[dns-operations] Cloudflare TYPE65283

Puneet Sood puneets at google.com
Mon Mar 27 22:16:06 UTC 2023


This part of the discussion probably should move to the dnsop wg thread for
the draft. I will send some comments there.

On Mon, Mar 27, 2023 at 5:36 PM Shumon Huque <shuque at gmail.com> wrote:

> On Tue, Mar 28, 2023 at 6:19 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
> wrote:
>
>>
>> A possibly inconvenient question, just to make sure we're not ignoring
>> the obvious sceptical position:
>>
>> * How compelling are compact lies?
>>
>> The reason to ask is that both the original and now modified protocols
>> involve non-trivial complexity, and would have resolvers responding
>> differently to queries with the DO bit set (tell them the truth) vs.
>> queries that don't request validated answers (unmask the lie).
>>
>> The savings vs. actual by-the-book NSEC responses appear to be a 2x
>> reduction in the number of signatures to compute (the SOA RRSIG is
>> presumably easily cached) and a 1.5x reduction in the number of
>> signatures to transmit (SOA + 1 NSEC, vs. SOA + 2 NSEC).
>>
>> Do the CPU and packet size reductions justify the additional protocol
>> complexity?
>>
>
> That's a reasonable question, and perhaps best directed to the originators
> of the scheme at Cloudflare. I don't know if there have been any
> measurement studies or analyses of the cost benefits vs by-the-book DNSSEC.
> There are currently 3 large commercial DNS providers that have had it
> deployed for a while now, so I suspect that it is here to stay.
>
> Note that one other provider (UltraDNS) does support traditional NSEC
> White "Lies" that give by-the-book DNSSEC proofs for NXDOMAIN, so
> apparently they are bearing the additional costs just fine.
>
> One other point -- without the additional rcode substitution schemes under
> discussion, Compact Answers can cause additional work for authority
> servers, since NODATA responses may lead to follow-on queries by DNS client
> applications (e.g. the common AAAA followed by A pattern). So, the
> per-response crypt & size reductions need to also be weighed against the
> cost of these additional queries.
>

The draft should also specify desired behavior for queries for the new
NXNAME RR type at the auth and at the resolver.
>
> Shumon.
>
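To put numbers behind the cost comparison raised above (signatures computed and transmitted for a by-the-book NSEC "white lies" NXDOMAIN proof versus a compact answer) and behind the resolver-side DO-bit distinction, here is an added example; it is not code from this thread, from Cloudflare, or from any DNS implementation. It models the records as plain Python objects, takes the NXNAME sentinel to be the private-use code point TYPE65283 from the subject line, simplifies the RFC 4470 name construction to ASCII labels shorter than 63 octets, and assumes, as Viktor does, that the SOA RRSIG is precomputed and cached.

```python
"""Added example (constructed, not from the thread or any DNS software):
what an authoritative server signs and sends to deny a name under
(a) NSEC "white lies" (two minimally covering NSEC records, RFC 4470) and
(b) a compact answer (one NSEC owned by the query name whose type bitmap
carries the NXNAME sentinel), and how a validating resolver reads the
sentinel back into an NXDOMAIN for a client that did not set DO."""
from dataclasses import dataclass

NXNAME = "TYPE65283"       # private-use code point used for the NXNAME sentinel
SOA_RRSIG_CACHED = True    # assumption from the thread: SOA RRSIG is precomputed


@dataclass(frozen=True)
class NSEC:
    owner: str        # owner name, presentation form with trailing dot
    next_name: str    # "next domain name" field
    types: frozenset  # type bitmap


@dataclass(frozen=True)
class Response:
    rcode: str        # "NXDOMAIN" or "NOERROR"
    nsecs: tuple      # NSEC records in the authority section, one RRSIG each


def immediate_successor(name: str) -> str:
    """RFC 4470 s.3.1.1: the next name in canonical order is the name
    with a single \\000 label prepended."""
    return "\\000." + name


def closest_predecessor(name: str) -> str:
    """RFC 4470 s.3.1.2, simplified to an ASCII first label shorter than
    63 octets: decrement its last octet, then pad with \\255 octets."""
    first, _, rest = name.partition(".")
    if len(first) >= 63:
        raise ValueError("example handles labels shorter than 63 octets only")
    lowered = first[:-1] + chr(ord(first[-1]) - 1)
    pad = "\\255" * (63 - len(first))
    return lowered + pad + "." + rest


def white_lies_nxdomain(qname: str, closest_encloser: str) -> Response:
    """By-the-book proof: one NSEC covering qname and one covering the
    wildcard at the closest encloser, each synthesized and signed."""
    wildcard = "*." + closest_encloser
    covers_name = NSEC(closest_predecessor(qname), immediate_successor(qname),
                       frozenset({"RRSIG", "NSEC"}))
    covers_wild = NSEC(closest_predecessor(wildcard), immediate_successor(wildcard),
                       frozenset({"RRSIG", "NSEC"}))
    return Response("NXDOMAIN", (covers_name, covers_wild))


def compact_nxdomain(qname: str) -> Response:
    """Compact answer: NOERROR plus a single NSEC owned by qname itself.
    The NXNAME bit is what distinguishes it from an empty non-terminal."""
    nsec = NSEC(qname, immediate_successor(qname),
                frozenset({"RRSIG", "NSEC", NXNAME}))
    return Response("NOERROR", (nsec,))


def compact_nodata(qname: str, existing_types: set) -> Response:
    """Compact NODATA: the same single-NSEC shape, bitmap listing real types."""
    nsec = NSEC(qname, immediate_successor(qname),
                frozenset(existing_types) | {"RRSIG", "NSEC"})
    return Response("NOERROR", (nsec,))


def signing_cost(resp: Response) -> dict:
    """Signatures computed vs. transmitted: every NSEC needs a fresh RRSIG,
    the SOA RRSIG is transmitted but (by assumption) served from cache."""
    nsec_sigs = len(resp.nsecs)
    return {"compute": nsec_sigs + (0 if SOA_RRSIG_CACHED else 1),
            "transmit": nsec_sigs + 1}


def resolver_view(resp: Response, qname: str, do_bit: bool) -> str:
    """What a validating resolver concludes and may hand to its client:
    a DO client gets the signed response as-is, a non-DO client can be
    given the plain NXDOMAIN that the sentinel encodes."""
    if resp.rcode == "NXDOMAIN":
        return "NXDOMAIN"
    for n in resp.nsecs:
        if n.owner == qname:
            if NXNAME in n.types:
                return "NOERROR/NSEC-NXNAME" if do_bit else "NXDOMAIN"
            if n.types == frozenset({"RRSIG", "NSEC"}):
                return "NODATA (empty non-terminal)"
            return "NODATA"
    return "UNPROVEN"


if __name__ == "__main__":
    q = "nonexistent.example.com."           # constructed query name
    print("white lies:", signing_cost(white_lies_nxdomain(q, "example.com.")))
    print("compact   :", signing_cost(compact_nxdomain(q)))
    print("non-DO client sees:", resolver_view(compact_nxdomain(q), q, do_bit=False))
```

Running it gives compute 2 / transmit 3 for white lies against compute 1 / transmit 2 for the compact answer, i.e. exactly the 2x and 1.5x reductions quoted above, and shows that the only thing letting a resolver turn the compact NOERROR back into an NXDOMAIN for a non-DO client is the sentinel bit in the bitmap; without it, the record at the query name is indistinguishable from an empty non-terminal.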