[dns-operations] hard data on signed, truncated priming queries

Mark Andrews marka at isc.org
Mon Dec 14 22:52:52 UTC 2009


In message <20091214214140.GB26106 at vacation.karoshi.com.>, bmanning at vacation.karoshi.com writes:
> On Mon, Dec 14, 2009 at 02:53:21PM -0600, Jorge Amodio wrote:
> > > Your earlier message to this list said a double-digit percentage of the
> > > priming queries that go to B will hit truncation problems if/when the server
> > > gets the signed root. Now you're saying this finding is based on
> > > *projections* from traffic analysis from an ICANN root server testbed. Can
> > > you please help to clear up my confusion by answering the following
> > > questions?
> > >
> > > [1] Where has this data and analysis been published?
> > 
> > There is some information and analysis at
> > https://st.icann.org/data/workspaces/new-gtld-overarching-issues/attachments/security_and_stability_root_zone_scaling:20091007230946-0-13722/original/root-zone-augementation-analysis-17sep09-en.pdf
> > 
> > Chapter 6.
> > 
> > Jorge.
> 
> Jorge/Jim,
> 	about 14% of the priming queries that hit "B" set DO=1/BUFSIZ=512.
> 	presuming David Conrad's public statement that the response size in
> 	their testbed was just under 1800 bytes leads me to project problems.

You mean an answer that looks like this?  You will get more UDP
queries for root server addresses than you do with an unsigned zone.
You won't, however, go dark.  This simulation was done with the
proposed key sizes for signing the root.

; <<>> DiG 9.3.6-P1 <<>> ns . +dnssec +bufsize=512 +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60950
;; flags: qr aa ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 8

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.
.			518400	IN	NS	H.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	RRSIG	NS 8 0 518400 20091224105644 20091124105644 7695 . Lxi6tYY3PO6Tw/ySjuVIe62CqZcX39W1+vFsROp8Jv++zolNinueomPA DO2+iVelapCnA0Po39A4gvqOxuz5xT2oLW+g8v7Ty4pzOdsVTxJPgz7g 1L0e2ThazKZ1Yd0BVGRvwY3LQkI5hGRlJ1BfsXacSEUK3jjqw4E86XQU VF8=

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
B.ROOT-SERVERS.NET.	3600000	IN	A	192.228.79.201
C.ROOT-SERVERS.NET.	3600000	IN	A	192.33.4.12
D.ROOT-SERVERS.NET.	3600000	IN	A	128.8.10.90
E.ROOT-SERVERS.NET.	3600000	IN	A	192.203.230.10
F.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
G.ROOT-SERVERS.NET.	3600000	IN	A	192.112.36.4

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 15 09:40:37 2009
;; MSG SIZE  rcvd: 509

A COM referral will look like this.

; <<>> DiG 9.3.6-P1 <<>> foo.com +norec +dnssec +bufsize=512
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3163
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;foo.com.			IN	A

;; AUTHORITY SECTION:
com.			172800	IN	NS	M.GTLD-SERVERS.NET.
com.			172800	IN	NS	K.GTLD-SERVERS.NET.
com.			172800	IN	NS	F.GTLD-SERVERS.NET.
com.			172800	IN	NS	H.GTLD-SERVERS.NET.
com.			172800	IN	NS	L.GTLD-SERVERS.NET.
com.			172800	IN	NS	A.GTLD-SERVERS.NET.
com.			172800	IN	NS	D.GTLD-SERVERS.NET.
com.			172800	IN	NS	B.GTLD-SERVERS.NET.
com.			172800	IN	NS	C.GTLD-SERVERS.NET.
com.			172800	IN	NS	I.GTLD-SERVERS.NET.
com.			172800	IN	NS	J.GTLD-SERVERS.NET.
com.			172800	IN	NS	E.GTLD-SERVERS.NET.
com.			172800	IN	NS	G.GTLD-SERVERS.NET.
com.			86400	IN	NSEC	COOP. NS RRSIG NSEC
com.			86400	IN	RRSIG	NSEC 8 1 86400 20091224105644 20091124105644 7695 . mD+hT9fJayROupad4tLnr+626h0Ru+zooTx3tRvUdzhHhbOVqJOw84EN c5zLzk4FafYzROb1Hd4w4nYlTlrcmGQUGh0HRUQzkR1lHdU2sIais5Eq 9JPkr3n4p400ya33tGW+tmbS8FnCI0bVSprzRCiXnJyFF0IN3GCCGxTR sbQ=

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.	172800	IN	A	192.5.6.30
B.GTLD-SERVERS.NET.	172800	IN	A	192.33.14.30
C.GTLD-SERVERS.NET.	172800	IN	A	192.26.92.30
D.GTLD-SERVERS.NET.	172800	IN	A	192.31.80.30

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 15 09:35:06 2009
;; MSG SIZE  rcvd: 509

With root-servers.net also signed, using similar key sizes to those proposed
for the root, the full priming response will be something like this.

; <<>> DiG 9.7.0rc1 <<>> ns . +dnssec +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28894
;; flags: qr aa ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 39

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.
.			518400	IN	NS	H.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	RRSIG	NS 8 0 518400 20091224105644 20091124105644 7695 . Lxi6tYY3PO6Tw/ySjuVIe62CqZcX39W1+vFsROp8Jv++zolNinueomPA DO2+iVelapCnA0Po39A4gvqOxuz5xT2oLW+g8v7Ty4pzOdsVTxJPgz7g 1L0e2ThazKZ1Yd0BVGRvwY3LQkI5hGRlJ1BfsXacSEUK3jjqw4E86XQU VF8=

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
B.ROOT-SERVERS.NET.	3600000	IN	A	192.228.79.201
C.ROOT-SERVERS.NET.	3600000	IN	A	192.33.4.12
D.ROOT-SERVERS.NET.	3600000	IN	A	128.8.10.90
E.ROOT-SERVERS.NET.	3600000	IN	A	192.203.230.10
F.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
G.ROOT-SERVERS.NET.	3600000	IN	A	192.112.36.4
H.ROOT-SERVERS.NET.	3600000	IN	A	128.63.2.53
I.ROOT-SERVERS.NET.	3600000	IN	A	192.36.148.17
J.ROOT-SERVERS.NET.	3600000	IN	A	192.58.128.30
K.ROOT-SERVERS.NET.	3600000	IN	A	193.0.14.129
L.ROOT-SERVERS.NET.	3600000	IN	A	199.7.83.42
M.ROOT-SERVERS.NET.	3600000	IN	A	202.12.27.33
A.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:ba3e::2:30
F.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:2f::f
H.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:1::803f:235
J.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:c27::2:30
K.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:7fd::1
L.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:3::42
M.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:dc3::35
A.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. jtdU34SSLAuvS7a2MrUYUx0j1X77kSqR7mVbWGSXXxaiEuDLkCDrmyji iC9XHBD5g/XHCZXWfFdnCa1of8T+4ZTqLqDCqgMceZtwp9S7vrxt8PG+ teFvixNZxahQ5F2MVx9EMCHA1+gSv27cmfE11RtqGeftWkbYzBiSDLfp 4Dc=
A.ROOT-SERVERS.NET.	2592000	IN	RRSIG	AAAA 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. bDugC091WSfKgfu/HneClPMYCfyIMChqbjAL4jqKX7oesfQn6L5LbjJv Ct+phwfw1vkmDi6ej+9FepJ/bscE9AiLP3Tz/46VndC8wGi0jmwnLpHL EqiXUyIATZTcTTUxDgQbzhdyTn78ErzLcCE2JY/LxHz67y/BAHqXM8L9 xO8=
B.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. U8nnbi2d8wjsXCnAMYiu9hh1sTKVrrTlFxkX1+JyBbPY2rLU/HwFzLye 1yDgdTbW9dxgx01Zp3mu+la4SDTSZdQh+6R741bvsz5GjNbocHSE8rJk IFAKKcMx6nS6CWORY1Z/FIjll//ZnixurrZeVvWPV0XPn6eljLGYa9hH CrA=
C.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. G7PVgSxxCh68+4Z5kSA9BZGRSpqdr5wQ9fym16phWxtWQsM+lt0urATA 92Sfb63SbKBtG2DINmpIkvvKOcP/0l6rFEdIeCXFQ9HxfDInAPVtR+Yt 59QoSQ4BGm2kU+jReUjJS7Vc8WLXZScZOMbBL1yFiw+5mPk38IPju72+ 1rA=
D.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. DvfI8/LBZkwd9rArUpnEQrn5gJYlbbujkNXeJJIOwp5fAhzzbDiMrcKf rQIT+gBxFpHwoI2KQcyf6JLHYPl5LacPnzUkft/Papc7DmH6WU713V6S JStUuvtGsd3ttw9j0Ni/HDphWAjWwIFbpyQQ/X37dbPGROtV31H0hA4s M0Q=
E.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. p0SiAhtf1GZ86lJVuOmx3rp7r35ya/h9cXEeRDGvIhN/BJYBoCCw7w2z 3JZ9dQr6804eqDV+yBUn6JcRjdSWYNhfGy1lt2TdtoToCykNwjYh8OUy 2o4toaz4opV1yWLDIRCDVM3Q1skAXDHjvSwnANqc4zxiCZK1DnhOuPFL oiA=
F.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. Ad8z+fhOk1DxUGNrPHtpTZEHBrTsdAmMYtL6OgmEaNYpM4WdX78KdZ3O +BjpmyKY/U2ReKXsj/DZHnuy48HG7QXiYGP4hV+P8JF5VGWzPX+tI94v /8dxg/Y1++gTjEJpiEMACEgdZJgi9t9RCutDbXJ0Jj0Hzt0BuuwoX5mO Lrg=
F.ROOT-SERVERS.NET.	2592000	IN	RRSIG	AAAA 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. ahhssdgbC7mJfJSRfQE4rA2NWg+5dQEE8BykZXdMMC2myx8z+gVlnwLZ lhOsJ7FE+4foyeuvqwrjj26nM+IxUr1dUcZaz5AGWVSP9Y17q8BZoR7F A+PaDGKJ1H40RYEkhZPTJPCM4q1fBvmx6ur0FT6RZ6No0NwTR2Bb8gzQ a5Y=
G.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. YMQk1kkikylxHJoSglDobrVoBG89YHDCnmOSZLTn+sDIkXYcMHc3JE7+ HOXX57cOw1lKRri3hJoEGSAn1ez5DeZ8+hEvmkPERBJFNudxS/2AoqnI O2TLFjRjtpKWV9ejUCCBCAehUyAjgxrPc0nVBIaqgNfj/M4//i7MWfxc eb4=
H.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. KSRfcH9xNZUKJ7Bviv6Ow+W4LmvD8aJcOyKJae9Fany8dcZQvQxBjM3o ZViK4/HUwXLbPYUQp2qzgBvgr8sOZZUiewpBAMW0NVLykXcM/dMEABxT Sb/x6lFPoQMJ867zIZfPVVtd2DznDJs6iFHncC422JZClj9rH7f0Bzh2 ZRM=
H.ROOT-SERVERS.NET.	2592000	IN	RRSIG	AAAA 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. t6NwP+Ofis8j4Gr7hkXi+iPDQlzY4b+Q7ThDp19e0b0SuQ+wg0D1CLJC 1rs9wZkQa1aaDidpa1fa+DUiG7mnqlVB3o+Gnq8kdKvgRl+InV3SSCSm 3yZ33LMbTjZcj3WcM8x9cacZlVyDPmqlrJsF2Gtb9jBPjDEXAaGqKXaL IU4=
I.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. JlmzmC5PR8Z4GGmaAPg/g6mpuOcy+H/jfsLgTnr6+DRnGhxxFTPAT8VG 18DPJSD/kKwVrfh3owhId/3nqfRjRQ1s3UPWFlttV9bp0ZesSJC+vjNP AXgbgd/kQHUqXHigoTr2/A+OuwXjrDTbUJBjV/k1qIHl1AinaSXt42R5 BMw=
J.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. RyCJIQ9bSI3nqXERAbhj8VUDVAIqxzdA3dZc83NiDf8ttmKq65+Wc0zi fiFkaDQVBNqIytq11tfFqRUK3etNN09RA2vaz81akl1LgUXj13VBGHtT mDQqxB802L3wa75CcOJmDmHES0IfWPL//n7y/mwB4S83iSseL9wm1bP5 4fk=
J.ROOT-SERVERS.NET.	2592000	IN	RRSIG	AAAA 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. cpLV1148li8AOxxPWt2zVyOl5BmlvU0RqpfxFfTKazubZ/4NrO5qCfqm vNwsBthAiLSeqaUrvKQQbJwSmtBszMWCb2u/vF6u4cBV5u+qzOxuhB6c C/ch4nJD6ZCPF1h/A4BmBEaVag40NL6hw03IbMLGlNWyW+V0GwSf0LXv I0w=
K.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. ubntkbiyT9wdZrldYsNU1D5n1rgFArpLF1pG+NpFMy7uoJ1MKQd/SsYN gHkkHxf6PRDSAcBrb8OvvUYFuvf5Mt9rGk1uQfmw91iiwFrRcj2zDXIp iHQbWJUppSpzLhIOYA9B5Qo7NUXsi/DRSSzWiDHhPk09idMZj2eHrG3E U4w=
K.ROOT-SERVERS.NET.	2592000	IN	RRSIG	AAAA 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. WDFVZC4TzTjswaAVX8IGbHoNH+Aj6a1kFjHpXSVsHxDh+4kwwuE3gNMa Pgpwq9zvomXSXszDnTGI/8LJ4NyUP2OQrfbI0jJ+szHl7I4Zmw/96Czh 8OAVoGWHQG1BJm7aFHCdIK2C7SEf3bGFS2LxLVCdEweN2f/4snwFDBPj V+Y=
L.ROOT-SERVERS.NET.	2592000	IN	RRSIG	A 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. YOoQn2IZQyCkm8RkFfyQRcYVW7IucoG3LaVO3A9m+/kUV6eB3bjefKoS 4DBUgZdJ5V/r4cmhl98TLaulZWkmAkwHJZioZ2tzrpDDC+nttfEoBK2e yzxIxdURqspH3DL0G0JfsPFraVVc+J8DQ+CMtKj5cBqcGj9wBVtoikmQ 9X4=
L.ROOT-SERVERS.NET.	2592000	IN	RRSIG	AAAA 8 3 3600000 20091224110954 20091124110954 6663 root-servers.net. T2IgCfDvojO8hmUXumX+8Db4PENvEQX92I49taoszqT4zZmSXK0ut/KR /cYNenQyZGo91OUKIOBkvX2avS6QxiYIsvrjq7A3OyxksbWc9jNdi2MK 89M0barm+nQYYry3pV1UpjQsszfymfWm8c9DYra5aSIR7YZBHLUKFWnW dHo=

;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 15 09:45:46 2009
;; MSG SIZE  rcvd: 3969

> 	Even Matts note about a response size of 800ish bytes would seem to be
> 	problematic - given the behaviours of middleboxen.
> 
> 	the "wild-card" here is fragmentation... what happens when EDNS is enabled
> 	and fragmentation occurs... Few middlebox devices seem to deal well with
> 	UDP fragments.

Actually most middle boxes handle fragmentation fine when you direct
queries through them rather than to them.  Firewalls that drop all
fragments are a problem but most NAT boxes will let them through.
 
> 	Then we have TCP as the failover... 
> 
> my short list...
> 
> 
> http://labs.ripe.net/content/preparing-k-root-signed-root-zone
> http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
> http://www.sanog.org/resources/sanog14/sanog14-gaurab-edns.pdf
> http://www.icann.org/en/committees/security/sac035.pd
> https://www.dns-oarc.net/oarc/services/replysizetest
> https://st.icann.org/data/workspaces/new-gtld-overarching-issues/attachments/security_and_stability_root_zone_scaling:20091007230946-0-13722/original/root-zone-augementation/analysis-17sep09-en.pdf
> https://www.dns-oarc.net/files/workshop-200911/Duane_Wessels.pdf
> 
> and the aforementioned SSAC35 report.
> 
> clearly some people think there are real issues but either want to make light of them or
> presume that tweaks at one side or the other are going to work...  
> 
> 
> I posit three possible outcomes:
> 
> a) authoritative server operators take a hardline and ignore middlebox assumptions.
> b) authoritative server operators take the pacifist line and jump through hoops to cram
> 	enough "correct" data into a 512byte UDP datagram 
> c) we wait - again - for decent crypto to save us - According to Bellovin, we could prolly
> 	get by with EC in such a small package.
> 
> 
> all of these have multiyear, long-tail failure modes.  a) pushes the cost to the edge, b) is
> a fundamental change in DNS behaviour and pushes the cost to the core, and c) ... looks like 
> DNSSEC over the last 18 years or so...  
> 
> if you had to choose, where would you go?
> 
> --bill
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
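As an added illustration (not code from Mark's message, from BIND, or from any root operator; the function names are my own), the model below rebuilds the first and third dig replies above in wire format with name compression and fills them into a given EDNS buffer the way those replies show: the whole NS set plus its 128-byte RRSIG goes in first, then only as much glue as still fits, with no TC bit for dropped glue. At bufsize 512 it lands on the same 509 bytes with 7 A records, and at 4096, before root-servers.net itself is signed, on 801 bytes; the signature bytes and RRSIG timestamps are zero placeholders.

```python
import socket
import struct

# Constructed sample input: the root NS set and glue shown in the priming replies above.
GLUE_A = dict(zip("ABCDEFGHIJKLM", """198.41.0.4 192.228.79.201 192.33.4.12 128.8.10.90
    192.203.230.10 192.5.5.241 192.112.36.4 128.63.2.53 192.36.148.17 192.58.128.30
    193.0.14.129 199.7.83.42 202.12.27.33""".split()))
GLUE_AAAA = dict(zip("AFHJKLM", """2001:503:ba3e::2:30 2001:500:2f::f 2001:500:1::803f:235
    2001:503:c27::2:30 2001:7fd::1 2001:500:3::42 2001:dc3::35""".split()))

def encode_name(name, msg, comp):
    """Wire-encode a name, emitting an RFC 1035 pointer for any suffix already in msg."""
    labels, out = [l for l in name.rstrip(".").split(".") if l], b""
    while labels:
        suffix = ".".join(labels)
        if suffix in comp:
            return out + struct.pack("!H", 0xC000 | comp[suffix])
        comp[suffix] = len(msg) + len(out)          # offset this suffix will occupy
        out, labels = out + bytes([len(labels[0])]) + labels[0].encode(), labels[1:]
    return out + b"\x00"

def add_rr(msg, comp, owner, rtype, ttl, rdata):
    """Append one IN RR; a str rdata is a domain name (NS) and is compressed as well."""
    out = msg + encode_name(owner, msg, comp)
    if isinstance(rdata, str):
        rdata = encode_name(rdata, out + b"\x00" * 10, comp)   # 10 = type/class/ttl/rdlen
    return out + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_priming_response(bufsize, sig_len=128):
    """Fill a signed '. IN NS' reply into bufsize bytes: whole answer (else TC=1), then glue."""
    comp, msg = {}, b"\x00" * 12 + b"\x00\x00\x02\x00\x01"   # blank header + question ". IN NS"
    limit, tc, count = bufsize - 11, False, [0, 1]           # 11 bytes kept for OPT (in ARCOUNT)
    rrsig = struct.pack("!HBBIIIH", 2, 8, 0, 518400, 0, 0, 7695) + b"\x00" + b"\x00" * sig_len
    answer = [(".", 2, 518400, f"{c}.ROOT-SERVERS.NET.") for c in GLUE_A] + [(".", 46, 518400, rrsig)]
    glue = [(f"{c}.ROOT-SERVERS.NET.", t, 3600000, socket.inet_pton(af, ip))
            for t, af, d in ((1, socket.AF_INET, GLUE_A), (28, socket.AF_INET6, GLUE_AAAA))
            for c, ip in d.items()]
    for is_answer, rrs in ((True, answer), (False, glue)):
        for rr in ([] if tc else rrs):            # nothing is added after truncation
            trial = dict(comp)
            cand = add_rr(msg, trial, *rr)
            if len(cand) > limit:                 # omitted answer data must be flagged (RFC 2181 s9);
                tc = tc or is_answer              # omitted glue is not: the resolver re-queries it
                break
            msg, comp = cand, trial
            count[0 if is_answer else 1] += 1
    flags = 0x8400 | (0x0200 if tc else 0)        # QR, AA, plus TC when set
    msg = struct.pack("!HHHHHH", 0, flags, 1, count[0], 0, count[1]) + msg[12:]
    msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)   # OPT RR: udp 4096, DO bit
    return {"size": len(msg), "tc": tc, "ancount": count[0], "arcount": count[1]}
```

The arcount returned includes the OPT record, matching how dig reports ADDITIONAL in the replies above.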