Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

>The next step is experimentation, we wanted to see if the community thought >this was a stupid idea before going forward. I certainly don't think it's stupid. >There are 3 possible outcomes when a DNS querier gets an aswer like this >#1 It accepts everything from authority section >#2 It tosses

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Fri, Mar 25, 2016 at 10:51 PM, John Levine wrote: > >As I think many here know, I am not of the get-off-my-lawn persuasion > >for DNS innovations. I don't think it's a bad idea in principle. I'm > >just aware that we have this long history, and that history was based > >on

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Fri, Mar 25, 2016 at 7:51 PM, John Levine wrote: > >As I think many here know, I am not of the get-off-my-lawn persuasion > >for DNS innovations. I don't think it's a bad idea in principle. I'm > >just aware that we have this long history, and that history was based > >on a

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

>As I think many here know, I am not of the get-off-my-lawn persuasion >for DNS innovations. I don't think it's a bad idea in principle. I'm >just aware that we have this long history, and that history was based >on a certain kind of conservatism that is arguably appropriate to a >technology

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Thu, Mar 24, 2016 at 08:33:28AM +1000, George Michaelson wrote: > Very strong +1. The % of incoming query with DO set is far, far higher > than the % of incoming query seen at authority who subsequently ask > for DS/DNSKEY at zone and parent. There is a good, strong indication > that resolvers

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Thu, Mar 24, 2016 at 7:10 AM, Florian Weimer wrote: > DO was used initially for SIG and kept for RRSIG. For an early DNSSEC > implementation, RRSIG was just another unsolicited RR type because it > could only know about SIG. This suggests (to me at least) that >

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On 03/23/2016 09:03 PM, Andrew Sullivan wrote: > I don't understand how it's a way to evaluate this claim. DNSSEC > includes a bit (DO) that says you're prepared to handle the additional > data in the answer section. Indeed, the unpreparedness of people for > this data was just exactly the

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Hi, On Wed, Mar 23, 2016 at 09:37:57AM -0700, Marek Vavruša wrote: > > 1. We had no idea what resolvers who weren't expecting the > > in the Answer section would do. This draft says what is "more > > likely", but I have no way of evaluating that claim. Without an > > EDNS0

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On 03/22/2016 12:45 AM, Marek Vavruša wrote: > there was an interest in reducing latency for address record lookups. > Me and Olafur wrote a draft on adding records to A answers and > treating them as authoritative. This fixes latency issues with NS > A/ discovery in resolvers and

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On 03/22/2016 01:15 AM, Paul Vixie wrote: > > > Marek Vavruša wrote: >> ... >> >> https://datatracker.ietf.org/doc/draft-vavrusa-dnsop--for-free/ > > +1. we ought to have done this from the get-go. It did not work back then because unexpected RRsets in the answer broke resolvers. This is

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

In one of the experiments we are conducting we stuff the response with other QTYPE data and this seems to not interfere with resolver behaviour (unless we trigger it). So #3 doesn’t seem to be a common case (we could look in the fringes for this behaviour). Towards the resolver’s clients, all

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Tue, Mar 22, 2016 at 6:11 PM, Mark Andrews wrote: > > In message <2016030345.29993...@pallas.home.time-travellers.org>, > Shane Kerr writes: > > Maybe we just need a new RTYPE. It would be awesome if CloudFlare > > killed ANY and then gave us ANYA ("any address"). ;) > >

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

>We have a way of measuring DNSSEC algorithms penetration, QNAME >minimisation-enabled resolvers etc., thus also a way to evaluate this >claim. I'm setting up a special domain using this I-D and then we can use >RIPE Atlas or 1x1 test, should Google or someone be interested in testing >this. The

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Hi Andrew, first of all - thanks for being constructive. On Wed, Mar 23, 2016 at 6:07 AM, Andrew Sullivan wrote: > Hi, > > On Mon, Mar 21, 2016 at 04:45:51PM -0700, Marek Vavruša wrote: > > Me and Olafur wrote a draft on adding records to A answers and > > treating

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Andrew Sullivan wrote: > On Mon, Mar 21, 2016 at 04:45:51PM -0700, Marek Vavruša wrote: > > Me and Olafur wrote a draft on adding records to A answers and > > treating them as authoritative. > > The last time this was proposed, in DNSEXT when Olafur was co-chair, >

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Mon, Mar 21, 2016 at 06:55:00PM -0700, Paul Vixie wrote: > i think we have to start planning for a world in which EDNS0 never reaches > 75% penetration due to middleboxes having the high ground. Well, you could get most of the way there for this proposal by having just recursives do it. End

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Hi, On Mon, Mar 21, 2016 at 04:45:51PM -0700, Marek Vavruša wrote: > Me and Olafur wrote a draft on adding records to A answers and > treating them as authoritative. The last time this was proposed, in DNSEXT when Olafur was co-chair, the proposal was rejected on the following grounds:

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Marek Vavruša wrote: > > 1. No signalling to client when is unavailable > > I didn't want to include it in the beginning but I see it has a merit. Yep. Also, while improving this for direct address queries, it should also be improved for additional data in MX, NS,

