DNS operations and DNS semantics,
> > respectvely.
> >
> > In particular, DNSOP will be consulted for guidance on the operational
> > impacts that result from traditional host behaviors (i.e., stub-resolver
> to
> > recursive-resolver interaction) being replaced with the specified
> mechanism..
> >
> > Specification of how DNS-formatted data may be used for use cases beyond
> > normal DNS queries is out of scope for the working group."
> >
> > It may be good to point out that 'normal DNS queries' have never involved
> > getting >64KB responses. We might also have to consult DNSOP about
> changing
> > DNS semantics, an activity they aren't stimulated to explore.
> >
> > Finally, I do really understand how much fun it would be to liberate DNS
> > from its pedestrian 64KB shackles. It is an arbitrary limitation, and
> > perhaps one day we'd love to put gigantic post-quantum cryptographical
> keys
> > in DNS. But given the amount of developer cycles in DNS, please also
> > understand my (our) reticence in overhauling this ancient protocol.
> >
> >         Bert
> >
> > _______________________________________________
> > Doh mailing list
> > Doh@ietf.org
> > https://www.ietf.org/mailman/listinfo/doh
>
> --
> Mark Nottingham   https://www.mnot.net/
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>



-- 
Ólafur Gudmundsson | Engineering Director
www.cloudflare.com blog.cloudflare.com