[dns-operations] hard data on signed, truncated priming queries

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Dec 14 21:41:40 UTC 2009


On Mon, Dec 14, 2009 at 02:53:21PM -0600, Jorge Amodio wrote:
> > Your earlier message to this list said a double-digit percentage of the
> > priming queries that go to B will hit truncation problems if/when the server
> > gets the signed root. Now you're saying this finding is based on
> > *projections* from traffic analysis from an ICANN root server testbed. Can
> > you please help to clear up my confusion by answering the following
> > questions?
> >
> > [1] Where has this data and analysis been published?
> 
> There is some information  and analysis at
> https://st.icann.org/data/workspaces/new-gtld-overarching-issues/attachments/security_and_stability_root_zone_scaling:20091007230946-0-13722/original/root-zone-augementation-analysis-17sep09-en.pdf
> 
> Chapter 6.
> 
> Jorge.
> _______________________________________________

Jorge/Jim,
	about 14% of the priming queries that hit "B" set DO=1/BUFSIZ=512.
	presuming David Conrads public statement that the response size in
	their testbed was just under 1800 bytes leads me to project problems.

	Even Matts note about a response size of 800ish bytes would seem to be
	problematic - given the behaviours of middleboxen.

	the "wild-card" here is fragmentation... what happens when EDNS is enabled
	and fragmentation occurs... Few middlebox devices seem to deal well with
	UDP fragments.

	Then we have TCP as the failover... 

my short list...


http://labs.ripe.net/content/preparing-k-root-signed-root-zone
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
http://www.sanog.org/resources/sanog14/sanog14-gaurab-edns.pdf
http://www.icann.org/en/committees/security/sac035.pd
https://www.dns-oarc.net/oarc/services/replysizetest
https://st.icann.org/data/workspaces/new-gtld-overarching-issues/attachments/security_and_stability_root_zone_scaling:20091007230946-0-13722/original/root-zone-augementation/analysis-17sep09-en.pdf
https://www.dns-oarc.net/files/workshop-200911/Duane_Wessels.pdf

and the aformentioned SSAC35 report.

clearly some people think there are real issues but either want to make light of them or
presume that tweeks at one side or the other is going to work...  


I posit three possible outcomes:

a) authoritative server operators take a hardline and ignore middlebox assumptions.
b) authoritative server operators take the pacifist line and jump through hoops to cram
	the enough "correct" data into a 512byte UDP datagram 
c) we wait - again - for decent crypto to save us - According to Bellovin, we could prolly
	get by with EC in such a small package.


all of these have multiyear, long-tail failure modes.  a) pushes the cost to the edge, b) is
a fundamental change in DNS behavour and pushes the cost to the core, and c) ... looks like 
DNSSEC over the last 18 years or so...  

if you had to choose, where would you go?

--bill



More information about the dns-operations mailing list