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

In message <2016030345.29993...@pallas.home.time-travellers.org>, Shane Kerr writes: > Maybe we just need a new RTYPE. It would be awesome if CloudFlare > killed ANY and then gave us ANYA ("any address"). ;) You would then need to do ANYA, A and queries or you have to have signaling to

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Tue, Mar 22, 2016 at 2:03 PM, Shane Kerr wrote: > Marek, > > At 2016-03-22 12:12:08 -0700 > Marek Vavruša wrote: > > > 2. Behavior of stubs is not explicit in the draft > > > > I should have stated this explicitly, the draft doesn't update

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Tue, Mar 22, 2016 at 1:20 PM, Mark Andrews wrote: > > In message

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Marek, At 2016-03-22 12:12:08 -0700 Marek Vavruša wrote: > 2. Behavior of stubs is not explicit in the draft > > I should have stated this explicitly, the draft doesn't update behaviour of > stub resolvers. In my opinion, they should use the most basic form of DNS >

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

In message

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Thanks everybody for comments! It's a lot so I'll try to rephrase and answer the questions below. 1. No signalling to client when is unavailable I didn't want to include it in the beginning but I see it has a merit. DNSSEC has means to provide authenticated non-existence for free, so I

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Tue, Mar 22, 2016 at 7:41 AM, Tony Finch wrote: > Marek Vavruša wrote: > > > > there was an interest in reducing latency for address record lookups. > > Me and Olafur wrote a draft on adding records to A answers and > > treating them as

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Tue, Mar 22, 2016 at 7:41 AM, Tony Finch wrote: > Marek Vavruša wrote: > > > > there was an interest in reducing latency for address record lookups. > > Me and Olafur wrote a draft on adding records to A answers and > > treating them as

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Marek Vavruša wrote: > > there was an interest in reducing latency for address record lookups. > Me and Olafur wrote a draft on adding records to A answers and > treating them as authoritative. This fixes latency issues with NS > A/ discovery in resolvers and

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

George Michaelson wrote: What did I mis-understand? The APNIC 1x1 is a random sample over users, and it sees significantly more than 75% EDNS0. More like 93%. by query volume, or by rdns ip? By query volume. And, we're at authority where I suspect you see the edge. Once the query is

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Tue, Mar 22, 2016 at 12:07 PM, Paul Vixie wrote: > > > George Michaelson wrote: >> >> I'm confused. DO bit implies EDNS0, and we think DO bit in the field >> is north of 75%. >> >> What did I mis-understand? The APNIC 1x1 is a random sample over >> users, and it sees

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

George Michaelson wrote: I'm confused. DO bit implies EDNS0, and we think DO bit in the field is north of 75%. What did I mis-understand? The APNIC 1x1 is a random sample over users, and it sees significantly more than 75% EDNS0. More like 93%. by query volume, or by rdns ip? -- P Vixie

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

I'm confused. DO bit implies EDNS0, and we think DO bit in the field is north of 75%. What did I mis-understand? The APNIC 1x1 is a random sample over users, and it sees significantly more than 75% EDNS0. More like 93%. -George On Tue, Mar 22, 2016 at 11:55 AM, Paul Vixie

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Mark Andrews wrote: In

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Mon, 21 Mar 2016, Marek Vavruša wrote: What happens with the Answer Count for QTYPE=A when there are no A records and only records? And can the examples also clarify this? That's an example 5.3 The use case is, but I still have no idea what the ANCOUNT should be. Neither

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

In message

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

I see the point but I don't really want to go down the EDNS route. So presuming that this draft catches on and Alexa 1M NSs publish at least one record, there would be no need for two queries in most cases and no need for additional signalisation. If they don't publish records, then the

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Mon, Mar 21, 2016 at 5:14 PM, Paul Wouters wrote: > On Mon, 21 Mar 2016, Marek Vavruša wrote: > > there was an interest in reducing latency for address record lookups. Me >> and Olafur wrote a draft on adding records to A answers and treating >> them as authoritati >> ve.

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Or we could defined the "aaa" (A and ) {E}DNS bit where the server guarantees that the response contains both the A and answers for A or queries if aaa=1 in the response. Recursive servers would lookup A/ records if cache is missing them before returning a response. If the A /

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Who wants to get rid of A lookups? "A" is going to be here for a while and using it as a generic mean to get all addresses of given protocol (regardless of version) gives servers a way to smoothly transition over versions. If the A was updated to have a variable address length, then it could be

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Tue, 22 Mar 2016, Mark Andrews wrote: Well we really want to get rid of A lookups. Why don't we just recommend that we publish mapped A records in RRsets and have master servers update RRsets if they are inconsitent with the A RRsets. We also need a way to signal that there are

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

On Mon, 21 Mar 2016, Marek Vavruša wrote: there was an interest in reducing latency for address record lookups. Me and Olafur wrote a draft on adding records to A answers and treating them as authoritati ve. This fixes latency issues with NS A/ discovery in resolvers and improves

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Marek Vavruša wrote: ... https://datatracker.ietf.org/doc/draft-vavrusa-dnsop--for-free/ +1. we ought to have done this from the get-go. -- P Vixie ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

Well we really want to get rid of A lookups. Why don't we just recommend that we publish mapped A records in RRsets and have master servers update RRsets if they are inconsitent with the A RRsets. We also need a way to signal that there are no A records in the RRset.