Re: [DNSOP] EDNS0, the DO bit and acceptance of responses [Re: A different question]

[Mark Andrews]

> One other issue around DO is that it was introduced to signal "understanding"
> of DNSSEC as per RFC 2535.  The reaction of hypothetical 2535 only
> resolvers to DNSSECbis responses is to be explored.  I vaguely remember that
> we've had this discussion of versioning the DO "bit".

It's not a issue with BIND 9.1 or BIND 9.2.  They will just
ignore the DNSSEC-4035 records.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] EDNS0, the DO bit and acceptance of responses [Re: A different question]

[Peter Koch]

On Wed, Aug 20, 2008 at 04:06:05PM -0700, David Conrad wrote:

> - if the advertised EDNS0 buffer size is not large enough, it will  
> trigger truncation and, as a result, an increase in the number of TCP  
> sessions going to the root.

assumed that it's reasonable to focus on referrals and NXDOMAIN responses
only, we'd usually see a DS and RRSIG(DS) or an NSEC plus RRSIG(NSEC) for
the former and two NSECs plus two RRSIG(NSEC) for the latter.
As per RFC 3226 (or 4035, section 6), the resolver sending DO is expected
to support at least 1220 octet responses.
Hard data on the advertized sizes for both DO and "EDNS, but not DO" would
be helpful.

> - if the advertised EDNS0 buffer size is large enough, but the network  
> MTU is too small, fragmentation will occur which may cause the  
> response to be dropped (for a variety of reasons).

Since, as Mark has pointed out, EDNS is used in many queries today, resulting
in referral responses larger than 512, this problem should have been faced
even without DNSSEC (or DO inparticular) involved.  Again, measurement data
showing the response size distributions for root name servers would be helpful.

> - if there are middle boxes in the way that do stupid things (e.g.,  
> disallow DNS over TCP), those middle boxes will likely drop the larger  
> responses.

Much of this has already been initiated by resolvers using EDNS (with sizes
> 512 octets) and either large referrals or  RRs in priming responses.
The remaining risk is that DNSSEC responses would increase the size above
some critical value that doesn't regularily appear today.

> The concern I see (that I had hoped would be avoided by DO being set  
> to 1 only when the caching server administrator had explicitly  
> configured DNSSEC awareness) is that folks who are blissfully unaware  

DO can only signal from the resolver to the server, but for responses to
reach the resolver, anything in the way must also leave "larger packets"
alone.
One other issue around DO is that it was introduced to signal "understanding"
of DNSSEC as per RFC 2535.  The reaction of hypothetical 2535 only
resolvers to DNSSECbis responses is to be explored.  I vaguely remember that
we've had this discussion of versioning the DO "bit".

-Peter
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop