From fanf2@hermes.cam.ac.uk Wed Dec 18 04:18:09 2013 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4E421ADF5B for ; Wed, 18 Dec 2013 04:18:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.262 X-Spam-Level: X-Spam-Status: No, score=0.262 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.538] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kD3GLSqZq6On for ; Wed, 18 Dec 2013 04:18:07 -0800 (PST) Received: from ppsw-52.csi.cam.ac.uk (ppsw-52.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f52]) by ietfa.amsl.com (Postfix) with ESMTP id 913991ACCDF for ; Wed, 18 Dec 2013 04:18:07 -0800 (PST) X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/ Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:45395) by ppsw-52.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.158]:25) with esmtpa (EXTERNAL:fanf2) id 1VtG4j-0002Rp-Dh (Exim 4.82_3-c0e5623) for dnsext@ietf.org (return-path ); Wed, 18 Dec 2013 12:18:05 +0000 Received: from fanf2 by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1VtG4j-0000LW-6K (Exim 4.72) for dnsext@ietf.org (return-path ); Wed, 18 Dec 2013 12:18:05 +0000 Date: Wed, 18 Dec 2013 12:18:05 +0000 From: Tony Finch X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk To: dnsext@ietf.org Message-ID: User-Agent: Alpine 2.00 (LSU 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Tony Finch Subject: [dnsext] Support for 1RTT multi-queries over TCP (or lack thereof) X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Dec 2013 12:18:10 -0000 I saw a message to the unbound-users list which says unbound processes TCP queries sequentially. http://unbound.nlnetlabs.nl/pipermail/unbound-users/2013-December/003096.html I thought this was disappointingly poor, especially wrt the recent discussion about backwards-compatible alternatives to edns-chain-query. So I did a quick test to see if BIND has the same problem. I shoved a few entries from the Alexa Top 1 Million list into adns as follows. $ sed 's|^[0-9]*,||;s|/.*||' top-1m.csv | head -100 | adnshost --cname-loose --asynch --pipe Over UDP you can clearly see the response serial numbers are out-of-order, and the whole thing runs in about 3 seconds with a cold cache. If I add --tcp to the adnshost command line the responses come back strictly in order and BIND processes them one at a time. Processing all the queries takes more than 30 seconds, so adns times out before getting responses to the last 25 queries. (When you invoke adnshost like this it does not by itself do anything to limit the number of outstanding queries.) In addition to that, named fails to notice that the TCP socket has gone away and continues to process queries. (I will report this as a bug.) So that is doubly disappointing. Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first. From rwfranks@gmail.com Thu Dec 19 05:22:33 2013 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23D201ADBD7 for ; Thu, 19 Dec 2013 05:22:33 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.277 X-Spam-Level: X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cJ89oMevJG4Q for ; Thu, 19 Dec 2013 05:22:31 -0800 (PST) Received: from mail-ie0-x229.google.com (mail-ie0-x229.google.com [IPv6:2607:f8b0:4001:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id 4ED441ADBD3 for ; Thu, 19 Dec 2013 05:22:31 -0800 (PST) Received: by mail-ie0-f169.google.com with SMTP id e14so1293968iej.0 for ; Thu, 19 Dec 2013 05:22:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=/r5IxLGcG/zTXLu7t3cmVbPLxaodTahw7fkHKpB8WpA=; b=jwls6oo3vRsQxYuZXoSTJ737ymWIEv/esWf0e5iS9ya9rVuPY0SJQER3EK6JkdgSPI zgzs45MpQNt/7SNFNcMznXSJWZGPPMcI9oYl9c4ZHq3BahmVLc7UOc6eDmDYyCv9FZ4l 63sSe23gPKgCnzbdnYh89TVVxlsI55+VyFmyY0g0XzWyVNARzoXSYjNElqowCsMQgjOL BpThxzEcXRTQlctABgTLI5+QMBicLyIGU9KsKkdlxwC93djKe12u2arSXuSnUvL69Lgu btNzu+DpHwHANSL5SCVB+AHzPnuW7dL+qLwsoZt5f9dsFhkg5IWpi7A/IQ2ceyaiD+Cg CkLg== X-Received: by 10.43.51.65 with SMTP id vh1mr1031912icb.24.1387459349190; Thu, 19 Dec 2013 05:22:29 -0800 (PST) MIME-Version: 1.0 Sender: rwfranks@gmail.com Received: by 10.64.17.98 with HTTP; Thu, 19 Dec 2013 05:22:09 -0800 (PST) In-Reply-To: References: From: Dick Franks Date: Thu, 19 Dec 2013 13:22:09 +0000 X-Google-Sender-Auth: H8tIcV_vojznkKGPLAVOfgNJNLE Message-ID: To: Tony Finch Content-Type: multipart/alternative; boundary=bcaec5299ad7a6687704ede30d5e Cc: "dnsext@ietf.org" Subject: Re: [dnsext] Support for 1RTT multi-queries over TCP (or lack thereof) X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Dec 2013 13:22:33 -0000 --bcaec5299ad7a6687704ede30d5e Content-Type: text/plain; charset=UTF-8 In order to achieve parallelism you seem to desire, the transactions need to be mutually order independent. You will first need to free yourself from the ordering imposed by the TCP stream; a mighty TCP river with many sockets, the TCP equivalent of the Nile delta. Just the thing for DOS attacks! Perhaps disappointment(1) would be better directed at adns for offering what it is unable to deliver. Disappointment(2) would be justified only if the computational cost of the occasional wasted queries exceeded the cost of monitoring connections which are rarely dropped. Dick Franks ________________________ On 18 December 2013 12:18, Tony Finch wrote: > I saw a message to the unbound-users list which says unbound processes TCP > queries sequentially. > > > http://unbound.nlnetlabs.nl/pipermail/unbound-users/2013-December/003096.html > > I thought this was disappointingly poor, especially wrt the recent > discussion about backwards-compatible alternatives to edns-chain-query. So > I did a quick test to see if BIND has the same problem. I shoved a few > entries from the Alexa Top 1 Million list into adns as follows. > > $ sed 's|^[0-9]*,||;s|/.*||' top-1m.csv | head -100 | > adnshost --cname-loose --asynch --pipe > > Over UDP you can clearly see the response serial numbers are out-of-order, > and the whole thing runs in about 3 seconds with a cold cache. > > If I add --tcp to the adnshost command line the responses come back > strictly in order and BIND processes them one at a time. Processing all > the queries takes more than 30 seconds, so adns times out before getting > responses to the last 25 queries. (When you invoke adnshost like this it > does not by itself do anything to limit the number of outstanding > queries.) In addition to that, named fails to notice that the TCP socket > has gone away and continues to process queries. (I will report this as a > bug.) > > So that is doubly disappointing. > > Tony. > -- > f.anthony.n.finch http://dotat.at/ > Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at > first. > Rough, becoming slight or moderate. Showers, rain at first. Moderate or > good, > occasionally poor at first. > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext > --bcaec5299ad7a6687704ede30d5e Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
In order to achieve parallelism you seem to= desire, the transactions need to be mutually order independent.

You will first need to free yourself from the ordering imposed by the TC= P stream; a mighty TCP river with many sockets, the TCP equivalent of the N= ile delta.=C2=A0 Just the thing for DOS attacks!

Perhaps disappointment(1) would be better directed at adns for of= fering what it is unable to deliver.

Disappointment(2) wo= uld be justified only if the computational cost of the occasional wasted qu= eries exceeded the cost of monitoring connections which are rarely dropped.=



Dick Franks
________________________



On 18 December 2013 12:18, Tony Finch <dot@d= otat.at> wrote:
I saw a message to the unbound-users list which says unbound processes TCP<= br> queries sequentially.

http://unbound.nlnetlabs.nl/pipermail/unbo= und-users/2013-December/003096.html

I thought this was disappointingly poor, especially wrt the recent
discussion about backwards-compatible alternatives to edns-chain-query. So<= br> I did a quick test to see if BIND has the same problem. I shoved a few
entries from the Alexa Top 1 Million list into adns as follows.

$ sed 's|^[0-9]*,||;s|/.*||' top-1m.csv | head -100 |
=C2=A0 adnshost --cname-loose --asynch --pipe

Over UDP you can clearly see the response serial numbers are out-of-order,<= br> and the whole thing runs in about 3 seconds with a cold cache.

If I add --tcp to the adnshost command line the responses come back
strictly in order and BIND processes them one at a time. Processing all
the queries takes more than 30 seconds, so adns times out before getting responses to the last 25 queries. (When you invoke adnshost like this it does not by itself do anything to limit the number of outstanding
queries.) In addition to that, named fails to notice that the TCP socket has gone away and continues to process queries. (I will report this as a bug.)

So that is doubly disappointing.

Tony.
--
f.anthony.n.finch =C2=A0<dot@dotat.at> =C2=A0http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first= .
Rough, becoming slight or moderate. Showers, rain at first. Moderate or goo= d,
occasionally poor at first.
_______________________________________________
dnsext mailing list
dnsext@ietf.org = https://www.ietf.org/mailman/listinfo/dnsext

--bcaec5299ad7a6687704ede30d5e-- From fanf2@hermes.cam.ac.uk Thu Dec 19 05:23:59 2013 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9657F1ADEA0 for ; Thu, 19 Dec 2013 05:23:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.262 X-Spam-Level: X-Spam-Status: No, score=0.262 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.538] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id th3tpCzelKbc for ; Thu, 19 Dec 2013 05:23:57 -0800 (PST) Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f32]) by ietfa.amsl.com (Postfix) with ESMTP id 7EC7C1ADE87 for ; Thu, 19 Dec 2013 05:23:57 -0800 (PST) X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/ Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:55129) by ppsw-32.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.156]:25) with esmtpa (EXTERNAL:fanf2) id 1VtdZy-0005XO-2Q (Exim 4.82_3-c0e5623) (return-path ); Thu, 19 Dec 2013 13:23:54 +0000 Received: from fanf2 by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1VtdZy-0001AL-Ma (Exim 4.72) (return-path ); Thu, 19 Dec 2013 13:23:54 +0000 Date: Thu, 19 Dec 2013 13:23:54 +0000 From: Tony Finch X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk To: Dick Franks In-Reply-To: Message-ID: References: User-Agent: Alpine 2.00 (LSU 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: Tony Finch Cc: "dnsext@ietf.org" Subject: Re: [dnsext] Support for 1RTT multi-queries over TCP (or lack thereof) X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Dec 2013 13:23:59 -0000 Dick Franks wrote: > In order to achieve parallelism you seem to desire, the transactions need > to be mutually order independent. That is what the query ID is for. Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first. From marka@isc.org Thu Dec 19 05:49:04 2013 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 263E41AD948 for ; Thu, 19 Dec 2013 05:49:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.439 X-Spam-Level: X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHaYLoLiAyUn for ; Thu, 19 Dec 2013 05:49:02 -0800 (PST) Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 5228A1A1F62 for ; Thu, 19 Dec 2013 05:49:01 -0800 (PST) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id C9EFC2383C7; Thu, 19 Dec 2013 13:48:44 +0000 (UTC) (envelope-from marka@isc.org) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D9E74160470; Thu, 19 Dec 2013 13:57:39 +0000 (UTC) Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 82B65160436; Thu, 19 Dec 2013 13:57:39 +0000 (UTC) Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 4B869BFE80B; Fri, 20 Dec 2013 00:49:05 +1100 (EST) To: Tony Finch From: Mark Andrews References: In-reply-to: Your message of "Wed, 18 Dec 2013 12:18:05 -0000." Date: Fri, 20 Dec 2013 00:49:04 +1100 Message-Id: <20131219134905.4B869BFE80B@rock.dv.isc.org> Cc: dnsext@ietf.org Subject: Re: [dnsext] Support for 1RTT multi-queries over TCP (or lack thereof) X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Dec 2013 13:49:04 -0000 In message , Tony F inch writes: > I saw a message to the unbound-users list which says unbound processes TCP > queries sequentially. > > http://unbound.nlnetlabs.nl/pipermail/unbound-users/2013-December/003096.html > > I thought this was disappointingly poor, especially wrt the recent > discussion about backwards-compatible alternatives to edns-chain-query. So > I did a quick test to see if BIND has the same problem. I shoved a few > entries from the Alexa Top 1 Million list into adns as follows. And edns-chain-query is primarially worried about getting the DNSSEC records required to validate a response. You do not need asynchronous processing in a nameserver for this. The nameserver should be validating the initial query (cd=0 despite what is written in a recent rfc) which will trigger most the asyncronous lookups needed and the queued lookups are just filled from the cached data. Add to that asynchronous processing then required more complicated response handling so that each message is added to the TCP stream atomically. Now one could do that but there is little benefit once you get more that a couple of simultaneous TCP clients. > $ sed 's|^[0-9]*,||;s|/.*||' top-1m.csv | head -100 | > adnshost --cname-loose --asynch --pipe > > Over UDP you can clearly see the response serial numbers are out-of-order, > and the whole thing runs in about 3 seconds with a cold cache. > > If I add --tcp to the adnshost command line the responses come back > strictly in order and BIND processes them one at a time. Processing all > the queries takes more than 30 seconds, so adns times out before getting > responses to the last 25 queries. (When you invoke adnshost like this it > does not by itself do anything to limit the number of outstanding > queries.) In addition to that, named fails to notice that the TCP socket > has gone away and continues to process queries. (I will report this as a > bug.) > > So that is doubly disappointing. And how this is different to a UDP source which sends queries without listening to the responses? Both can get named to do work. Add to that there isn't really a way in TCP to say I've closed my read side which is not also a spoofable dos vector for still open connections. > Tony. > -- > f.anthony.n.finch http://dotat.at/ > Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. > Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, > occasionally poor at first. > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org