Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-kasp-00.txt

2014-07-28 Thread Jerry Lundström
On mån, 2014-07-28 at 18:06 +0200, 神明達哉 wrote: > At Mon, 28 Jul 2014 10:17:51 +0200, > Matthijs Mekking wrote: > > > YANG is not used as an example. It is used here as the *modeling* > > language for the policy. XML is an example *markup* language that can be > > used to write down the policy. >

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Mark Andrews
In message <53d734ea.3010...@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes: > Tony Finch wrote: > > > BIND 9.10 changes the first state to do variable-size probing: it > > will try 512, 1232, 1432, and 4096, starting at the bottom and > > working up and down depending on what works. The middl

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Masataka Ohta
David Conrad wrote: >> The IPv6 net has decreed “No, really, FRAGMENTS DO NOT WORK”. > > This could be a bit of an issue when the DNSSEC root key is rolled. It is not, if separate RR types are used for different set of authentication algorithms and, during roll over, separate RR types are used f

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Masataka Ohta
Tony Finch wrote: > BIND 9.10 changes the first state to do variable-size probing: it > will try 512, 1232, 1432, and 4096, starting at the bottom and > working up and down depending on what works. The middle numbers come > from the minimum IPv6 MTU minus space for headers, and the ethernet > MTU

Re: [DNSOP] Irony.

2014-07-28 Thread David Conrad
Oops. Mailer problems and obviously misdirected... (intended to be sent to someone with whom I worked on the name collision stuff :)) Sincere apologies. Regards, -drc On Jul 28, 2014, at 3:34 PM, Casey Deccio wrote: > I have to admit I have struggled to not respond to Casey (who works for VRS

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Casey Deccio
On Mon, Jul 28, 2014 at 10:05 AM, David Conrad wrote: > Hi, > > On Jul 28, 2014, at 5:48 AM, Nicholas Weaver > wrote: > > The IPv6 net has decreed “No, really, FRAGMENTS DO NOT WORK”. > > This could be a bit of an issue when the DNSSEC root key is rolled. Could > someone point me to a writeup an

Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-kasp-00.txt

2014-07-28 Thread 神明達哉
At Mon, 28 Jul 2014 10:17:51 +0200, Matthijs Mekking wrote: > >> I have just one very minor comment at this moment. While the draft > >> says in Section 1.2 as follows: > >> > >>A key and signing policy can be expressed in any format. This > >>document uses XML as example. > >> > >> the

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Stephane Bortzmeyer
On Mon, Jul 28, 2014 at 08:52:06AM -0400, Fernando Gont wrote a message of 60 lines which said: > Just curious: How do you check that the UDP-based DNS replies > actually get to the node that sent the query? 1) Because, otherwise, we would see retransmissions by the client. 2) Because we tes

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Tony Finch
David Conrad wrote: > On Jul 28, 2014, at 5:48 AM, Nicholas Weaver > wrote: > > > The solution is to detect and fallback on EDNS0 MTU to retry at 1400B > > first (rather than directly down to 512b), and properly handle > > truncation. > > How many shipping resolvers actually do this? I don't kn

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread David Conrad
Hi, On Jul 28, 2014, at 5:48 AM, Nicholas Weaver wrote: > The IPv6 net has decreed “No, really, FRAGMENTS DO NOT WORK”. This could be a bit of an issue when the DNSSEC root key is rolled. Could someone point me to a writeup and/or data as to how we know the above decree? (I'm not disagreeing,

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Fernando Gont
On 07/28/2014 08:48 AM, Nicholas Weaver wrote: >> >> There are many good reasons to use TCP but, in that case, I do not >> see why we need it. First, IPv6 users typically don't use >> extension headers and, second, if the problem is in IP, why would >> changing from UDP to TCP work? > > Because t

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Fernando Gont
Hi, Stephane, Thanks so much for your prompt response. Comments in-line... On 07/28/2014 08:42 AM, Stephane Bortzmeyer wrote: >> This essentially raises the question of "What's the plan for >> transporting DNS queries/responses in IPv6?" > > Why do we need a plan? We serve DNS over IPv6 for now

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Nicholas Weaver
On Jul 28, 2014, at 8:42 AM, Stephane Bortzmeyer wrote: >> Quite a few folks usually argue "oh, that's simple: we'll use TCP", > > There are many good reasons to use TCP but, in that case, I do not see > why we need it. First, IPv6 users typically don't use extension > headers and, second, if th

Re: [DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Stephane Bortzmeyer
On Mon, Jul 28, 2014 at 08:24:59AM -0400, Fernando Gont wrote a message of 43 lines which said: > The packet drop rates range from 10% to over 50%, depending on the > dataset Annoying. > This essentially raises the question of "What's the plan for > transporting DNS queries/responses in IPv

[DNSOP] DNS, fragmentation, and IPv6 extension headers

2014-07-28 Thread Fernando Gont
Folks, (Apologies if this has been debated to death already). At the last IEPG meeting we presented some results regarding the filtering of packets that employ IPv6 extension headers (please see: ). The packet

Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-kasp-00.txt

2014-07-28 Thread Matthijs Mekking
On 07/28/2014 07:55 AM, Jerry Lundström wrote: > Hi, > > On fre, 2014-07-25 at 19:07 +0200, 神明達哉 wrote: > >> I have just one very minor comment at this moment. While the draft >> says in Section 1.2 as follows: >> >>A key and signing policy can be expressed in any format. This >>documen