6 Dub
2016
6 Dub
'16
19:34
Hi Gert,
----- Original Message -----
From: "Gert Doering" <gert(a)space.net>
To: "Ondřej Surý" <ondrej.sury(a)nic.cz>
Cc: "Gert Doering" <gert(a)space.net>et>, knot-dns-users(a)lists.nic.cz
Sent: Wednesday, April 6, 2016 12:27:25 PM
Subject: Re: [knot-dns-users] preserve case in labels?
Hi Ondrej,
On Wed, Apr 06, 2016 at 03:36:11PM +0200, Ond??ej Surý wrote:
Recursors don't care about the casing in neither the ANSWER, AUTHORITY nor ADDITIONAL
sections. They might care in the QUESTION section in case 0x20 as additional antispoofing
measure is used, but that works in Knot.
no, we don't have such option. DENIC should
fix their interface as their checks
are broken.
I never said that DENIC's checks are very *useful* (or that we're worried
about it) - but that's how I came to know about it.
DNS is indeed case insensitive and Knot DNS does
the unification for performance
reasons.
One of the other values of unifying the case is a DNS compression making the DNS
responses smaller. You wouldn't be able to use DNS compression if you have
inconsistent case through the zone.
Well, we do have consistent casing - uppercase S and N, it's just that
knot is the odd one here, causing recursors to see mixed-case or
lowercase-only results, depending on which authority they are asking. I'm a bit frustrated to hear that, because
"not interfere with the stuff
I put into a zone file, unless I authorize software to do it" is indeed
important to us - so it's "back to bind" time for now.
Sorry to hear that, but there's a lot of other software that convert the data into
canonical form, and in DNS the wire format is purely aesthetic issue, as most the DNS
responses are consumed by stub resolvers and not humans. And since we are over 1M
responses per second (with SO_REUSEPORT) I think the approach works quite well for us.
I can see the compression argument (and surprisingly
it seems to reflect
in the traffic volume of the machine - though that might be due to other
optimizations in knot, not just case folding) - but since the difference
between bind and knot is only about 10-20 Gbytes per month, this is not
an issue of utmost importance for us.
Definitely the main difference is the minimal responses we sent, as the modern resolvers
will ignore most of the unsolicited extra information for security reasons.
(The "lookup performance" issue I can also
see, but this should not
affect "responses shipped" - like in a SOA or PTR record)
Shrug. Just because BIND has been doing something for years, that doesn't necessarily
makes it right. And in the end when you are under DDoS attack you will care more about
the DNS server performance than the CaMeL casing you put into the zone. Just
sayin'...
Have a nice day,
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz https://nic.cz/
--------------------------------------------