Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
The call for acceptance for draft-song-atr-large-resp is closed, and it is clear that there is insufficient support to adopt the concept as a DNSOP WG document. There was some concern about the increased number of packages involved in a legitimate exchange (half of them being ICMP messages, introducing other concerns) and that the problem space is too narrow to burden all resolvers. We would like to thank the authors and WG participants who responded to the call for adoption on the mailing list. Best regards, -- Benno DNSOP co-chair On 18/01/2019 18:55, Benno Overeinder wrote: > Dear DNSOP WG, > > We discussed this work (draft -01) in Montreal, and different opinions wrt. > adoption were expressed. In the past months, the authors pushed a draft > version -02 that addressed and resolved some of these comments. > > This starts a Call for Adoption for: > draft-song-atr-large-resp > > The draft is available here: > https://datatracker.ietf.org/doc/draft-song-atr-large-resp/ > > Please review this draft to see if you think it is suitable for adoption by > DNSOP, and comments to the list, clearly stating your view. > > Please also indicate if you are willing to contribute text, review, etc. The > WG accepts the document or not, but the WG chairs also expect a commitment > from the WG participants who support the document to contribute to the draft, > review, etc. > > The intended status of the draft is Experimental, but we want to ask > developers/vendors if they plan to implement it. > > This call for adoption ends: 1 February 2019 > > Thanks, > > Benno Overeinder > DNSOP co-chair > > > > ___ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
At Fri, 8 Feb 2019 00:39:27 +0530, Mukund Sivaraman wrote: > > The draft doubles the number of packets involved in a legitimate > > exchange; it more than doubles the number of packets involved in a > > spoofed exchange. About half of these packets are ICMP > > packets. Without the draft, ICMP packets are useful debugging aids, > > and in big numbers, indications of attacks or operational > > problems. With the draft, ICMP becomes another useless source of > > background noise. > > I had implemented the draft about a year ago as a server-side patch for > BIND so that it could be tried/tested. But I was not aware of the ICMP > issue that you mentioned. Today I looked at a packet capture with ATR > response and sure enough, the 2nd truncated response generates an ICMP > message from the recipient. I agree that this would be noisy. Probably off topic in the context of the adoption call, but I'd note that it depends on some implementation details of the resolver. ICMP port unreachable errors will be likely to be increased if the resolver closes the UDP socket for a query with an authoritative server immediately after it receives a return packet. BIND behaves that way by default, so did PowerDNS recursor when I checked the implementation many years ago (it probably still does). But not all resolver implementations adopt this practice; if I understand it correctly Unbound uses a pool of (many) UDP sockets and reuse the same socket for multiple queries. I've not tested it myself but I believe you won't see an increase of ICMP errors with such resolver implementations. -- JINMEI, Tatuya ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
Peter van Dijk wrote on 2019-02-07 06:41: ... I think it’s important to repeat that not only do I oppose adoption - any implementation, no matter the status of the document, will be *actively harmful to the DNS at large*. Please do not implement this. to be fair, the harm in terms of icmp noise would be to the whole internet, not just to the dns. -- P Vixie ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
On 6 Feb 2019, at 9:08, Mukund Sivaraman wrote:
Considering that the method is implementable without any changes at a
resolver, and that it doesn't require compatible behavior among DNS
implementations ("protocol" or best practice), I suppose it does not
matter if this draft is adopted or not as long as the idea has been
described somewhere.
While it can be implemented on an auth without changes to resolvers,
doing that would severely impact operation of all resolvers.
I think it’s important to repeat that not only do I oppose adoption -
any implementation, no matter the status of the document, will be
*actively harmful to the DNS at large*. Please do not implement this.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
On Fri, Jan 18, 2019 at 06:55:16PM +0100, Benno Overeinder wrote:
> Please review this draft to see if you think it is suitable for
> adoption by DNSOP, and comments to the list, clearly stating your
> view.
Considering that the method is implementable without any changes at a
resolver, and that it doesn't require compatible behavior among DNS
implementations ("protocol" or best practice), I suppose it does not
matter if this draft is adopted or not as long as the idea has been
described somewhere.
Mukund
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
At Fri, 18 Jan 2019 18:55:16 +0100, Benno Overeinder wrote: > We discussed this work (draft -01) in Montreal, and different opinions wrt. adoption were expressed. In the past months, the authors pushed a draft version -02 that addressed and resolved some of these comments. > > This starts a Call for Adoption for: > draft-song-atr-large-resp > > The draft is available here: > https://datatracker.ietf.org/doc/draft-song-atr-large-resp/ > > Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view. I've read draft-song-atr-large-resp-02. I support the adoption of this doc, or at least of *some work* related to the "large response drop" problem, by DNSOP. If adopted I'm willing to review subsequent versions. I don't have empirical measurement results of my own on this topic, but my general understanding of the discussion in the IETF is that the concern (i.e., the bad effects of dropping fragmented large packets) is seriously taken. One of the latest efforts in this sense is draft-ietf-intarea-frag-fragile, which is currently in an intarea WGLC and talks about DNS implications (btw, those who dismiss atr-large-resp because the concern is FUD may want to comment on intarea-frag-fragile too). The research result cited in draft-song-atr-large-resp (https://blog.apnic.net/2017/08/22/dealing-ipv6-fragmentation-dns) may still be anecdotal and artificial, but it also looks solid and sufficiently broad to draw attention. So I don't agree on dismissing the work "because the problem doesn't exist". I also don't agree on dismissing the work "because it's specific to IPv6" (I don't know if it really is, but even if so), given the commitment by the IETF to IPv6 deployment and related problems. I see it's still debatable whether the particular proposal of "ATR" is a good solution to the problem, however. I admit that's a hack with some obvious adverse effects such as increasing response traffic, so if there's a better, cleaner solution, I'm happy to support that one instead of ATR. One aspect I like about ATR, however, is that it can be deployed without changing resolvers. In that sense I see it as more promising compared to some other proposed DNS hacks, e.g., (the ultimate form of) ANAME. -- JINMEI, Tatuya ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
Paul Vixie wrote: > likewise. we should not avoid fragmentation in this particular way. that is, > we can use persistent TCP, or we can avoid sending large messages by shaping > their contents better (smaller signatures, less additional data). Like this? https://mailarchive.ietf.org/arch/msg/dnsop/xnJjuOFRE4IiT7uqEFyqhYKKT7c Tony. -- f.anthony.n.finchhttp://dotat.at/ Lundy, Fastnet, Irish Sea: Northwest 5 to 7. Slight or moderate in Irish Sea, otherwise moderate or rough, occasionally very rough, but high at first in west Fastnet. Rain or showers. Good, occasionally moderate. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
Peter van Dijk wrote on 2019-01-21 11:22: Hello, On 18 Jan 2019, at 18:55, Benno Overeinder wrote: ... This starts a Call for Adoption for: draft-song-atr-large-resp I oppose adoption. ... likewise. we should not avoid fragmentation in this particular way. that is, we can use persistent TCP, or we can avoid sending large messages by shaping their contents better (smaller signatures, less additional data). in fact i would prefer to embrace fragmentation and fix it. so, in addition to my reasoning above, i am also biased against the goal itself. (i say this not to persuade, but for full disclosure.) in ~1998, the IETF DNSIND WG persuaded me to remove the MD bit from EDNS0, and the reasons given then (see the archives) are all still valid today, especially given that IPv6 made fragmentation worse not better than it was in V4, and it was pretty broken in V4, the absolute value of this negative bar was rather high. -- P Vixie ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
On 21-01-19 11:22, Peter van Dijk wrote: > I oppose adoption. Any implementation of this draft will actively hurt the > DNS and the Internet, and thus publication as an RFC will actively hurt the > DNS and the Internet. I agree with Peter. This workaround does more harm than good and should not be adopted. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
+1. I we should not adopt this draft for all the reasons all ready presented in the thread and also the draft text regarding "moving all DNS over TCP”. regards John On 21 Jan 2019, at 10:41, Ralf Weber wrote: > Moin! > > On 21 Jan 2019, at 11:26, Ondřej Surý wrote: >>> On 21 Jan 2019, at 11:22, Peter van Dijk >>> wrote: >>> Please do not adopt. >> >> +1 to everything that Peter said. I’ve been opposing ATR draft from the >> very beginning. We can’t be removing EDNS workarounds and at the same time >> slap another workaround into the DNS. > Another +1 for not adopting this draft. I wonder if there is a coincidence > that the end of the adoption call is on the same date as DNS Flag day ;-). > > If I recall the presentation that lead to this correct it is mostly an IPv6 > problem and given the nature of DNS it will only occur if all name servers > are on v6. Having one v6 name server that will respond correct with fragments > also solves the problem. I think the problem space is to narrow to burden > this problem on all resolvers. > > So long > -Ralf > —-- > Ralf Weber > > ___ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop John Dickinson https://sinodun.com Sinodun Internet Technologies Ltd. Magdalen Centre Oxford Science Park Robert Robinson Avenue Oxford OX4 4GA U.K. signature.asc Description: OpenPGP digital signature ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
On 21. 01. 19 11:34, Jim Reid wrote: > > >> On 21 Jan 2019, at 10:26, Ondřej Surý wrote: >> >> We can’t be removing EDNS workarounds and at the same time slap another >> workaround into the DNS. > > +1 > > I think the WG should drop this draft. +1, I also oppose adoption of this draft. Solving rare operational problem with a huge and ugly hack is no-go territory for Knot Resolver project. [Most importantly we need to get an explanation why Geoff's experiments show problems but clients can in practice resolve org. DNSKEY just fine.] -- Petr Špaček @ CZ.NIC ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
Moin! On 21 Jan 2019, at 11:26, Ondřej Surý wrote: On 21 Jan 2019, at 11:22, Peter van Dijk wrote: Please do not adopt. +1 to everything that Peter said. I’ve been opposing ATR draft from the very beginning. We can’t be removing EDNS workarounds and at the same time slap another workaround into the DNS. Another +1 for not adopting this draft. I wonder if there is a coincidence that the end of the adoption call is on the same date as DNS Flag day ;-). If I recall the presentation that lead to this correct it is mostly an IPv6 problem and given the nature of DNS it will only occur if all name servers are on v6. Having one v6 name server that will respond correct with fragments also solves the problem. I think the problem space is to narrow to burden this problem on all resolvers. So long -Ralf —-- Ralf Weber ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
> On 21 Jan 2019, at 10:26, Ondřej Surý wrote: > > We can’t be removing EDNS workarounds and at the same time slap another > workaround into the DNS. +1 I think the WG should drop this draft. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
> On 21 Jan 2019, at 11:22, Peter van Dijk wrote: > > Signed PGP part > Hello, > > On 18 Jan 2019, at 18:55, Benno Overeinder wrote: > >> We discussed this work (draft -01) in Montreal, and different opinions wrt. >> adoption were expressed. In the past months, the authors pushed a draft >> version -02 that addressed and resolved some of these comments. >> >> This starts a Call for Adoption for: >> draft-song-atr-large-resp >> >> The draft is available here: >> https://datatracker.ietf.org/doc/draft-song-atr-large-resp/ >> >> Please review this draft to see if you think it is suitable for adoption by >> DNSOP, and comments to the list, clearly stating your view. >> >> Please also indicate if you are willing to contribute text, review, etc. >> The WG accepts the document or not, but the WG chairs also expect a >> commitment from the WG participants who support the document to contribute >> to the draft, review, etc. >> >> The intended status of the draft is Experimental, but we want to ask >> developers/vendors if they plan to implement it. >> >> This call for adoption ends: 1 February 2019 > > I oppose adoption. Any implementation of this draft will actively hurt the > DNS and the Internet, and thus publication as an RFC will actively hurt the > DNS and the Internet. > > The draft doubles the number of packets involved in a legitimate exchange; it > more than doubles the number of packets involved in a spoofed exchange. About > half of these packets are ICMP packets. Without the draft, ICMP packets are > useful debugging aids, and in big numbers, indications of attacks or > operational problems. With the draft, ICMP becomes another useless source of > background noise. > > Meanwhile, we have no indication that the draft solves any existing real > world problem in a useful way. > > Please do not adopt. +1 to everything that Peter said. I’ve been opposing ATR draft from the very beginning. We can’t be removing EDNS workarounds and at the same time slap another workaround into the DNS. Ondrej -- Ondřej Surý ond...@isc.org signature.asc Description: Message signed with OpenPGP ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
Hello, On 18 Jan 2019, at 18:55, Benno Overeinder wrote: > We discussed this work (draft -01) in Montreal, and different opinions wrt. > adoption were expressed. In the past months, the authors pushed a draft > version -02 that addressed and resolved some of these comments. > > This starts a Call for Adoption for: > draft-song-atr-large-resp > > The draft is available here: > https://datatracker.ietf.org/doc/draft-song-atr-large-resp/ > > Please review this draft to see if you think it is suitable for adoption by > DNSOP, and comments to the list, clearly stating your view. > > Please also indicate if you are willing to contribute text, review, etc. The > WG accepts the document or not, but the WG chairs also expect a commitment > from the WG participants who support the document to contribute to the draft, > review, etc. > > The intended status of the draft is Experimental, but we want to ask > developers/vendors if they plan to implement it. > > This call for adoption ends: 1 February 2019 I oppose adoption. Any implementation of this draft will actively hurt the DNS and the Internet, and thus publication as an RFC will actively hurt the DNS and the Internet. The draft doubles the number of packets involved in a legitimate exchange; it more than doubles the number of packets involved in a spoofed exchange. About half of these packets are ICMP packets. Without the draft, ICMP packets are useful debugging aids, and in big numbers, indications of attacks or operational problems. With the draft, ICMP becomes another useless source of background noise. Meanwhile, we have no indication that the draft solves any existing real world problem in a useful way. Please do not adopt. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ signature.asc Description: OpenPGP digital signature ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
