IETF Logo Mail Archive

[tsvwg] Re: [v6ops] Carrying large DNS packets over UDP in IPv6 networks

Suresh Krishnan <suresh.krishnan@gmail.com> Mon, 17 June 2024 10:09 UTC

Return-Path: <suresh.krishnan@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EDDDC14F6A5; Mon, 17 Jun 2024 03:09:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8yBxa1nlpiU6; Mon, 17 Jun 2024 03:09:58 -0700 (PDT)
Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7BF2C14E515; Mon, 17 Jun 2024 03:09:53 -0700 (PDT)
Received: by mail-pg1-x536.google.com with SMTP id 41be03b00d2f7-707040e3017so1004824a12.3; Mon, 17 Jun 2024 03:09:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1718618993; x=1719223793; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=jSYXyk47JJUtMcrCyDTU/iyv83ytZzeQVhpM/58PTVM=; b=DTvAHCNPKoSz/rfsMNJzKaKKclbY7j/67NZlyDBxcuHEuinG/w8SdoXZm8+IoFhJbO QsJapmjOqY0dUxaXgjQ7d03U+LRgJpneszuFB8WSunq6JkvgBAmWnJ6aMtJrySVKuVjF MIg5inCgG4TpGIhj5Hb3HLhnRZhbUzyfM54fP7i0/YB7d8THB33T5mET3SafFEkTlZFU Y+1uDIXHGwrBAc64vMojvfXXSUIhJ/eSBMGOnQESMgUeirwBr/NYkb8g+BLpcw/+QGDT j6YdsAmmMOgAU+JMy+iMuEQ4llb14AmnAla+ncadB/hT4LfllcDWh3sAr3gLYdMdbDgw CQ3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718618993; x=1719223793; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jSYXyk47JJUtMcrCyDTU/iyv83ytZzeQVhpM/58PTVM=; b=Vte7WT0Y8J/KTRsSBvZ+yvHdAyfFGO4eJeHkqttOgJ+IihbRqrYuh8ncrXlzCYr7S3 mUudZYLPkUhzIb6vbHvHmyUa7MVAD5uWpBiT4kQMy1nDwWMkK7igknvy2B/NEn4Jq8IK TjlB+r0gk9Svk/CdGT0XkVPbFylcq2Jv0jKwEFYhul8xo1xNBIcBjTn12dRT416lHkMU xuGvI4KdwgAxHdSo24xxnqfE9U9rHzO9PQU7q7UYWFKHPf+4ESObl2iIWEivrc20BaHc 6J/pQwmnWzQ2LDmTwuPlV4nsPqw7groLXU5Hv9br9Z8SXx6zNvPLZP7QyLCAROv+Ts2b hBlQ==
X-Forwarded-Encrypted: i=1; AJvYcCUiWmns7l07sq1DHyotBvEvN0pAyVU5M43x37WtSl+PK9ezRTO5/fFmBHQ/yOG/1EoW6x5OMWCQPFCElkkd+Q==
X-Gm-Message-State: AOJu0YxTPsHL6Zz1Sj7OmTJi6FKu5ykoYTwHMQ1UJDlZ3KbBI72KhtE0 8SKh41FYNWJrCA5eP5FQiLa1wTZfCwNCrHYu+ypm4guRjdMMTxEpdrQls8+f
X-Google-Smtp-Source: AGHT+IELphTd3mlEsg4qz9KkSAgt7VSr1vivEogbA/VZ9HcuaFJPADvuRnpwDZRJY33P5qAbPwQB+g==
X-Received: by 2002:a05:6a21:616:b0:1b8:d79:55f6 with SMTP id adf61e73a8af0-1bae7ece8damr9268667637.25.1718618992963; Mon, 17 Jun 2024 03:09:52 -0700 (PDT)
Received: from smtpclient.apple ([2401:4900:1cd1:edb7:5190:fda5:7812:6889]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-705ccb6b1b2sm7082090b3a.156.2024.06.17.03.09.51 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Jun 2024 03:09:52 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
From: Suresh Krishnan <suresh.krishnan@gmail.com>
In-Reply-To: <DU2PR02MB10160CCA998D5A86B9F11F2C388C22@DU2PR02MB10160.eurprd02.prod.outlook.com>
Date: Mon, 17 Jun 2024 06:09:40 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <D231A141-0422-458A-8513-F1C8B719D16C@gmail.com>
References: <E35DC12F-D1CE-4AE5-B155-612C639A348B@gmail.com> <DU2PR02MB10160CCA998D5A86B9F11F2C388C22@DU2PR02MB10160.eurprd02.prod.outlook.com>
To: mohamed.boucadair@orange.com
X-Mailer: Apple Mail (2.3731.700.6)
Message-ID-Hash: BX32UQPPE6AAHL5IFWUO6O6WSMKJCM5M
X-Message-ID-Hash: BX32UQPPE6AAHL5IFWUO6O6WSMKJCM5M
X-MailFrom: suresh.krishnan@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tsvwg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "v6ops@ietf.org" <v6ops@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [tsvwg] Re: [v6ops] Carrying large DNS packets over UDP in IPv6 networks
List-Id: Transport Area Working Group <tsvwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/Ww49ih6D4NWVl42CHuZIlpJeJdE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Owner: <mailto:tsvwg-owner@ietf.org>
List-Post: <mailto:tsvwg@ietf.org>
List-Subscribe: <mailto:tsvwg-join@ietf.org>
List-Unsubscribe: <mailto:tsvwg-leave@ietf.org>

Hi Med,

> On Jun 14, 2024, at 10:10 AM, mohamed.boucadair@orange.com wrote:
> 
> Hi Suresh, all,
> 
> (ccing tsvwg)
> 
> FWIW, large DNS packets was the main driver for the FRAG UDP option: https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-udp-options-32#section-11.4. 

Thanks for this pointer. I read the draft based on your message as well as Joe’s mail downthread. It is very interesting and I would love to learn more about the implementations on the client side and whether it would be a viable alternative in the near term.

> 
> On the reco in the draft, I'm not sure how this can be put into effect given that the client does not know whether the reply will be large or not when it reaches out a resolver.

As far as I know, there are two ways by which a client figures this out currently. When the TC bit is set in the response the client can switch to TCP/QUIC as recommended. Also based on the recommendations in the draft-ietf-dnsop-avoid-fragmentation draft, the client can use a timeout as a signal to switch to TCP or use a smaller EDNS UDP payload size to retry. Do you think any additional mechanisms are necessary?

> 
> Also, when you mention "DNS over QUIC" are you referring to DoQ per RFC 9250?

Yes. This is the intention as mentioned in Section 4.2 of the draft.


> If so, I'm afraid that there are many implications (e.g., authentication, compatibility with the presence of local forwarders). Also, if DoQ is recommended, why not DNS over TLS or DNS over HTTPS? You may refer to DNR/DDR (RFC9463/9462) for the discovery matters of whether local resolvers support DoQ, DoH, DoT, etc. + which authentication domain name to be used to authenticate a server.

I am sure these are all possible and we are totally open to discuss these options and fold them in if needed. When we wrote the -00 draft we were mainly focusing on the use of a more complete transport protocol than UDP to avoid IPv6 fragmentation. Hence the recommendation to use TCP or QUIC.

Thanks
Suresh

v2.35.0 | Report a Bug | By Email | System Status