IETF Logo Mail Archive

Re: [Gen-art] [DNSOP] Genart last call review of draft-ietf-dnsop-dns-tcp-requirements-12

Petr Špaček <pspacek@isc.org> Thu, 09 September 2021 14:09 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E2093A1349; Thu, 9 Sep 2021 07:09:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=C3VkL74T; dkim=pass (1024-bit key) header.d=isc.org header.b=jDS/p4Zs
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ZQixv2uPaUC; Thu, 9 Sep 2021 07:09:41 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D58593A1342; Thu, 9 Sep 2021 07:09:40 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 08E033AB029; Thu, 9 Sep 2021 14:09:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1631196580; bh=L3rFdTiUABp3fFqt/J2CEyRcYohPJa7vlguPLP/uqoE=; h=Date:To:Cc:References:From:Subject:In-Reply-To; b=C3VkL74TLLbKuoIlLtAbZXTn6ioLT7OYVwDhxH5y3lAcvkKhuLKBvG1gWIV4AZYdX TUqyG4piWRKl/t4el7fbIWJfYwnVRkhMD1tRlMCdv09Nhe/S/fZeYEyATxNUQFkXCc TNmWLvrXGw6ZCaQKF7sADhoffkjBy1TMHETcwTE8=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id EB381EC247D; Thu, 9 Sep 2021 14:09:39 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id C30F6EC247F; Thu, 9 Sep 2021 14:09:39 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org C30F6EC247F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1631196579; bh=J4pniEox8/w4li9JJPfZ1t5NKd6vW525fA2CtJT8/DY=; h=Message-ID:Date:MIME-Version:To:From; b=jDS/p4Zslj9ovxc744B2AAVr2xjt6XJRJv2PQhh8uctGq3FbjooIdMNRskp/3Qw5n eSmZncKvEgJnmnWCaNQCKEb+dC7GLUyBTQI+hhNfYgd3lG1HdjzjtqUJTxJgTZoaaB jDWMLzdK8nYcGRAx4nHFMzmANm4E2FsjODrwWFT4=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ePfWurdXx0Cn; Thu, 9 Sep 2021 14:09:39 +0000 (UTC)
Received: from [192.168.0.157] (ip-86-49-251-95.net.upcbroadband.cz [86.49.251.95]) by zimbrang.isc.org (Postfix) with ESMTPSA id 802EBEC247D; Thu, 9 Sep 2021 14:09:38 +0000 (UTC)
Message-ID: <4bfcc085-76ca-f178-3b08-ebb9c5777e90@isc.org>
Date: Thu, 09 Sep 2021 16:09:35 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.1.0
Content-Language: en-US
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>, Dan Romascanu <dromasca@gmail.com>
Cc: "last-call@ietf.org" <last-call@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org>
References: <163049116085.32386.13520930346743651891@ietfa.amsl.com> <8EE94D6B-24ED-47FA-A6D0-E79C71E1B154@verisign.com>
From: Petr Špaček <pspacek@isc.org>
In-Reply-To: <8EE94D6B-24ED-47FA-A6D0-E79C71E1B154@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/OHxfGNr_nP36el8UmxMRWO0z0to>
Subject: Re: [Gen-art] [DNSOP] Genart last call review of draft-ietf-dnsop-dns-tcp-requirements-12
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2021 14:09:46 -0000

