Re: [v6ops] New draft at dnsop a bis for DNS IPv6 Transport Operational Guidelines

Geoff Huston <gih@apnic.net> Thu, 09 November 2023 16:50 UTC

From: Geoff Huston <gih@apnic.net>
To: Nick Buraglio <buraglio@forwardingplane.net>
CC: Momoka Yamamoto <momoka.my6@gmail.com>, list <v6ops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/5mdRI6f90OV35L1YUSWpCphipTQ>

The issue of the way that IPv6 handles fragmentation, the use of DNS over UDP and the use of DNSSEC which creates large responses conspire together to make the recommendation in this draft, namely that "Every authoritative DNS zone SHOULD be served by at least one IPv6-reachable authoritative name server" questionable.

In fact I would say that such a SHOULD is operationally highly unwise. In a 2020 measurement study (https://www.potaroo.net/ispcol/2020-07/dns6.html) we had the following result:

"In a measurement performed at the end of April 2020 we performed this experiment some 27M times and observed that in 11M cases the client's DNS systems did not receive a response. That's a failure rate of 41%. … How well does IPv6 support large DNS responses? Not well at all, with a failure rate of 41% of user experiments."

So trying to shift the DNS to use an IPv6 substrate is at best foolhardy at this point in time. I wish that folk would actually conduct careful measurements, look at behaviours and understand how the protocols interact with the network before proposing broad mandates that every server SHOULD use IPv6. We just look silly and irresponsible when we propose such actions when the measured reality says something completely different.


On 9 Nov 2023, at 3:04 pm, Nick Buraglio <buraglio@forwardingplane.net> wrote:

Thanks for writing this, I found it to be well written and clear. I agree and support this, "promoting" IPv6 to the same level as legacy IP is probably a bit overdue in some guidance documents, and this is an important one to address.
One off-the-cuff thought, take it or leave it:
It is briefly mentioned in the draft, but I would emphasize the transition technologies and the part they play in masking problems. This is becoming more and more exposed as we start stripping away IPv4 and exposing where those tools are hiding gaps in plain sight. This is not likely to change, especially as we get further down the transition path, but the more of those gaps we can fill with simple things like dual stacking a resolver the less technical debt we have to dig out of later. And, as we all probably know, when DNS is broken or slow, it looks like the network is broken or slow, which often leads to things like "IPv6 is breaking the network, turn it off" and we definitely do not want that.

Thanks,

nb




On Thu, Nov 9, 2023 at 7:28 AM Momoka Yamamoto <momoka.my6@gmail.com> wrote:
Hi,

I've submitted a draft to the dnsop wg
DNS IPv6 Transport Operational Guidelines
draft-momoka-dnsop-3901bis
https://datatracker.ietf.org/doc/draft-momoka-dnsop-3901bis/

It has been 20 years since this RFC was published and I think it is time for an update to have IPv6 to a SHOULD for DNS servers.

I will be presenting this draft tomorrow morning at dnsop wg so I would be very grateful if you could give me feedback on this draft.

Best,

Momoka
_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
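
The interaction raised in the first message of this thread (IPv6 fragmentation, DNS over UDP, and large DNSSEC responses) can be checked per response size. The following is an added example, not part of the thread or the draft; the function names are hypothetical, and the 1232-byte EDNS buffer size is an assumption derived from the 1280-byte IPv6 minimum MTU less the 40-byte IPv6 and 8-byte UDP headers.

```python
import struct

IPV6_MIN_MTU = 1280                      # minimum MTU every IPv6 link must support
IPV6_HDR, UDP_HDR, FRAG_HDR = 40, 8, 8   # header sizes in bytes

def build_query(qname, qtype=48, bufsize=1232, do=True, txid=0x1234):
    """Wire-format DNS query carrying an EDNS0 OPT record (qtype 48 = DNSKEY)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split(".") if l)
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL flags (DO = 0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer is two bytes
            return off + 2
        off += 1 + msg[off]
    return off + 1

def advertised_edns(msg):
    """Return (udp_payload_size, do_bit); (512, False) when no OPT record is present."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
    return 512, False

def ipv6_udp_plan(dns_len, bufsize, path_mtu=IPV6_MIN_MTU):
    """Classify how a dns_len-byte response travels over IPv6 UDP: (outcome, packets)."""
    if dns_len > bufsize:
        return ("truncate", 0)           # server sets TC=1; client retries over TCP
    if IPV6_HDR + UDP_HDR + dns_len <= path_mtu:
        return ("single-packet", 1)
    # Source fragmentation: every fragment carries a Fragment header, and all
    # fragments except the last carry a multiple of 8 payload bytes.
    per_frag = (path_mtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    return ("fragmented", -(-(UDP_HDR + dns_len) // per_frag))
```

A resolver advertising 4096 bytes invites the fragmented case for any response above 1232 bytes; advertising 1232 turns the same response into a truncation and a TCP retry.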