
Re: DNS Qname minimisation



On Thu, Mar 24, 2016, at 02:25, Ian Jackson wrote:
> Robert Edmonds writes ("Re: DNS Qname minimisation"):
> > DNS qname minimisation is already available in Debian; unbound 1.5.8 in
> > testing and jessie-backports has support for it, which can be enabled by
> > adding the following config snippet to /etc/unbound/unbound.conf.d/:
> > 
> >     server:
> >         qname-minimisation: yes
> 
> Perhaps we should enable it by default ?  Debian testing is a good
> place for such things I think.  If the authors/promoters of qname
> minimisation think it is ready for deployment soon, then maybe the
> Debian unbound maintainers should be consulted.  (Or indeed, unbound
> upstream.)

JFTR Knot Resolver (knot-resolver) has only QNAME minimisation mode
(with some workarounds for Akamai and other broken DNS).

> I did have one question for Hugo: is there a conventional optimisation
> or compromise in the qname minimisation for ip6.arpa lookups ?
> Without such a thing, the large number of labels in an ip6.arpa
> lookup, compared to the usually comparatively small number of zone
> cuts, would mean a big performance hit.

The performance hit will be there only when the cache is cold (the RFC
addressed that in Section 6:
https://tools.ietf.org/html/rfc7816#section-6).

That said, e.g. Knot Resolver switches to full resolution when it
encounters the first empty non-terminal in the resolution (mainly because
of Akamai's crappy CDN DNS implementation, but it also helps this case), so
the actual resolution looks like this with a cold cache:

$ ./daemon/kresd -a 127.0.0.1\#5353 $(mktemp -d) -f 1 -v
[plan] plan
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.ip6.arpa.'
type 'PTR'
[resl]   => using root hints
[resl]   => querying: '2001:dc3::500' score: 10 zone cut: '.' m12n:
'aRpA.' type: 'NS'
[resl]      optional: '202.12.27.33' score: 10 zone cut: '.' m12n:
'aRpA.' type: 'NS'
[resl]      optional: '2001:500:3::b00' score: 10 zone cut: '.' m12n:
'aRpA.' type: 'NS'
[resl]      optional: '199.7.83.42' score: 10 zone cut: '.' m12n:
'aRpA.' type: 'NS'
[iter]   <= rcode: NOERROR
[iter]   <= found cut, retrying with non-minimized name
[resl]   <= server: '202.12.27.33' rtt: 324 ms
[resl]   => querying: '2001:dc3::500' score: 10 zone cut: '.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.ip6.ARPa.'
type: 'PTR'
[resl]      optional: '202.12.27.33' score: 10 zone cut: '.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.ip6.ARPa.'
type: 'PTR'
[resl]      optional: '2001:500:3::b00' score: 10 zone cut: '.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.ip6.ARPa.'
type: 'PTR'
[resl]      optional: '199.7.83.42' score: 10 zone cut: '.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.ip6.ARPa.'
type: 'PTR'
[iter]   <= referral response, follow
[resl]   <= server: '202.12.27.33' rtt: 325 ms
[resl]   => querying: '2001:67c:e0::2' score: 10 zone cut: 'ip6.arpa.'
m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.iP6.ArPA.'
type: 'PTR'
[resl]      optional: '193.0.9.2' score: 10 zone cut: 'ip6.arpa.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.iP6.ArPA.'
type: 'PTR'
[resl]      optional: '2001:dc0:2001:a:4608::59' score: 10 zone cut:
'ip6.arpa.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.iP6.ArPA.'
type: 'PTR'
[resl]      optional: '202.12.29.59' score: 10 zone cut: 'ip6.arpa.'
m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.b.0.1.0.0.2.iP6.ArPA.'
type: 'PTR'
[iter]   <= referral response, follow
[resl]   <= server: '2001:67c:e0::2' rtt: 14 ms
[plan]   plan 'tinnie.arin.net.' type 'AAAA'
[resl]     => using root hints
[resl]     => querying: '2001:dc3::500' score: 10 zone cut: '.' m12n:
'net.' type: 'NS'
[resl]        optional: '202.12.27.33' score: 10 zone cut: '.' m12n:
'net.' type: 'NS'
[resl]        optional: '2001:500:3::b00' score: 10 zone cut: '.' m12n:
'net.' type: 'NS'
[resl]        optional: '199.7.83.42' score: 10 zone cut: '.' m12n:
'net.' type: 'NS'
[iter]     <= referral response, follow
[resl]     <= server: '202.12.27.33' rtt: 326 ms
[resl]     => querying: '192.55.83.30' score: 10 zone cut: 'net.' m12n:
'aRiN.neT.' type: 'NS'
[resl]        optional: '192.41.162.30' score: 10 zone cut: 'net.' m12n:
'aRiN.neT.' type: 'NS'
[resl]        optional: '192.52.178.30' score: 10 zone cut: 'net.' m12n:
'aRiN.neT.' type: 'NS'
[resl]        optional: '192.48.79.30' score: 10 zone cut: 'net.' m12n:
'aRiN.neT.' type: 'NS'
[iter]     <= referral response, follow
[resl]     <= server: '192.55.83.30' rtt: 151 ms
[resl]     => querying: '2001:500:a9::108' score: 10 zone cut:
'arin.net.' m12n: 'TINnie.Arin.Net.' type: 'AAAA'
[resl]        optional: '199.5.26.108' score: 10 zone cut: 'arin.net.'
m12n: 'TINnie.Arin.Net.' type: 'AAAA'
[resl]        optional: '2001:500:31::108' score: 10 zone cut:
'arin.net.' m12n: 'TINnie.Arin.Net.' type: 'AAAA'
[resl]        optional: '199.71.0.108' score: 10 zone cut: 'arin.net.'
m12n: 'TINnie.Arin.Net.' type: 'AAAA'
[iter]     <= rcode: NOERROR
[resl]     <= server: '2001:500:a9::108' rtt: 145 ms
[resl]   => querying: '2001:500:13::c7d4:35' score: 10 zone cut:
'b.0.1.0.0.2.ip6.arpa.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.b.0.1.0.0.2.IP6.arPA.'
type: 'PTR'
[iter]   <= referral response, follow
[resl]   <= server: '2001:500:13::c7d4:35' rtt: 93 ms
[resl]   => querying: '2001:67c:e0::6' score: 10 zone cut:
'8.a.b.0.1.0.0.2.ip6.arpa.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.Ip6.ARPa.'
type: 'PTR'
[resl]      optional: '193.0.9.6' score: 10 zone cut:
'8.a.b.0.1.0.0.2.ip6.arpa.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.E.1.0.8.A.B.0.1.0.0.2.Ip6.ARPa.'
type: 'PTR'
[iter]   <= referral response, follow
[resl]   <= server: '2001:67c:e0::6' rtt: 14 ms
[plan]   plan 'master.ns.chiark.greenend.org.uk.' type 'AAAA'
[resl]     => using root hints
[resl]     => querying: '2001:dc3::500' score: 10 zone cut: '.' m12n:
'uk.' type: 'NS'
[resl]        optional: '202.12.27.33' score: 10 zone cut: '.' m12n:
'uk.' type: 'NS'
[resl]        optional: '2001:500:3::b00' score: 10 zone cut: '.' m12n:
'uk.' type: 'NS'
[resl]        optional: '199.7.83.42' score: 10 zone cut: '.' m12n:
'uk.' type: 'NS'
[iter]     <= referral response, follow
[resl]     <= server: '202.12.27.33' rtt: 325 ms
[resl]     => querying: '2401:fd80:404::1' score: 10 zone cut: 'uk.'
m12n: 'OrG.UK.' type: 'NS'
[resl]        optional: '43.230.48.1' score: 10 zone cut: 'uk.' m12n:
'OrG.UK.' type: 'NS'
[resl]        optional: '2a01:618:404::1' score: 10 zone cut: 'uk.'
m12n: 'OrG.UK.' type: 'NS'
[resl]        optional: '213.248.220.1' score: 10 zone cut: 'uk.' m12n:
'OrG.UK.' type: 'NS'
[iter]     <= rcode: NOERROR
[iter]     <= found cut, retrying with non-minimized name
[resl]     <= server: '2401:fd80:404::1' rtt: 22 ms
[resl]     => querying: '2a01:618:404::1' score: 10 zone cut: 'uk.'
m12n: 'MaSter.NS.ChIARK.greeNend.ORG.UK.' type: 'AAAA'
[resl]        optional: '213.248.220.1' score: 10 zone cut: 'uk.' m12n:
'MaSter.NS.ChIARK.greeNend.ORG.UK.' type: 'AAAA'
[resl]        optional: '2401:fd80:400::1' score: 10 zone cut: 'uk.'
m12n: 'MaSter.NS.ChIARK.greeNend.ORG.UK.' type: 'AAAA'
[resl]        optional: '103.49.80.1' score: 10 zone cut: 'uk.' m12n:
'MaSter.NS.ChIARK.greeNend.ORG.UK.' type: 'AAAA'
[iter]     <= referral response, follow
[resl]     <= server: '2a01:618:404::1' rtt: 22 ms
[resl]     => querying: '212.13.197.229' score: 10 zone cut:
'greenend.org.uk.' m12n: 'mAStER.NS.cHiarK.GReeneNd.oRg.uK.' type:
'AAAA'
[iter]     <= rcode: NOERROR
[ pc ]     => answer cached for TTL=900
[resl]     <= server: '212.13.197.229' rtt: 25 ms
[plan]   plan 'master.ns.chiark.greenend.org.uk.' type 'A'
[ rc ]     => satisfied from cache
[iter]     <= rcode: NOERROR
[resl]   => querying: '212.13.197.229' score: 25 zone cut:
'3.e.1.0.8.a.b.0.1.0.0.2.ip6.arpa.' m12n:
'0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.e.1.0.8.a.B.0.1.0.0.2.Ip6.ArPA.'
type: 'PTR'
[iter]   <= rcode: NOERROR
[resl]   <= server: '212.13.197.229' rtt: 26 ms
[resl] finished: 4, queries: 4, mempool: 49200 B

I don't know the details of the Unbound implementation of QNAME-min, but
there will be a talk about it next week at DNS-OARC, and I'll also be
speaking about Knot Resolver if you are interested.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
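
Added example, not part of the original message and not Knot Resolver or Unbound code: a simplified cold-cache model that compares one-label-at-a-time minimisation with the fallback to the full name described above, and shows which names each zone's servers get to see. The zone cuts are copied from the "zone cut:" fields of the trace; the function names and the model itself are assumptions.

```python
# Simplified model: one query per step, no caching, no retries, no glue lookups.
QNAME = ("0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0."
         "3.e.1.0.8.a.b.0.1.0.0.2.ip6.arpa.")
# Zone cuts as they appear in the trace for this PTR lookup.
CUTS = {".", "ip6.arpa.", "b.0.1.0.0.2.ip6.arpa.",
        "8.a.b.0.1.0.0.2.ip6.arpa.", "3.e.1.0.8.a.b.0.1.0.0.2.ip6.arpa."}

def ancestors(qname):
    """Names from one label below the root down to qname itself."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def walk(qname, cuts, qtype="PTR", fallback=False):
    """Return [(zone asked, name sent, type sent)] for a cold-cache lookup."""
    names = ancestors(qname)           # names[0] is the TLD, names[-1] is qname
    zone, depth, full, sent = ".", 0, False, []
    while True:
        if full:
            sent.append((zone, qname, qtype))
            # A server given the full name refers us to the next cut below it.
            nxt = next((k for k in range(depth, len(names))
                        if names[k] in cuts), None)
            if nxt is None:
                return sent            # no deeper cut: authoritative answer
            zone, depth = names[nxt], nxt + 1
            continue
        name = names[depth]
        last = name == qname
        sent.append((zone, name, qtype if last else "NS"))
        if name in cuts:
            zone = name                # referral: keep minimising below the cut
        elif fallback and not last:
            full = True                # non-referral answer: stop minimising
            continue
        if last:
            return sent
        depth += 1

def exposed_to(sent, zone):
    """Every query name that the servers of `zone` received."""
    return {name for asked, name, _ in sent if asked == zone}

if __name__ == "__main__":
    for mode in (False, True):
        q = walk(QNAME, CUTS, fallback=mode)
        print("fallback" if mode else "strict", len(q), "queries;",
              "root sees", sorted(exposed_to(q, "."), key=len))
```

In this model the strict walk costs one query per label, while the fallback walk reproduces the six upstream PTR queries visible in the trace, at the price of sending the full name to the root servers.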