On 07. 09. 21 18:46, Wessels, Duane wrote:
> Dan, thanks for the review.  Responses are inline.
> 
> 
> 
>> On Sep 1, 2021, at 3:12 AM, Dan Romascanu via Datatracker <noreply@ietf.org> wrote:
>>
>>
>> Minor issues:
>>
>> 1. In Section 4.1:
>>
>>> DNS clients MAY also enable TFO when possible.
>>
>> Maybe I do not fully understand the intent here, but 'MAY ... when possible'
>> sounds like a SHOULD to me.
> 
> 
> Originally this was "SHOULD ...  when possible" (meaning when
> implemented/supported) but after conversations with tcpm this was changed
> to MAY.  To avoid confusion with "when possible" I suggest we just drop
> it so it will just say "DNS clients MAY also enable TFO."
> 
> 
> 
>>
>> 2.In Section 4.2
>>
>>>   DNS server software SHOULD provide a configurable limit on the total
>>    number of established TCP connections.  If the limit is reached, the
>>    application is expected to either close existing (idle) connections
>>    or refuse new connections.  Operators SHOULD ensure the limit is
>>    configured appropriately for their particular situation.
>>
>>    DNS server software MAY provide a configurable limit on the number of
>>    established connections per source IP address or subnet.  This can be
>>    used to ensure that a single or small set of users cannot consume all
>>    TCP resources and deny service to other users.  Operators SHOULD
>>    ensure this limit is configured appropriately, based on their number
>>    of diversity of users.
>>
>> The lack of recommendations about how these limits should be set would leave
>> less experienced operators in the dark. There is not even a sentence like 'This
>> document does not offer advice on particular values for such a limit' as for
>> other parameters in the same section. From an operators point of view I would
>> prefer a recommendation or one or more examples of how these limits can be set
>> in real life cases.
> 
> Other reviewers called this out as well so I have added some recommended values.
> 
> For the limit on total number of connections: "Absent any other information,
> 150 is a reasonable value for this limit in most cases."

I think this "150" value is fine for plain/unencrypted DNS-over-TCP 
because UDP is still the main transport, but IMHO it is not applicable 
to recursives offering DNS-over-TLS.

Recursives with DoT should allow much more to avoid costly TCP 
handshakes and session resumption. It's perfectly possible to handle 
hundreds of thousands of DoT clients on one resolver (when configured 
appropriately, and yes, I did test this claim.)

Maybe this could use a clarification that 150 is good advice only if you 
_don't_ have any "TCP-only" clients, like e.g. DoT stubs?

Petr Špaček


> 
> For the limit on connections per source address: "Absent any other
> information, 25 is a reasonable value for this limit in most cases."
> 
> For the timeout on idle connections: "Absent any other information, 10
> seconds is a reasonable value for this timeout in most cases."
> 
> 
>>
>> Nits/editorial comments:
>>
>> 1. Sections in the document that are obviously for informational pursposes
>> should be clearly marked so (like 'This section is included for informational
>> purposes only'). For example Section 2.
> 
> Done.
> 
> 
>>
>> 2. In Section 3:
>>
>> Regarding the choice of limiting the resources a server devotes to
>>    queries, Section 6.1.3.2 in [RFC1123] also says:
>>
>>       "A name server MAY limit the resources it devotes to TCP queries,
>>       but it SHOULD NOT refuse to service a TCP query just because it
>>       would have succeeded with UDP."
>>
>>    This requirement is hereby updated: A name server MAY limit the
>>    resources it devotes to queries, but it MUST NOT refuse to service a
>>    query just because it would have succeeded with another transport
>>    protocol.
>>
>> Similar alignment of the old and new text is desirable. Even using the OLD /
>> NEW format.
> 
> Good point.  Section 3 now looks like this:
> 
>     Section 6.1.3.2 in [RFC1123] is updated: All DNS resolvers and
>     servers MUST support and service both UDP and TCP queries.
> 
>     o  Authoritative servers MUST support and service all TCP queries so
>        that they do not limit the size of responses to what fits in a
>        single UDP packet.
> 
>     o  Recursive servers (or forwarders) MUST support and service all TCP
>        queries so that they do not prevent large responses from a TCP-
>        capable server from reaching its TCP-capable clients.
> 
>     Furthermore, the requirement in Section 6.1.3.2 of [RFC1123] around
>     limiting the resources a server devotes to queries is hereby updated:
> 
>     OLD:
> 
>        A name server MAY limit the resources it devotes to TCP queries,
>        but it SHOULD NOT refuse to service a TCP query just because it
>        would have succeeded with UDP.
> 
>     NEW:
> 
>        A name server MAY limit the resources it devotes to queries, but
>        it MUST NOT refuse to service a query just because it would have
>        succeeded with another transport protocol.
> 
> 
> 
> FYI we are tracking this in github at https://github.com/jtkristoff/draft-ietf-dnsop-dns-tcp-requirements/pull/4/files if that is helpful.
> 
> DW

v2.23.0 | Report a Bug | By Email