'Re: [dnsext] EDNS0 fallback "revisited"'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       namedroppers
Subject:    Re: [dnsext] EDNS0 fallback "revisited"
From:       Eric Osterweil <eoster () CS ! UCLA ! EDU>
Date:       2009-08-31 21:05:10
Message-ID: 7CD8A493-FCFA-4135-91AC-BC1800BDDF3F () CS ! UCLA ! EDU
[Download RAW message or body]


Sorry for the Johnny-come-lately response:

On Aug 25, 2009, at 11:44 AM, Olafur Gudmundsson/DNSEXT chair wrote:

>
> Dear colleagues,
>
> After reading all the messages on EDNS0 buffer sizes and fallback
> your chairs have huddled and tried to agree on an approach to go  
> forward
> and what/if protocol work is needed.
>
> For the sake of argument we want to limit the discussion to
>       "ENDS0 capable entities"
> and their behavior.  The goal is to minimize fallback.
> By decreasing fallback cases we speed up DNS resolution for everyone.
>
> We think that the current evidence suggests three main problems:
>   - inability or refusal to handle UDP packets larger than 600 bytes.
>   - inability or refusal to handle UDP fragments.
>   - failure to set the advertised EDNS0 buffer sizes correctly given
>     the actual network conditions
>
> Model:
> A is the issuer of a DNS query
> B is the target server of the query
>
>       A <---pipe1---> INTERNET <----pipe2----> B
>
> If A advertises a ENDS0 buffer size that is larger than will go  
> through
> "pipe1" then B may send back an answer that is larger than fits  
> through the
> pipe. Then A will time-out and do a fallback.
>
> If B attempts to put an answer into "pipe2" that is larger than fits  
> into
> it A will not get an answer and will do a fallback.
>
> If both A and B know the "width" of their LOCAL pipes fallback
> between them is rare and if B has an answer that does not fit, it will
> set the TC bit.
>
> If the problem is actually in the INTERNET part of the diagram,
> fallback is needed no matter what.  We can put of evaluation of how
> much of the problem is in fact in the middle, because we know for sure
> right now that there are problems at the end points.  Since those are
> under the control of the affected parties, we can tackle this problem
> first.
>
> The assumption here is A and B can detect the "width" of their local  
> pipes
> and either fix them or set UDP-buffersize parameters to values that  
> their
> local pipe will pass. If either A or B have multiple paths to the  
> Internet
> they should set their buffer sizes to the smallest pipe width.
> In particular B should NEVER provide an answer to a normal (i.e. non  
> ANY and
> non RRSIG) query that does not pass through "Pipe2".
>
> Work to be done:
> -  Provide tools that measure local pipes and provide configuration  
> hints

We presented dnsfunnel for this at IETF 75, and I think it would be  
great for people to download it and try it out to see this for  
themselves:
	http://www.vantage-points.org/

You can point dnsfunnel at any zone and it will tell you if there is a  
problem and what sizes fit.  This has the benefit of testing the path  
from _your_ stub to each name server in whichever zone you aim it at.

Eric
é

>
> -  Educate users to use the tools, where to look for problems and how
>       to update configurations.
> -  Make the firewall community aware that firewall's are causing DNS  
> problems
>  and educate them in how to update their configurations, to allow well
>  formed UDP fragments to pass. (i.e. non overlapping fragments)
> -  ditto for DNS proxy vendors.
> -  Improve EDNS0 fallback strategies.
>
> Only the last one is a protocol work that DNSEXT can undertake, all  
> the others
> are external educations activities that are outside the scope of the  
> working
> group.
>
> As DNS is not the only UDP based protocol that is affected by the  
> restrictions on
> UDP packets, modifying DNS to work around misbehaving middle boxes  
> is counter
> productive to making the Internet better in the long run.
> Adding complexity to DNS to handle the misbehaving units is a wasted  
> effort
> as the educational tasks will still have to be undertaken and  
> provide a
> quicker return on investment.
>
>       Olafur & Andrew


["PGP.sig" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic