Draft http://tools.ietf.org/html/draft-ietf-dnsop-resolver-priming-02
says
"2.1. Parameters of a Priming Query
A priming query SHOULD use a QNAME of "." and a QTYPE of NS. The
priming query MUST be sent over UDP (section 6.1.3.2 of [RFC1123]).
The UDP source port SHOULD be randomly selected [RFC5452]. The RD
bit MUST NOT be set. The resolver SHOULD also use EDNS0 [RFC2671]
and announce and handle a reassembly size of at least 1024 octets
[RFC3226].
[[Do we need a fallback strategy for EDNS unfriendly environments?]]
"
Going forward I think this is a bad recommendation. I would like to
propose that the document take the plunge of recommending that
modern DNSSEC capable resolvers perform the priming query over TCP.
The benefit is that a single query can retrieve the signed root NS set
and all the signed glue records.
The alternative is that a resolver that really cares about DNSSEC will have
to issue up to 27 UDP queries in order to get all the records that are
related to the NS set.
Background:
26 signed glue records will require about a 5K answer if each RRSet is
signed by a single 1024 bit RSA key.
This will never fit into an EDNS0 answer, as a number of implementations
have a 4096 byte hard limit on answer size.
As of today all the root servers instances that my host reached answered a TCP
query.
Proposed replacement text:
A priming query MUST use a QNAME of ".", a QTYPE of NS and a QCLASS of IN,
with the RD bit set to 0; the source port of the query should be randomly
selected [RFC5452].
A DNSSEC aware resolver SHOULD send the priming query over TCP.
If TCP is refused a different server SHOULD be tried; after 3 tries
the resolver SHOULD fall back on UDP.
A DNSSEC ignorant but EDNS0 capable resolver SHOULD issue the
priming query over UDP; the EDNS0 option MUST be included with a buffer
size of 1220 or larger. If the UDP query times out, TCP SHOULD be tried.
An EDNS0 ignorant resolver MUST issue the priming query over UDP.
By making this change, section 2.4, the one on not asking for signed
answers, can be dropped.
In section 2.2 the draft allows "pre-fetching" of the priming answer when
75% of TTL has passed. I think this should be higher more like 85%..95% or
a fixed minimum time like 6 hours.
The IANA considerations section mentions TTL recommendations for the root zone, but
does not make any. I think the document should document what the current values
are, and the group should pass a comment on whether it thinks the values are
reasonable or can be improved. If the values are going to change based on signature
lifetimes when the root is signed, then that should also be reflected in the document.
Olafur
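To make the proposed replacement text concrete, here is an added example (not part of the post or of the draft) that builds the priming query in wire format with the Python standard library only: QNAME ".", QTYPE NS, QCLASS IN, RD bit 0, and an EDNS0 OPT record advertising a 1220 octet buffer with the DO bit set. It also shows the 2 octet length prefix that DNS over TCP requires, and a small planner that encodes the proposed transport order (TCP on up to three servers, then UDP; or UDP with EDNS0 first, then TCP, for DNSSEC ignorant resolvers). Function names, the default buffer size and the server labels are assumptions for illustration; nothing here is sent on the network, so it runs offline.

```python
import secrets
import struct

QTYPE_NS = 2      # NS record type
QTYPE_OPT = 41    # EDNS0 OPT pseudo-RR (RFC 2671)
QCLASS_IN = 1


def build_priming_query(edns0=True, udp_payload=1220, dnssec_ok=True, msg_id=None):
    """Wire-format priming query: QNAME ".", QTYPE NS, QCLASS IN, RD=0, optional OPT RR.

    Names and defaults are assumptions for this example; the 1220 octet buffer
    size mirrors the proposed text above.
    """
    if msg_id is None:
        msg_id = secrets.randbelow(1 << 16)  # unpredictable ID, like the random source port
    flags = 0x0000  # QR=0, OPCODE=QUERY, RD=0: a priming query is a non-recursive query
    qdcount, ancount, nscount, arcount = 1, 0, 0, (1 if edns0 else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, nscount, arcount)
    # The root name "." is encoded as a single zero-length label.
    question = b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    msg = header + question
    if edns0:
        # OPT RR: NAME root, TYPE 41, CLASS = advertised UDP payload size,
        # TTL field = extended RCODE / version / flags (DO is bit 15), RDLEN 0.
        ttl_field = (1 << 15) if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, ttl_field, 0)
    return msg


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2 octet big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_query(msg):
    """Decode the fields worth checking: RD bit, QNAME, QTYPE/QCLASS, EDNS0 buffer size, DO bit."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rd = (flags >> 8) & 1
    off = 12
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    qname = ".".join(labels) + "."
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"id": msg_id, "rd": rd, "qname": qname, "qtype": qtype, "qclass": qclass,
            "edns0": False, "udp_payload": None, "do": None}
    if ar and msg[off] == 0:
        rtype, payload, ttl_field, rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
        if rtype == QTYPE_OPT:
            info.update(edns0=True, udp_payload=payload, do=(ttl_field >> 15) & 1)
    return info


def priming_plan(dnssec_aware, edns0_capable, servers):
    """Ordered (transport, server, use_edns0) attempts under the proposed text.

    DNSSEC aware: TCP against up to three different servers, then fall back to UDP.
    DNSSEC ignorant but EDNS0 capable: UDP with EDNS0 first, TCP if it times out.
    EDNS0 ignorant: plain UDP only.
    """
    if dnssec_aware:
        tcp_attempts = [("tcp", s, True) for s in servers[:3]]
        return tcp_attempts + [("udp", servers[0], True)]
    if edns0_capable:
        return [("udp", servers[0], True), ("tcp", servers[0], True)]
    return [("udp", servers[0], False)]


if __name__ == "__main__":
    q = build_priming_query()
    print(parse_query(q))
    print(frame_for_tcp(q).hex())
    print(priming_plan(True, True, ["a.root", "b.root", "c.root", "d.root"]))
```

The parser is deliberately the same shape as the builder, so a resolver author can feed a captured priming query through `parse_query` and confirm that RD is clear, that the advertised buffer is at least 1220 octets, and that the DO bit is set before relying on the signed NS set in the answer.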
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop