Re: [v6ops] New draft at dnsop a bis for DNS IPv6 Transport Operational Guidelines

Geoff Huston <gih@apnic.net> Sat, 11 November 2023 04:41 UTC

From: Geoff Huston <gih@apnic.net>
To: Gert Doering <gert@space.net>
CC: Nick Buraglio <buraglio@forwardingplane.net>, list <v6ops@ietf.org>
Date: Sat, 11 Nov 2023 04:41:20 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/mFqiHpP0Ws4D3cKnFBHz1KtM804>


> On 11 Nov 2023, at 12:46 am, Gert Doering <gert@space.net> wrote:
> 
> Hi,
> 
> On Thu, Nov 09, 2023 at 04:50:11PM +0000, Geoff Huston wrote:
>> The issue of the way that IPv6 handles fragmentation, the use of DNS over UDP and the use of DNSSEC which creates large responses conspire together to make the recommendation in this draft, namely that "Every authoritative DNS zone SHOULD be served by at least one IPv6-reachable authoritative name server" questionable.
>> 
>> In fact I would say that such a SHOULD is operationally highly unwise.
> 
> So, you are saying that those networks that run dual-stack today 
> (including their DNS infrastructure) should turn off IPv6 again?
> 

No, that is not what I said. I said that a recommendation that all auth servers SHOULD be served by at least one IPv6-reachable authoritative name server is operationally unwise at this time. I did not say “turn off IPv6 if you are already running it”.

> I'd much rather prefer to fix the problems, as measured, and get rid
> of IPv4.


I can’t help but wonder, after thirty years of tolerating such problems, where the momentum to fix these issues might be. I see little evidence of such remediation activities in the periodic measurements of IPv6 resolution failure in IPv6.

> 
> But if you think that IPv6 should be turned off, globally, because it's
> beyond repair, maybe this should be stated clearly.  I might concur.

You appear to be reading a lot in the white spaces between the words in my note!
> 
> 
> Seriously: having ONE nameserver v6-reachable, as suggested, is not the
> same thing as "if this IPv6 thing is not working, DNS resolution will
> fail" - there's more than one nameserver, and DNS is good at failing 
> over.  Nameservers fail all the time.

Failure takes time. If a server is serving large responses over IPv6 it may take longer and may take some time to conclude that a response cannot reach the querier over IPv6. To recommend that this extended time SHOULD be the default seems to me to lack adequate operational motivation and lack some cohesion elsewhere in this space to shave off delay elements. TLS 1.3, QUIC, etc. If we are all for a slower DNS then let's be upfront with that desire! ( :-) )


> 
> OTOH, having sufficient authoritative name servers on v6 (and v4) gives
> a much broader platform measuring where it still fails, and possibly
> fixing the paths in between, or the software in use.

Failure takes time to resolve. See above.

Geoff