Re: [dnsop] comments on draft-fujiwara-dnsop-bad-dns-auth-01

Sun, 06 Feb 2005 16:53:35 -0800 

> > 2) The recommendation that name servers MUST support EDNS0 if they're
> >    going to send back response messages larger than 512 octets seems
> >    reasonable.  The need for name servers to support TCP as well if
> >    the message size exceeds 1200 octets is less obvious: it seems to
> >    me that EDNS0 is enough.
> 
> I also think EDNS0 is enough if the message size exceeds 1200 octets.
> 
> It should be noted that EDNS0 uses IP fragmentation affirmatively
> which IPv6 specification discuorages.
> 
> >    Part of the reason why the TCP requirement concerns me is that I
> >    suspect that such a requirement would simply be ignored, so if TCP
> >    support really is a requirement, we're going to have to make a very
> >    compelling case for why TCP is the only solution.  Since I'm pretty
> >    sure that EDNS0 is enough, I suspect that we cannot make that
> >    strong a case for TCP.
> 
> So, I will write new I-D for future dns transport till next monday (as
> much as possible).
> 
> 1. EDNS0 is enough for everything
>      OK for DNS anycasting.
>      But may be larger than 4096 octets
>        especially in DNSSEC
>      And There are some misconfigurations which contains 10k octets PTR RRs.
>       -> I think it is not resolved, but it costs much!!! for resolvers.
> 
> 2. anycast vs TCP
> 
>      There are bad cases and good cases.  I think we need protection
>      mechanism or protection specification in cache server
>      implementation/specification.
> 
> 3. Future DNS service
> 
>     Root, TLD case
>     Major site's case
>     (DNSSEC case)
>     resolver server
> 
> --
> Fujiwara, Kazunori    JPRS
> .
> dnsop resources:_____________________________________________________
> web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
> mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

        EDNS is required to get referrals through which contain
        enough glue in a dual stack IPv4/IPv6 world.  DNSSEC will
        just increase the need.  

        TCP is required to get the larger answers application writers
        are requesting from the DNS.

        Both in my opinion are manditory to support in servers and
        interative resolvers.  One an get away w/o EDNS in stub
        resolvers until you require DNSSEC which requires EDNS.  

        Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

Reply via email to