Re: [DNSOP] draft-wkumari-dnsop-dist-root-01.txt

[Joe Abley]

Hi Paul, Warren,

On 4 July 2014 at 16:50:08, Paul Hoffman (paul.hoff...@vpnc.org) wrote:

 Greetings. Warren and I have done a major revision on this draft, narrowing 
 the design  
 goals, and presenting more concrete proposals for how the mechanism would 
 work. We welcome  
 more feedback, and hope to discuss it in the WG in Toronto.

I think there is much in the language of this draft that could be tightened up, 
but this is an idea for discussion so I'll avoid a pedantic line-by-line 
dissection. But I can give you the full pedantry if you like :-)

On the pros and cons, however (crudely pasted below), see below.

TL;DR: there are way more cons than pros to this proposal. The pros listed are 
weak; the cons listed are serious. I don't see a net advantage to the DNS (or 
to perceived performance of the DNS for any client) here. This proposal, if 
implemented, would represent non-trivial additional complexity with minimal or 
no benefit. I am not in favour of it, if that's not obvious.

As noted previously, I am not against documenting and discussing the merits of 
slaving the root zone on resolvers (in some fashion). My preference would be 
for a draft called something like 
draft-ietf-dnsop-slaving-root-on-resolvers-harmful, which could borrow much 
of your section 5.1 and 5.2 to make its argument.

I remain very much *not* in favour of making changes to the DNS specification 
that don't have a clear benefit to balance their costs.

---

5.1.  Pros

   o  Junk queries / negative caching - Currently, a significant number
      of queries to the root servers are junk queries.  Many of these
      queries are TLDs that do not (and may never) exist in the root
      Another significant source of junk is queries where the negative
      TLD answer did not get cached because the queries are for second-
      level domains (a negative cache entry for foo.example will not
      cover a subsequent query for bar.example).

I think a better way to accommodate the second point is to implement qname 
minimisation in recursive server logic.

I don't know that the first point is much of a pro. Root server operators need 
to provision significant spare capacity in order to accommodate flash crowds 
and attack traffic, and compared to that spare capacity the volume of junk 
queries is extremely small. There's no obvious operational benefit to root 
server operators in reducing their steady-state query load (in fact, it would 
make it harder in some cases to obtain the exchange point capacity you need to 
accommodate flash crowds, on exchanges where higher-capacity ports are reserved 
for those that have demonstrable need based on steady-state traffic.)

I'm also a little concerned about the word junk. It's a pejorative term that 
implies assumptions about the intent of the original query. If my intent is to 
confirm that a top-level label doesn't exist, then BLAH/IN/SOA is a perfectly 
reasonable query for me to send to a root server. We might assume that a query 
Joe's iPhone/IN/SOA sent to a root server is not reasonable, but we're only 
assuming; we don't actually have a way of gauging the actual intent with any 
accuracy.

   o  DoS against the root service - By distributing the contents of the
      root to many recursive resolvers, the DoS protection for customers
      of the root servers is significantly increased.  A DDoS may still
      be able to take down some recursive servers, but there is much
      more root service infrastructure to attack in order to be
      effective.  Of course, there is still a zone distribution system
      that could be attacked (but it would need to be kept down for a
      much longer time to cause significant damage, and so far the root
      has stood up just fine to DDoS.

If I was to paraphrase this advantage with malicious intent :-), you mean that 
we don't have to rely upon the root server system to continue to perform under 
attack, because we don't need the root server system any more, although we do 
need the new bits of the root server system we are specifying, and if those 
bits are not available we do need the conventional root server system after 
all, but that's probably ok because the root server system is pretty 
resilient. That sounds a bit circular.

   o  Small increase to privacy of requests - This also removes a place
      where attackers could collect information.  Although query name
      minimization also achieves some of this, it does still leak the
      TLDs that people behind a resolver are querying for, which may in
      itself be a concern (for example someone in a homophobic country
      who is querying for a name in .gay).

There's an implication here that a recursive resolver sending a query to a root 
server is potentially impinging upon the privacy of its anonymous clients. I 
find that a bit difficult to swallow.

I'm surprised not to see improves performance for clients in this list, on 
the general principle that every cache miss 

Re: [DNSOP] draft-wkumari-dnsop-dist-root-01.txt

[Paul Vixie]

Joe Abley wrote:
 Hi Paul, Warren,

 On 4 July 2014 at 16:50:08, Paul Hoffman (paul.hoff...@vpnc.org) wrote:

 Greetings. Warren and I have done a major revision on this draft, narrowing 
 the design  
 goals, and presenting more concrete proposals for how the mechanism would 
 work. We welcome  
 more feedback, and hope to discuss it in the WG in Toronto.

 I think there is much in the language of this draft that could be tightened 
 up, but this is an idea for discussion so I'll avoid a pedantic line-by-line 
 dissection. But I can give you the full pedantry if you like :-)

 On the pros and cons, however (crudely pasted below), see below.

 TL;DR: there are way more cons than pros to this proposal. The pros listed 
 are weak; the cons listed are serious. I don't see a net advantage to the DNS 
 (or to perceived performance of the DNS for any client) here. This proposal, 
 if implemented, would represent non-trivial additional complexity with 
 minimal or no benefit. I am not in favour of it, if that's not obvious.

 ...


i am +1 to joe's comments above and analysis elided. i consider joe's
response to be at least as good as the because i owe DRC after my
first short answer to the -00 version of this draft. however, i want to
add two other countervailing points.

first, this approach was tried in freebsd, when doug barton (then
freebsd's BIND9 maintainer) made it the default. all hell broke loose
due to changes in firewall config. debugging cost was maximized, and the
debugging skills were minimized. this config was removed with prejudice.
this experience, where freebsd users are actually among the smartest of
all dns users, should serve as a warning sign to others: abandon hope
all ye who enter here. so, joe's recommendation that this draft be
retitled and rekerned to be
draft-ietf-dnsop-slaving-root-on-resolvers-harmful resonates very
strongly with me.

second, this approach asks millions or tens of millions of rdns servers
to change their config in order to actually scale the capacity of the
root. (so, high cost and low benefit, as joe said.) the reason i
proposed a radically different solution in my ICANN ITI contribution
(now described at
http://tools.ietf.org/html/draft-lee-dnsop-scalingroot-00) is to allow a
few dozen to a few hundred self selected highly skilled and motivated
network-level admins to scale the capacity of the root for everyone.
it's a plain hierarchical solution allowing the operators of any
loopback network on any host, or any LAN segment, or any campus,
corporate, or ISP network to add root name service as a local
capability; it also allows unlimited scale at the global BGP layer. it
is patterned after the success of AS112. it is apolitical since existing
rootops are also expected to participate.

vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] various approaches to dns channel secrecy

[Paul Vixie]

Matthäus Wander wrote:
 * Paul Vixie [7/5/2014 5:04 AM]:
 datagram level channel secrecy (for example, DTLS or IPSEC) offers a
 solution which matches the existing datagram level UDP transport used
 primarily by DNS. however, the all-pervasive middleboxes (small plastic
 CPE devices installed by the hundreds of millions by DSL and Cable and
 other providers) have been shown to be more powerful than IPv6, DNSSEC,
 and EDNS -- we could expect them to prevent any new datagram level
 channel secrecy protocol we might otherwise wish to employ.

 DTLS works on top of UDP (among others) and thus can pass CPE devices.

no, it cannot. DTLS does not look something that the CPE was programmed
to accept; thus in many cases it is silently dropped.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop