[dns-operations] Cloudflare TYPE65283

Shumon Huque shuque at gmail.com
Mon Mar 27 21:34:47 UTC 2023


On Tue, Mar 28, 2023 at 6:19 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

>
> A possibly inconvenient question, just to make sure we're not ignoring
> the obvious sceptical position:
>
> * How compelling are compact lies?
>
> The reason to ask is that both the original and now modified protocols
> involve non-trivial complexity, and would have resolvers responding
> differently to queries with the DO bit set (tell them the truth) vs.
> queries that don't request validated answers (unmask the lie).
>
> The savings vs. actual by-the-book NSEC responses appear to be a 2x
> reduction in the number of signatures to compute (the SOA RRSIG is
> presumably easily cached) and a 1.5x reduction in the number of
> signatures to transmit (SOA + 1 NSEC, vs. SOA + 2 NSEC).
>
> Do the CPU and packet size reductions justify the additional protocol
> complexity?
>

That's a reasonable question, and perhaps best directed to the originators
of the scheme at Cloudflare. I don't know if there have been any
measurement studies or analyses of the cost benefits vs by-the-book DNSSEC.
There are currently 3 large commercial DNS providers that have had it
deployed for a while now, so I suspect that it is here to stay.

Note that one other provider (UltraDNS) does support traditional NSEC White
"Lies" that give by-the-book DNSSEC proofs for NXDOMAIN, so apparently they
are bearing the additional costs just fine.

One other point -- without the additional rcode substitution schemes under
discussion, Compact Answers can cause additional work for authority
servers, since NODATA responses may lead to follow-on queries by DNS client
applications (e.g. the common AAAA followed by A pattern). So, the
per-response crypt & size reductions need to also be weighed against the
cost of these additional queries.

Shumon.
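To make the signature arithmetic in Viktor's question and the follow-on-query caveat in the reply concrete, here is a small model, added here and not part of this thread, of Cloudflare, or of any DNS software. It counts the RRSIGs an online-signing authority computes and transmits for a by-the-book NSEC white-lies NXDOMAIN (SOA + 2 NSEC) versus a Compact Answer (SOA + 1 NSEC returned as NODATA), then runs a stub client that issues AAAA followed by A whenever it sees NODATA. The predecessor-name helper is a simplified stand-in for the RFC 4470 construction, the closest encloser is assumed to be the zone apex, the bitmap marker for the thread's TYPE65283 is an assumption, and the `rcode_substitution` flag models the non-DO NXDOMAIN substitution under discussion.

```python
"""Signature-count model: NSEC white lies vs Compact Answers for a nonexistent
name, including the AAAA-then-A follow-on query. Constructed example; not code
from the thread, Cloudflare or any DNS implementation."""
from dataclasses import dataclass

SOA_RRSIG_CACHED = True       # thread: the SOA RRSIG is presumably cached
NXNAME_MARKER = "TYPE65283"   # type from the thread subject; its role as a
                              # "name does not exist" bitmap marker is assumed


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: tuple


@dataclass
class Response:
    rcode: str            # "NXDOMAIN", or "NOERROR" with empty answer (NODATA)
    signed_rrsets: list   # one RRSIG per entry; either "SOA" or an NSEC

    def sigs_transmitted(self) -> int:
        return len(self.signed_rrsets)

    def sigs_computed(self) -> int:
        # A cached SOA RRSIG costs nothing to produce, only to send.
        return sum(1 for r in self.signed_rrsets
                   if not (SOA_RRSIG_CACHED and r == "SOA"))


def following(name: str) -> str:
    """Name immediately after `name` in canonical order (leading \\000 label)."""
    return "\\000." + name


def predecessor(name: str) -> str:
    """Simplified stand-in for the RFC 4470 predecessor: decrement the last
    octet of the leftmost label and pad it with \\255 octets to 63 bytes."""
    labels = name.split(".")
    first = labels[0]
    labels[0] = first[:-1] + chr(ord(first[-1]) - 1) + "\\255" * (63 - len(first))
    return ".".join(labels)


def white_lies_nxdomain(qname: str, zone: str, do_bit: bool) -> Response:
    """By-the-book NXDOMAIN: NSEC covering qname plus NSEC covering the wildcard
    at the closest encloser (assumed here to be the zone apex)."""
    if not do_bit:
        return Response("NXDOMAIN", [])          # no DNSSEC records requested
    wildcard = "*." + zone
    return Response("NXDOMAIN", [
        "SOA",
        NSEC(predecessor(qname), following(qname), ("RRSIG", "NSEC")),
        NSEC(predecessor(wildcard), following(wildcard), ("RRSIG", "NSEC")),
    ])


def compact_denial(qname: str, zone: str, do_bit: bool,
                   rcode_substitution: bool) -> Response:
    """Compact Answer: a single NSEC owned by qname itself, sent as NODATA.
    For non-DO queries the substitution variant unmasks the lie as NXDOMAIN."""
    if not do_bit:
        return Response("NXDOMAIN" if rcode_substitution else "NOERROR", [])
    return Response("NOERROR", [
        "SOA",
        NSEC(qname, following(qname), ("RRSIG", "NSEC", NXNAME_MARKER)),
    ])


def resolve_host(server, qname: str, zone: str, do_bit: bool) -> dict:
    """Stub client with the common AAAA-then-A pattern: NODATA triggers the
    follow-on query, NXDOMAIN ends the lookup after one query."""
    queries = computed = transmitted = 0
    for _qtype in ("AAAA", "A"):
        resp = server(qname, zone, do_bit)
        queries += 1
        computed += resp.sigs_computed()
        transmitted += resp.sigs_transmitted()
        if resp.rcode == "NXDOMAIN":
            break
    return {"queries": queries, "sigs_computed": computed,
            "sigs_transmitted": transmitted}


def compare(qname: str, zone: str) -> dict:
    """Per-resolution cost of each scheme for one nonexistent hostname."""
    plain = lambda q, z, do: compact_denial(q, z, do, rcode_substitution=False)
    subst = lambda q, z, do: compact_denial(q, z, do, rcode_substitution=True)
    return {
        "white_lies": resolve_host(white_lies_nxdomain, qname, zone, do_bit=True),
        "compact": resolve_host(plain, qname, zone, do_bit=True),
        "compact_no_do_plain": resolve_host(plain, qname, zone, do_bit=False),
        "compact_no_do_substituted": resolve_host(subst, qname, zone, do_bit=False),
    }


if __name__ == "__main__":
    for scheme, cost in compare("nope.example.com", "example.com").items():
        print(f"{scheme:28s} {cost}")
```

Per response the model reproduces the ratios in the question (2 vs 1 signatures computed, 3 vs 2 transmitted), but per resolution the AAAA-then-A client erases the compute saving (2 vs 2) and sends more signature bytes overall (3 vs 4), which is the follow-on-query cost the reply points at; the non-DO substitution variant avoids the second query entirely.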