Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
Hi Paul

On Tue, Dec 16, 2014 at 10:32:08AM -0800, P Vixie wrote:
> >It's 2 round trips to get at the data, answer the question. FIN is
> >later.
>
> The total transaction time includes all time during which state is
> held. That third round trip is in your departmental budget and will
> show up a

Re: [DNSOP] Enough latency obsession Re: Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
Hi Nicholas

On Tue, Dec 16, 2014 at 02:44:40PM -0500, Nicholas Weaver wrote:
>
> It's time to stop obsessing over latency in DNS!
>
> DNS doesn't exist in a vacuum, but then goes to at minimum, a TCP
> handshake, and who knows what else beyond it. Amdahl's law matters.
>
> How many headaches wo

[DNSOP] Enough latency obsession Re: Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Nicholas Weaver
It's time to stop obsessing over latency in DNS!

DNS doesn't exist in a vacuum, but then goes to at minimum, a TCP handshake, and who knows what else beyond it. Amdahl's law matters.

How many headaches would go away if all DNS is over TCP? And how much would it really make a difference in Lat

Re: [DNSOP] IESG COMMENT/DISCUSSION responses to the dnsop-child-sync draft

2014-12-16 Thread Ted Lemon
Comments below. Executive summary: everything's fine except I'm still not convinced nothing needs to be done about point 3 of my DISCUSS. I will be incommunicado between Christmas and 1/5, and to some extent possibly sooner, so a quick response is essential if you are hoping to have this DIS

Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt

2014-12-16 Thread Rubens Kuhl
> On 16/12/2014, at 15:54:000, Warren Kumari wrote:
>
> On Mon, Dec 15, 2014 at 9:17 PM, Rubens Kuhl wrote:
>>
>> My feedback to a possible -01 version is to add something related to not
>> consider NTAs for the upper hierarchy of a failed DNSSEC domain. For
>> instance, even if I see a

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread P Vixie
On December 16, 2014 9:47:34 AM PST, Mukund Sivaraman wrote:
>Hi Paul
>
>On Tue, Dec 16, 2014 at 09:20:12AM -0800, Paul Vixie wrote:
>> 3 round trips, 7 packets, for an isolated tcp/53 query.
>>
>> s ->
>> <- s+a
>> a ->
>> q ->
>> <- r+a
>> f+a ->
>> <- f+a
>
>It's 2 round tr

Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt

2014-12-16 Thread Evan Hunt
On Tue, Dec 16, 2014 at 10:47:33AM +, Tony Finch wrote:
> That is a good point. Happily I think the draft already makes it hard for
> operators to do that, since an NTA will be automatically removed if its
> zone validates (section 10).

Thank you for pointing this out, Tony; I'd missed it when

Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt

2014-12-16 Thread Warren Kumari
On Mon, Dec 15, 2014 at 9:17 PM, Rubens Kuhl wrote:
>
> My feedback to a possible -01 version is to add something related to not
> consider NTAs for the upper hierarchy of a failed DNSSEC domain. For
> instance, even if I see a good number of .gov domains failed DNSSEC, adding a
> NTA configura

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
Hi Paul

On Tue, Dec 16, 2014 at 09:20:12AM -0800, Paul Vixie wrote:
> 3 round trips, 7 packets, for an isolated tcp/53 query.
>
> s ->
> <- s+a
> a ->
> q ->
> <- r+a
> f+a ->
> <- f+a

It's 2 round trips to get at the data, answer the question. FIN is later.

Mu

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Paul Vixie
> Mukund Sivaraman
> Tuesday, December 16, 2014 9:13 AM
>
> Sorry, TCP also takes 2 RTT similar to UDP with DNS cookies. I had
> included the initial UDP query by mistake, but this won't be involved if
> TCP is directly tried.

3 round trips, 7 packets, for an isolated tcp/5

Re: [DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
On Tue, Dec 16, 2014 at 08:55:12PM +0530, Mukund Sivaraman wrote:
> Given the risk of EDNS payload size related drops from an unknown server
> and extra roundtrips, what are the reasons why this option should be
> used in preference to TCP (that is just 1 RTT longer to get an answer
> from) and has

[DNSOP] Review of draft-ietf-dnsop-cookies-00

2014-12-16 Thread Mukund Sivaraman
Hi all

As a part of DNS fragments drafting (which requires protection against UDP amplification attacks), I reviewed draft-ietf-dnsop-cookies-00. Its use in fragments would be narrow and I mainly read the draft from that point-of-view. The draft describes different types of attacks and the COOKIE

Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt

2014-12-16 Thread Tony Finch
Rubens Kuhl wrote:
>
> My feedback to a possible -01 version is to add something related to not
> consider NTAs for the upper hierarchy of a failed DNSSEC domain. For
> instance, even if I see a good number of .gov domains failed DNSSEC,
> adding a NTA configuration for .gov would not be considere