Re: DNS Qname minimisation

2016-03-24 Thread Ondřej Surý 
On Thu, Mar 24, 2016, at 02:25, Ian Jackson wrote:
> Robert Edmonds writes ("Re: DNS Qname minimisation"):
> > DNS qname minimisation is already available in Debian; unbound 1.5.8 in
> > testing and jessie-backports has support for it, which can be enabled by
> > adding the following config snippet to /etc/unbound/unbound.conf.d/:
> > 
> > server:
> > qname-minimisation: yes
> 
> Perhaps we should enable it by default ?  Debian testing is a good
> place for such things I think.  If the authors/promoters of qname
> minimisation think it is ready for deployment soon, then maybe the
> Debian unbound maintainers should be consulted.  (Or indeed, unbound
> upstream.)

JFTR Knot Resolver (knot-resolver) has only QNAME minimisation mode
(with some workarounds for Akamai and other broken DNS).

> I did have one question for Hugo: is there a conventional optimisation
> or compromise in the qname minimisation for ip6.arpa lookups ?
> Without such a thing, the large number of labels in an ip6.arpa
> lookup, compared to the usually comparatively small number of zone
> cuts, would mean a big performance hit.

The performance hit will be the only when the cache is cold (the RFC
addressed that in Section 6:
https://tools.ietf.org/html/rfc7816#section-6).

That said, f.e. Knot Resolver switch to full resolution when it
encounters first empty non-terminal in the resolution (mainly because
Akamai crappy CDN DNS implementation, but it also helps this case), so
the actual resolution looks like this with cold cache:

$ ./daemon/kresd -a 127.0.0.1\#5353 $(mktemp -d) -f 1 -v
[plan] plan
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.ip6.arpa.'
type 'PTR'
[resl]   => using root hints
[resl]   => querying: '2001:dc3::500' score: 10 zone cut: '.' m12n:
'aRpA.' type: 'NS'
[resl]  optional: '202.12.27.33' score: 10 zone cut: '.' m12n:
'aRpA.' type: 'NS'
[resl]  optional: '2001:500:3::b00' score: 10 zone cut: '.' m12n:
'aRpA.' type: 'NS'
[resl]  optional: '199.7.83.42' score: 10 zone cut: '.' m12n:
'aRpA.' type: 'NS'
[iter]   <= rcode: NOERROR
[iter]   <= found cut, retrying with non-minimized name
[resl]   <= server: '202.12.27.33' rtt: 324 ms
[resl]   => querying: '2001:dc3::500' score: 10 zone cut: '.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.ip6.ARPa.'
type: 'PTR'
[resl]  optional: '202.12.27.33' score: 10 zone cut: '.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.ip6.ARPa.'
type: 'PTR'
[resl]  optional: '2001:500:3::b00' score: 10 zone cut: '.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.ip6.ARPa.'
type: 'PTR'
[resl]  optional: '199.7.83.42' score: 10 zone cut: '.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.ip6.ARPa.'
type: 'PTR'
[iter]   <= referral response, follow
[resl]   <= server: '202.12.27.33' rtt: 325 ms
[resl]   => querying: '2001:67c:e0::2' score: 10 zone cut: 'ip6.arpa.'
m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.iP6.ArPA.'
type: 'PTR'
[resl]  optional: '193.0.9.2' score: 10 zone cut: 'ip6.arpa.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.iP6.ArPA.'
type: 'PTR'
[resl]  optional: '2001:dc0:2001:a:4608::59' score: 10 zone cut:
'ip6.arpa.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.iP6.ArPA.'
type: 'PTR'
[resl]  optional: '202.12.29.59' score: 10 zone cut: 'ip6.arpa.'
m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.iP6.ArPA.'
type: 'PTR'
[iter]   <= referral response, follow
[resl]   <= server: '2001:67c:e0::2' rtt: 14 ms
[plan]   plan 'tinnie.arin.net.' type ''
[resl] => using root hints
[resl] => querying: '2001:dc3::500' score: 10 zone cut: '.' m12n:
'net.' type: 'NS'
[resl]optional: '202.12.27.33' score: 10 zone cut: '.' m12n:
'net.' type: 'NS'
[resl]optional: '2001:500:3::b00' score: 10 zone cut: '.' m12n:
'net.' type: 'NS'
[resl]optional: '199.7.83.42' score: 10 zone cut: '.' m12n:
'net.' type: 'NS'
[iter] <= referral response, follow
[resl] <= server: '202.12.27.33' rtt: 326 ms
[resl] => querying: '192.55.83.30' score: 10 zone cut: 'net.' m12n:
'aRiN.neT.' type: 'NS'
[resl]optional: '192.41.162.30' score: 10 zone cut: 'net.' m12n:
'aRiN.neT.' type: 'NS'
[resl]optional: '192.52.178.30' score: 10 zone cut: 'net.' m12n:
'aRiN.neT.' type: 'NS'
[resl]optional: '192.48.79.30' score: 10 zone cut: 'net.' m12n:
'aRiN.neT.' type: 'NS'
[iter] <= referral response, follow
[resl] <= server: '192.55.83.30' rtt: 151 ms
[resl] => querying: '2001:500:a9::108' score: 10 zone cut:
'arin.net.' m12n: 'TINnie.Arin.Net.' type: ''
[resl]optional: '199.5.26.108' score: 10 zone cut: 'arin.net.'
m12n: 'TINnie.Arin.Net.' type: ''
[resl]optional: '2001:500:31::108' score: 10 zone cut:
'arin.net.' m12n: 'TINnie.Arin.Net.' type: ''
[resl]optional:

Re: DNS Qname minimisation

2016-03-24 Thread Ian Jackson 
Ondřej Surý writes ("Re: DNS Qname minimisation"):
> [facts]

Thanks for the information!

Regards,
Ian.