[88595] in North American Network Operators' Group
NANOG36-NOTES 2006.02.13 talk 3 NTT labs AAAA query explosion worries
daemon@ATHENA.MIT.EDU (Matthew Petach)
Mon Feb 13 11:59:18 2006
Date: Mon, 13 Feb 2006 08:56:31 -0800
From: Matthew Petach <mpetach@netflight.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu
(Huge apologies in advance for any and all names I completely
mangle!  check http://nanog.multiply.com/ to see names/faces
correctly handled by Ren.  ^_^; )
Matt
2006.02.13, talk 3
NTT labs, (Steve Feldman apologizes for mangling the
pronunciation of their names).
NTT information sharing platform labs
(didn't get names/info from opening slide)
Outline
Expect increase in number of DNS queries this year
Discussion
 effect on cache server load and user response time
 how can we decrease number of unnecessary queries?
Today's topic
we focus on increase in number of queries between users
and cache servers caused by
 IPv6 support
  number of 4A queries same as that of A queries
 domain name completion function
  DN completion by OS
  DN completion by application
IPv6 enabled OS increases 4A queries
 Vista will be v6 enabled by default
IPv6 and OS resolver
IPv6 enabled OS sends 4A queries for every name resolution
BSD/Windows
  Sends both A and 4A queries for every name resolution
   currently no way to disable one or the other
Domain Name Completion
 when a name resolution fails, both OS and APP automatically
 try different prefix/suffix completions.
OS using these domains to complete:
 FreeBSD: specified by "search" in /etc/resolv.conf,
  distributed by DHCP
 Windows: configured in control panel, distributed by
  DHCP
 Applications:
  Mozilla: retries with www domain prefix
  IE searches domain using MSN search and then retries
   name resolutions for domains by adding .com, .org,
   .net, .edu.
Convenient for user, perhaps, hard on nameservers.
Combination in FreeBSD
completions are different depending on OS
FreeBSD
 tried domain completions for A and 4A for each case.
Windows tries all 4A records first, THEN tries all A
 records.
So IPv6 queries in Windows means even if there's an
A record in v4 space, it exhausts ALL 4A possibilities
FIRST, before going back to get A record.
Longhorn/Vista
IPv6 default enabled
 ALWAYS tries 4A queries first!
IE7 plus Vista results in 12 DNS queries per user click,
best case.
Worst case, one user click results in 40 DNS queries!!
Slide showing projected impact based on historical
data plus projected Vista deployment.
Right now, 4A queries only about 5% of queries.
After Vista, size of increase could dwarf rest of
DNS queries.
Release of Windows Vista (IPv6 by default)
 doubles at least the number of user queries
 causes more queries in domain name completions and domain
  search sequences
Operators
 cache servers should be prepared for those increases
 stop domain distribution to users by DHCP or PPPoE
Developers of OS
 is current search order of resolvers appropriate?
  eg should "A" record be resolved before domain completion.
Ed from Neustar, at microphone: before we consider this
a problem, consider from point of application provider;
when you need a name, you don't know what transport you
may have underneath; if you wait for NXDomain, you
increase latency, so app developers generally send all
queries at once.
What about changing DNS to allow asking for multiple
questions at once?
Changing application behaviour isn't likely to happen,
and changing protocols isn't easy; so why not just
beef up the infrastructure to handle it?
Joel Yagli, UofOregon; do you know how many of those
queries will need to fail over from UDP to TCP due to
responses being too large to fit into a single UDP
response?
Most of the responses coming back don't have data, so
they don't need to go to TCP.
Tony Bates--what happens when v6 record is returned
as valid; does the chain stop there?
Also, if you flip to return A record first, we'll
never move to v6.  We NEED to start resolving v6
records first, to help move the 'Net off IPv4.
Applause, on to next talk.
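
Added example, not part of the original notes or the NTT slides: a simplified model of the two lookup orderings the notes describe (A and 4A per completion, versus all 4A completions before any A), counting the queries one lookup sends to a cache server. The search list, zone contents, ordering names and the rule that the name as typed is tried before its completions are assumptions made for illustration.

```python
# Simplified model of the two resolver orderings described in the notes.
# ZONE and SEARCH are constructed sample data, not measurements.
SEARCH = ["corp.example", "example.net"]           # search domains (e.g. via DHCP)
ZONE = {("www.example.com", "A"): "192.0.2.10"}    # a v4-only name, no AAAA


def candidates(name, search):
    """Assumption: the name as typed is tried first, then each completion."""
    return [name] + [f"{name}.{suffix}" for suffix in search]


def resolve(name, search, zone, order):
    """Return (answer, queries sent to the cache server) for one lookup."""
    sent = []

    def ask(qname, qtype):
        sent.append((qname, qtype))
        return zone.get((qname, qtype))

    names = candidates(name, search)
    if order == "per-name":
        # A and AAAA for each candidate; stop once either one answers.
        for qname in names:
            answers = [ask(qname, "AAAA"), ask(qname, "A")]
            found = [a for a in answers if a is not None]
            if found:
                return found[0], sent
    elif order == "aaaa-first":
        # Every AAAA candidate first, then every A candidate.
        for qtype in ("AAAA", "A"):
            for qname in names:
                answer = ask(qname, qtype)
                if answer is not None:
                    return answer, sent
    else:
        raise ValueError(f"unknown order: {order}")
    return None, sent


if __name__ == "__main__":
    for name in ("www.example.com", "typo.example.com"):
        for order in ("per-name", "aaaa-first"):
            answer, sent = resolve(name, SEARCH, ZONE, order)
            print(f"{name:18} {order:11} answer={answer} queries={len(sent)}")
```

With a two-entry search list, the v4-only name costs two queries in the per-name ordering and four in the 4A-first ordering, while a name that does not exist costs six in both.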