ATR: Additional Truncated Response for Large DNS Response
draft-song-atr-large-resp-00

Document Type Active Internet-Draft (individual)
Last updated 2017-09-10
Stream (None)
Intended RFC status (None)
Formats plain text xml pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Internet Engineering Task Force                                  L. Song
Internet-Draft                                Beijing Internet Institute
Intended status: Informational                        September 10, 2017
Expires: March 14, 2018

       ATR: Additional Truncated Response for Large DNS Response
                      draft-song-atr-large-resp-00

Abstract

   As the increasing use of DNSSEC and IPv6, there are more public
   evidence and concerns on IPv6 fragmentation issues due to larger DNS
   payloads over IPv6.  This memo introduces an simple improvement on
   authoritative server by replying additional truncated response just
   after the normal large response.

   REMOVE BEFORE PUBLICATION: The source of the document with test
   script is currently placed at GitHub [ATR-Github].  Comments and pull
   request are welcome.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 14, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect

Song                     Expires March 14, 2018                 [Page 1]
Internet-DraftATR: Additional Truncated Response for LargeSeptember 2017

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  EDNS0 and DNS TCP . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The ATR mechanism . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   5.  Author's Commnets . . . . . . . . . . . . . . . . . . . . . .   6
   6.  IANA considerations . . . . . . . . . . . . . . . . . . . . .   6
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   Large DNS response is identified as a issue for a long time.  It has
   been regarded mainly as a issue or limitation on authoritative server
   (delegation) as [I-D.ietf-dnsop-respsize] introduced.  As the
   increasing use of DNSSEC and IPv6, there are more public evidence and
   concerns on resolver's suffering due to packets dropping caused by
   IPv6 fragmentation in DNS.

   It is observed that some IPv6 network devices like firewalls
   intentionally choose to drop the IPv6 packets with fragmentation
   Headers[I-D.taylor-v6ops-fragdrop].  [RFC7872] reported more than 30%
   drop rates for sending fragmented packets.  Regarding IPv6
   fragmentation issue due to larger DNS payloads in response, one
   measurement [IPv6-frag-DNS] reported 37% of endpoints using
   IPv6-capable DNS resolver can not receive a fragmented IPv6 response
   over UDP.

   Some workarounds and short-term solutions are proposed.  One is to
   continue to keep the response within a safe boundary, 512 octets for
   IPv4 and 1232 octets for IPv6 (IPv6 MTU minus IPv6 header and UDP
   header).  It avoids fragmentation, but it requires TCP and UDP
   applications to fit this limitation explicitly.  Currently
   coordination between IP layer and upper layer still do not go well.
   For example the draft [I-D.andrews-tcp-and-ipv6-use-minmtu] viewed it
   as a problem that TCP fails to respect IPV6_USE_MIN_MTU.

   Still, some cases are hard to avoid, for example the coming KSK
   rollover which will produce 1424 octets DNS response containing the
   new key and signature.  To encounter this problem, some root servers
   (A, B, G and J) implemented countermeasures by truncating the
Show full document text