NANOG36-NOTES 2006.02.13 talk 3 NTT labs AAAA query explosion worries

(Huge apologies in advance for any and all names I completely
mangle! check to see names/faces
correctly handled by Ren. ^_^; )


2006.02.13, talk 3
NTT labs, (Steve Feldman apologizes for mangling the
pronunciation of their names).

NTT information sharing platform labs
(didn’t get names/info from opening slide)

Expect increase in number of DNS queries this year
effect on cache server load and user response time
how can we decrease number of unnecessary queries?

Today’s topic
we focus on increase in number of queries between users
and cache servers caused by
IPv6 support
number of 4A queries same as that of A queries
domain name completion function
DN completion by OS
DN completion by application

IPv6 enabled OS increases 4A queries
Vista will be v6 enabled by default

IPv6 and OS resolver
IPv6 enabled OS sends 4A queries for every name resolution
Sends both A and 4A queries for every name resolution
currently no way to disable one or the other

Domain Name Completion
when a name resolution fails, both OS and APP automatically
try different prefix/suffix completions.

OS using these domains to complete:
FreeBSD: specified by “search” in /etc/resolv.conf,
distributed by DHCP
Windows: configured in control panel, distributed by
Mozilla: retries with www domain prefix
IE searches domain using MSN search and then retries
name resolutions for domains by adding .com, .org,
.net, .edu.

Convenient for user, perhaps, hard on nameservers.

Combination in FreeBSD
completions are different depending on OS
tried domain completions for A and 4A for each case.
Windows tries all 4A records first, THEN tries all A

So IPv6 queries in Windows means even if there’s an
A record in v4 space, it exhausts ALL 4A possibilities
FIRST, before going back to get A record.

IPv6 default enabled
ALWAYS tries 4A queries first!

IE7 plus Vista results in 12 DNS queries per user click,
best case.
Worst case, one user click results in 40 DNS queries!!

Slide showing projected impact based on historical
data plus projected Vista deployment.
Right now, 4A queries only about 5% of queries.
After Vista, size of increase could dwarf rest of
DNS queries.

Release of Windows Vista (IPv6 by default)
doubles at least the number of user queries
causes more queries in domain name completions and domain
search sequences

cache servers should be prepared for those increases

stop domain distribution to users by DHCP or PPPoE
Developers of OS
is current search order of resolvers appropriate?
eg should “A” record be resolved before domain completion.

Ed from Neustar, at microphone: before we consider this
a problem, consider from point of application provider;
when you need a name, you don’t know what transport you
may have underneath; if you wait for NXDomain, you
increase latency, so app developers generally send all
queries at once.
What about changing DNS to allow asking for multiple
questions at once?
Changing application behaviour isn’t likely to happen,
and changing protocols isn’t easy; so why not just
beef up the infrastructure to handle it?

Joel Yagli, UofOregon; do you know how many of those
queries will need to fail over from UDP to TCP due to
responses being too large to fit into a single UDP
Most of the responses coming back don’t have data, so
they don’t need to go to TCP.

Tony Bates–what happens when v6 record is returned
as valid; does the chain stop there?
Also, if you flip to return A record first, we’ll
never move to v6. We NEED to start resolving v6
records first, to help move the 'Net off IPv4.

Applause, on to next talk.
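
An added example, not part of the original notes or the NTT slides: a simplified model of the two query orderings discussed in the talk (all 4A completions first, then all A, versus A and 4A per name before moving to the next completion), counting the queries one lookup sends to the cache server. The search list, the zone data and the assumption that the name as typed is tried before any completion are constructed for illustration.

```python
# Simplified stub-resolver model; it does not reproduce any real OS resolver.
# Constructed sample data: a two-entry search list and a tiny "zone".
SEARCH = ["corp.example.net", "example.net"]
ZONE = {
    ("www.example.com", "A"): "192.0.2.10",       # IPv4-only host
    ("v6.example.com", "AAAA"): "2001:db8::10",   # dual-stack host
    ("v6.example.com", "A"): "192.0.2.11",
}

def candidates(name, search_list):
    """Name as typed first (assumption), then each search-domain completion."""
    return [name] + [f"{name}.{suffix}" for suffix in search_list]

def plan(name, search_list, order):
    """Return the (qname, qtype) sequence the resolver would walk through."""
    names = candidates(name, search_list)
    if order == "all-aaaa-first":
        # Ordering the notes attribute to Windows: every AAAA, then every A.
        return [(n, "AAAA") for n in names] + [(n, "A") for n in names]
    if order == "per-name":
        # Alternative raised in the talk: finish A/AAAA for a name
        # before falling back to domain completion.
        return [(n, t) for n in names for t in ("AAAA", "A")]
    raise ValueError(f"unknown order: {order}")

def resolve(name, search_list, order, zone):
    """Send queries in plan order; stop at the first one that has data."""
    sent = []
    for query in plan(name, search_list, order):
        sent.append(query)
        if query in zone:
            return zone[query], sent
    return None, sent  # every query came back empty or NXDOMAIN

if __name__ == "__main__":
    for host in ("www.example.com", "v6.example.com", "nosuch.example.com"):
        for order in ("all-aaaa-first", "per-name"):
            answer, sent = resolve(host, SEARCH, order, ZONE)
            print(f"{host:20} {order:15} queries={len(sent)} answer={answer}")
```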


> Expect increase in number of DNS queries this year
> Discussion
> effect on cache server load and user response time
> how can we decrease number of unnecessary queries?


Speaking from the point of view of someone serving authoritative DNS
data, rather than running a cache server for users, there is one thing
above all required to reduce the number of unnecessary queries:

** All traces of BIND 8.3.3 and 8.3.4, and all code that shares their
AAAA/A6 nameserver lookup bug, must be purged from the net completely. **

In the two and a half years or so since I first noticed this issue, the
extent of any improvement has been slight. This isn't really surprising;
how many people even know that those versions are broken? How many people
would care, even if they knew, about the fact that they are generating
unnecessary queries to other people's DNS servers?