Re: Last Call: <draft-iab-2870bis-01.txt> (DNS Root Name Service Protocol and Deployment Requirements) to Best Current Practice
Mark Andrews <marka@isc.org> Sat, 24 May 2014 23:05 UTC
To: Paul Hoffman <paul.hoffman@vpnc.org>
From: Mark Andrews <marka@isc.org>
References: <20140520204238.21772.64347.idtracker@ietfa.amsl.com> <6.2.5.6.2.20140521194638.06eaf508@resistor.net> <1111FB79-012A-414B-B8CD-0BBDAE8BD6A8@hopcount.ca> <6.2.5.6.2.20140522095317.0c5fd648@elandnews.com> <5C02BCCA-79D7-40A5-BFB0-26284A667E78@vpnc.org>
Subject: Re: Last Call: <draft-iab-2870bis-01.txt> (DNS Root Name Service Protocol and Deployment Requirements) to Best Current Practice
In-reply-to: Your message of "Sat, 24 May 2014 11:38:13 -0700." <5C02BCCA-79D7-40A5-BFB0-26284A667E78@vpnc.org>
Date: Sun, 25 May 2014 09:05:36 +1000
Message-Id: <20140524230536.83E011686485@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/iYzWWuEBpnSUIc9PdA87jCp7Lys
Cc: IETF discussion list <ietf@ietf.org>
In message <5C02BCCA-79D7-40A5-BFB0-26284A667E78@vpnc.org>, Paul Hoffman writes:
> | The root name service:
> |
> | . . .
> |
> | MUST support IPv4[RFC0791] and IPv6[RFC2460] transport of DNS
> | queries and responses.
>
> This needs an addition: "Some servers in the root name service might not
> support IPv4, and some might not support IPv6." Without that, some people
> might think that each server must respond on both layer 3 technologies,
> but they do not.
>
> | MUST support UDP[RFC0768] and TCP[RFC0793] transport of DNS
> | queries and responses.
>
> This also needs an addition, but I am not sure what it should say. Must
> every server in the service respond correctly on TCP?

Yes.

> If so, what does
> "correctly" mean in the anycast world that most of them live in?

It means that they respond to TCP packets they see.

> | MUST generate checksums when sending UDP datagrams and MUST verify
> | checksums when receiving UDP datagrams containing a non-zero
> | checksum.
>
> If "MUST verify checksums" means that if the request has a broken
> checksum, the server should not reply, that needs to be explicit. If
> that's the intention, better wording would be:
>
>     MUST generate checksums when sending UDP datagrams.
>     MUST not respond to UDP datagrams containing a
>     non-zero checksum if that checksum does not verify.
>
> If that's not what was intended by "MUST verify checksums", this still
> needs clarification.
>
> | MUST answer queries from any entity conforming to [RFC1122] with a
> | valid IP address.
>
> Joe brought up this question, and it's important. Is this BCP preventing
> "the root name service" from rate-limiting during DoS attacks?
>
> | MAY also serve the root-servers.net zone, and the zone for the
> | .arpa top-level domain [ARPAZONE],[RFC3172].
>
> A "MAY" is not a requirement, and thus does not belong in this document.
> The service "may" do all sorts of things that are not listed here.
>
> --Paul Hoffman

I would also add

    MUST fragment IPv6 UDP at network MTU (1280).
    MUST NOT send IPv6 TCP segments bigger than network MTU.

Both of these rules are to avoid triggering PMTU discovery in IPv6.

    For IPv4 MUST NOT set DF.

With anycast servers the PTB response may go to the wrong instance.

The ORG servers are configured to not send IPv6 UDP EDNS responses
bigger than what will fit in a 1280 octet packet. This results in
lots of unnecessary TCP connections as the client needs to fall back
to TCP. The servers then send maximum sized TCP segments which don't
make it through tunnels and the PTB handling is marginal.

There is no need to avoid fragmenting UDP packets. If the client's
path doesn't let through fragmented packets they will adapt their
query or they will fix the path. All it does is penalise clients
which have working paths as they then need to fall back to TCP.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
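The two sending policies Mark contrasts above, modelled as an added example (not code from the thread or from any root or ORG server): a server that refuses to exceed what fits in one 1280-octet IPv6 packet and truncates, versus one that fragments at 1280. The function names, the `policy` strings and the sample sizes are assumptions made for illustration; the header sizes are the fixed IPv6, fragment-header, UDP and TCP header lengths.

```python
import math

IPV6_MIN_MTU = 1280   # minimum IPv6 link MTU; the cap proposed in the message
IPV6_HDR = 40
IPV6_FRAG_HDR = 8
UDP_HDR = 8
TCP_HDR = 20

# Largest UDP payload that fits one unfragmented 1280-octet IPv6 packet.
MAX_UNFRAGMENTED_UDP_PAYLOAD = IPV6_MIN_MTU - IPV6_HDR - UDP_HDR   # 1232
# Largest TCP segment that fits a 1280-octet IPv6 packet (no TCP options).
MAX_IPV6_TCP_SEGMENT = IPV6_MIN_MTU - IPV6_HDR - TCP_HDR           # 1220


def ipv6_fragments_needed(payload_len):
    """Number of 1280-octet IPv6 packets needed to carry a UDP payload of
    payload_len octets when the sender fragments at 1280 instead of relying
    on PMTU discovery. The fragmentable part is UDP header + payload; each
    fragment carries IPv6 header + fragment header + up to 1232 octets of it."""
    if payload_len <= MAX_UNFRAGMENTED_UDP_PAYLOAD:
        return 1
    per_fragment = IPV6_MIN_MTU - IPV6_HDR - IPV6_FRAG_HDR   # 1232, multiple of 8
    return math.ceil((UDP_HDR + payload_len) / per_fragment)


def plan_ipv6_udp_response(payload_len, client_bufsize, policy):
    """Decide how a server sends a DNS response of payload_len octets over IPv6 UDP.

    policy "truncate": never exceed 1232 octets; set TC so the client retries
                       over TCP (the behaviour described for the ORG servers).
    policy "fragment": send up to the client's EDNS buffer size, fragmenting
                       at 1280 (the rule proposed in the message).
    Returns the action, the packet count and whether a TCP retry follows."""
    if payload_len > client_bufsize:
        # Client advertised a smaller EDNS buffer: truncation is unavoidable.
        return {"action": "truncate", "fragments": 1, "tcp_fallback": True}
    if policy == "truncate":
        if payload_len > MAX_UNFRAGMENTED_UDP_PAYLOAD:
            return {"action": "truncate", "fragments": 1, "tcp_fallback": True}
        return {"action": "send", "fragments": 1, "tcp_fallback": False}
    if policy == "fragment":
        n = ipv6_fragments_needed(payload_len)
        return {"action": "send", "fragments": n, "tcp_fallback": False}
    raise ValueError("unknown policy: %r" % policy)
```

For the TCP leg that the truncating policy forces, `MAX_IPV6_TCP_SEGMENT` is the segment size a server would clamp to under the second proposed rule, so a tunnel with a 1280-octet MTU never has to return a PTB to an anycast address.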