> On Feb 22, 2016, at 8:04 AM, Shane Kerr <[email protected]> wrote:
>
> Duane,
>
> At 2016-02-18 22:18:14 +0000
> "Wessels, Duane" <[email protected]> wrote:
>
>>> Personally I think TCP for root priming makes complete sense, since root
>>> priming traffic is a small fraction of a percent of both root server
>>> traffic and resolver queries. (In fact this is a subset of the general
>>> set of queries where "if you expect truncation, just start with TCP".
>>> That's a possibly useful optimization that probably nobody has bothered
>>> with because truncation is very rare.)
>>
>>
>> I took a look at some data to see if priming queries truly are a small
>> fraction. From what I see, about 3.5 to 4.0% of root server traffic is
>> priming queries. I have a "second opinion" analysis running at DNS-OARC
>> but that is taking longer, so if it indicates anything different I'll
>> follow up.
>
> Just for clarification, does this mean 3.5% to 4.0% of all root server
> traffic or 3.5% to 4.0% of "non-junk" root server traffic?

Of all root server traffic.

>
> I ask because I am assured that 90% of root server traffic is junk. If
> you are talking about 3.5% to 4.0% of all root traffic, then this means
> that more than 1/3 of "real" traffic is root priming, which seems
> really high to me.

I think some priming queries could also be considered junk. For example,
repeated within a short amount of time, or within the amount of time that
you'd expect the response to be cached. Unfortunately I don't have numbers
to report at this time.

>
> If you're talking about 3.5% to 4.0% of non-junk traffic, then it's
> something like 0.4% of all traffic, which is still more than I would
> expect, but not shockingly so.
>
>> I guess I'm a little hesitant here because in an earlier discussion
>> on this document we talked about saying "resolvers SHOULD send DO
>> when priming" and if we add "SHOULD use TCP when DO is set" then TCP
>> sort of becomes the default for all priming queries. Unless and
>> until the root-servers.net zone is signed, the priming response
>> doesn't really need TCP because it can entirely fit in an
>> unfragmented UDP packet.
>
> Let me turn this around... why would you not use TCP for root priming?
>
> One concern might be that root servers are easier to DoS via TCP
> exhaustion, causing priming to fail. Are there other issues?

Noting that the "you" in your question is sort of ambiguous, the reasons
people give for "why not" are just the usual ones that we're all pretty
well aware of. On the client side: latency and middleware blockage. On
the server side: additional state.

Again, I feel like we're only considering to suggest TCP as a default for
priming because root-servers.net *might* be signed, but to me there is a
lot of uncertainty around that and we shouldn't necessarily recommend TCP
by default at this time.

But if we do end up recommending TCP for root priming, I think we need
input from the root server operators first.

DW
