Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-31 Thread Joseph S D Yao
On 2013-08-21 19:36, Geoff Huston wrote: ... truncated TCP. 0.4% of them appear to have some inbound TCP-blocking firewall/filter. ... ... I may have missed this in the original posting and this thread, but this is the first time I've seen this brought up here. This is a particular problem

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-29 Thread Ray Bellis
On 21 Aug 2013, at 11:00, Geoff Huston g...@apnic.net wrote: Yes, our goal was to test out the assertion in RFC5966 that: The majority of DNS server operators already support TCP and we wanted to see if we could quantify what that majority actually was. [I've been on holiday, so apologies

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-22 Thread Wolfgang Nagele
+1 I would love to see more discussion on the implication of its findings than the semantics of how they were presented. There is a lot to learn from the information the measurement has delivered. On 8/22/13 2:14 PM, Fred Morris m3...@m3047.net wrote: On Wed, 21 Aug

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread George Michaelson
Thanks for the clarification. We did in fact detect initial configuration issues with the default TCP 3 backlog, but once we'd put this up to 2000 we only had one brief window of RST congestion as detected by a simple TCP filter. This test was for a domainspace which serves around 250,000

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Geoff Huston
Yes, our goal was to test out the assertion in RFC5966 that: The majority of DNS server operators already support TCP and we wanted to see if we could quantify what that majority actually was. What we found out was that of the DNS resolvers that were visible to the authoritative name server,

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Randy Bush
http://www.circleid.com/posts/20130820_a_question_of_dns_protocols/ them aussies certainly know how to do a nice bit of wide-scale measurement. now we can descend into the religions un-asserted implications violate. randy

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Jon Lewis
On Wed, 21 Aug 2013, Dobbins, Roland wrote: http://www.circleid.com/posts/20130820_a_question_of_dns_protocols/ I didn't even get far enough to get to the parts Vixie seems to object to. It was too painful to read. It's in desperate need of proof-reading and copy editing. Was this

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Randy Bush
http://www.circleid.com/posts/20130820_a_question_of_dns_protocols disappointed me with this characterization of RRL: There is a conversation thread that says that resolvers should implement response rate limiting (RRL), and silently discard repetitive queries that exceed some

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Vernon Schryver
From: Geoff Huston g...@apnic.net On the other hand it's no more serious than any other form of small TCP transaction based services that are subjected to massive volumes, such as, say, a search engine front end. Isn't that why HTTP, SMTP, and other TCP transaction services have been changed

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Jared Mauch
BTW, The goal of OpenResolverProject was to have an inventory so folks could measure against attacks and determine what % of attacks utilized them. The list is available in weekly format to security teams to download in bulk so they can use tools like GrepCidr to perform this cross-reference.

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Andrew Sullivan
On Wed, Aug 21, 2013 at 03:14:59PM +, Vernon Schryver wrote: HTTP, SMTP, and other TCP transaction applications? Could the gTLD roots exist in anything like their current forms if DNS transactions cost as many CPU and stable storage computrons as an HTTP GET of a purely static page

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Ralf Weber
Moin! On 21.08.2013, at 08:18, Jared Mauch ja...@puck.nether.net wrote: The unexpected results of the data were knowing that ~46% are just a broken CPE device that does something weird with DNS packets. Well they mostly proxy that query to their ISPs resolver, who as it came from an address

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Paul Vixie
Vernon Schryver wrote: http://www.circleid.com/posts/20130820_a_question_of_dns_protocols disappointed me with this characterization of RRL: There is a conversation thread that says that resolvers should implement response rate limiting (RRL), and silently discard repetitive

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Alan Shackelford
Vernon Schryver wrote: http://www.circleid.com/posts/20130820_a_question_of_dns_protocols disappointed me with this characterization of RRL: There is a conversation thread that says that resolvers should

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Geoff Huston
On 22/08/2013, at 9:36 AM, Geoff Huston g...@apnic.net wrote: On 22/08/2013, at 12:36 AM, Jon Lewis jle...@lewis.org wrote: On Wed, 21 Aug 2013, Dobbins, Roland wrote: http://www.circleid.com/posts/20130820_a_question_of_dns_protocols/ I didn't even get far enough to get to the

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Paul Vixie
Geoff Huston wrote: ... So here is what I would say to this audience: ... thank you geoff, i understand it now. vixie

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread David Conrad
Geoff, I personally think this is really interesting work. A question about methodology: On Aug 21, 2013, at 4:36 PM, Geoff Huston g...@apnic.net wrote: - Our experiment used a modified DNS server that truncated all UDP at 512 bytes, and over 10 days we enlisted some 2 million end clients to

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Geoff Huston
On 22/08/2013, at 10:32 AM, David Conrad d...@virtualized.org wrote: Geoff, I personally think this is really interesting work. A question about methodology: On Aug 21, 2013, at 4:36 PM, Geoff Huston g...@apnic.net wrote: - Our experiment used a modified DNS server that truncated all

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-20 Thread Yasuhiro Orange Morishita / 森下泰宏
Geoff's original article is here (in potaroo.net) A Question of DNS Protocols http://www.potaroo.net/ispcol/2013-09/dnstcp.html It also describes the open resolver project as a name and shame approach. (I have quoted below, and IMHO, certainly this approach is effective) The open resolver

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-20 Thread Paul Vixie
Dobbins, Roland wrote: http://www.circleid.com/posts/20130820_a_question_of_dns_protocols/ canard.

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-20 Thread George Michaelson
On 21/08/2013, at 3:23 PM, Paul Vixie p...@redbarn.org wrote: Dobbins, Roland wrote: http://www.circleid.com/posts/20130820_a_question_of_dns_protocols/ canard. We invested quite a lot of time re-checking things with a shorter EDNS0 limit coded into bind, to confirm the TCP failure