> The growing deployment of DNS Security (DNSSEC) and IPv6 has increased response sizes and therefore the use of TCP.
Yes, but doesn't IPv6 also increase the "maximum safe UDP packet size" from 512 bytes to 1280?
> Existing deployments of DNSSEC [RFC4033] have shown that truncation at the 512-byte boundary is now commonplace. For example, a Non-Existent Domain (NXDOMAIN) (RCODE == 3) response from a DNSSEC-signed zone using NextSECure 3 (NSEC3) [RFC5155] is almost invariably larger than 512 bytes.
This has been a flagged issue in DNSSEC since it was originally considered. This was a massive oversight on their part and was only added because DNSSEC originally made it quite easy to probe entire DNS trees and expose obscured RRs.
> The MTU most commonly found in the core of the Internet is around 1500 bytes, and even that limit is routinely exceeded by DNSSEC-signed responses.
> Stub resolver implementations (e.g., an operating system's DNS resolution library) MUST support TCP since to do otherwise would limit the interoperability between their own clients and upstream servers.
Fair enough, but are network clients actually meant to use DNSSEC? Isn't this just an issue for authoritative and recursive DNSSEC resolvers up and down the roots?
>> The growing deployment of DNS Security (DNSSEC) and IPv6 has increased response sizes and therefore the use of TCP.
> Yes, but doesn't IPv6 also increase the "maximum safe UDP packet size" from 512 bytes to 1280?
DNS mostly has to support larger sizes, and has for decades, for things like SVC/TXT records used for various encryption schemes and large blocks of text. Having worked for a registrar and dealt with DDoS, there's not much you can do but filter more intelligently. There are DDoS appliances/services built just to deal with volumetric queries from hosts for that reason.
> Fair enough but are network clients actually meant to use DNSSEC?
I dream of an alternate reality where DNSSEC and DANE had become more ubiquitous, and we didn't have need for CAs to sign TLS certificates[1]. But that requires DNSSEC (or some other cryptographic verification) on the client.
[1]: Or something like that. In that mythical world maybe DNSSEC was also better designed...
Just to add real quick: there is not in fact a meaningful growing deployment of DNSSEC --- in fact, in North America and the western commercial Internet, the opposite thing is true: the number of signed zones has decreased. This is especially stark if you look at the true figure of merit, DNSSEC deployment on popular zones (take the Tranco academic research ranking of popular zones as a model):
> Yes, but doesn't IPv6 also increase the "maximum safe UDP packet size" from 512 bytes to 1280?
Sure would be nice if people used IPv6. Even if you're actually sending data over IPv6, that doesn't mean the DNS lookups are going over IPv6. Infrastructure like that lags.
> This has been a flagged issue in DNSSEC since it was originally considered. This was a massive oversight on their part and was only added because DNSSEC originally made it quite easy to probe entire DNS trees and expose obscured RRs.
... probably because the people who originally designed DNSSEC (and DNS) couldn't believe that people would be crazy enough to try to keep their DNS records secret (or run split address spaces, for that matter). But anyway, whatever the reason, the replies are big and that has to be dealt with.
> Fair enough but are network clients actually meant to use DNSSEC?
You should be validating as close to the point of use as possible.
> Isn't this just an issue for authoritative and recursive DNSSEC resolvers up and down the roots?
If by "resolvers" you mean "local resolution-only servers", then that's common, but arguably bad, practice.
Anyway, using TCP also neuters DNS as a DoS amplifier, at least if you can make it universal enough to avoid downgrade attacks.
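An added example, not posted by anyone in this thread, of the two mechanics the RFC text quoted at the top and the amplification remark above both rest on: a server may only send as many UDP bytes as the requester allowed (512 without EDNS0, the OPT RR's CLASS field otherwise), so an oversized answer comes back as header plus question with TC set, and the client must repeat the same query over TCP with RFC 7766's two-byte length framing. Assumptions: the wire layout follows RFC 1035/6891/7766, the "large signed answer" is a constructed TXT record of filler bytes standing in for an NSEC3 NXDOMAIN response, and 1232 is simply a plausible advertised buffer size, not a value from the thread.

```python
import struct

# Added example, not from the thread: how a resolver decides between UDP and
# TCP for a DNS exchange, following RFC 1035, RFC 6891 (EDNS0) and RFC 7766.

DNS_CLASSIC_UDP_MAX = 512    # RFC 1035 ceiling for UDP replies without EDNS0
EDNS_BUFSIZE = 1232          # assumed requester buffer size for the demo
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
TYPE_TXT = 16
TYPE_OPT = 41


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "flags": flags, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_end(msg):
    """Offset just past the question section (assumes QDCOUNT == 1)."""
    return skip_name(msg, 12) + 4


def build_query(qid, name, qtype=1, edns_bufsize=None):
    msg = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns_bufsize else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR (RFC 6891): root name, TYPE 41, CLASS carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def requester_udp_limit(query):
    """UDP bytes a server may send back: 512 unless an OPT RR advertises more."""
    hdr = parse_header(query)
    off = question_end(query)
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        name_end = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[name_end:name_end + 10])
        if rtype == TYPE_OPT:
            return max(rclass, DNS_CLASSIC_UDP_MAX)   # values below 512 count as 512
        off = name_end + 10 + rdlen
    return DNS_CLASSIC_UDP_MAX


def make_txt_response(query, text_len):
    """Constructed sample answer: one TXT RR of filler, standing in for a big signed reply."""
    hdr = parse_header(query)
    rdata, remaining = b"", text_len
    while remaining > 0:                 # TXT rdata is a run of <=255-byte character-strings
        chunk = min(255, remaining)
        rdata += bytes([chunk]) + b"x" * chunk
        remaining -= chunk
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", hdr["id"], hdr["flags"] | FLAG_QR, 1, 1, 0, 0) \
        + query[12:question_end(query)] + rr


def server_udp_reply(query, full_response):
    """Server side: full answer if it fits the requester's limit, else header+question with TC."""
    if len(full_response) <= requester_udp_limit(query):
        return full_response
    hdr = parse_header(full_response)
    truncated = struct.pack("!HHHHHH", hdr["id"], hdr["flags"] | FLAG_TC, hdr["qdcount"], 0, 0, 0)
    return truncated + full_response[12:question_end(full_response)]


def tcp_frame(msg):
    """RFC 7766 framing: each message is prefixed by its 16-bit big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for DNS over TCP")
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream into complete messages; return (messages, leftover bytes)."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break                        # partial message, wait for more bytes
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def client_next_step(query, udp_response):
    """Client side: accept the UDP answer, or re-send the same query over TCP when TC is set."""
    hdr = parse_header(udp_response)
    if hdr["id"] != parse_header(query)["id"] or not hdr["flags"] & FLAG_QR:
        raise ValueError("not a response to our query")
    if hdr["flags"] & FLAG_TC:
        return "retry_tcp", tcp_frame(query)
    return "done", udp_response


if __name__ == "__main__":
    q_plain = build_query(0x1234, "example.com", qtype=TYPE_TXT)
    q_edns = build_query(0x1234, "example.com", qtype=TYPE_TXT, edns_bufsize=EDNS_BUFSIZE)
    full = make_txt_response(q_plain, 900)
    for q in (q_plain, q_edns):
        step, payload = client_next_step(q, server_udp_reply(q, full))
        print(f"limit={requester_udp_limit(q)} answer={len(full)}B -> {step} ({len(payload)}B)")
```

The amplification point follows from the same code path: a forged UDP source address gets at most a truncated header-plus-question back, and the large answer only travels over a TCP connection the real requester had to complete.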
> probably because the people who originally designed DNSSEC (and DNS) couldn't believe that people would be crazy enough to try to keep their DNS records secret
I wonder if it's time to just retire this mechanism. In 2025 you'd have to be crazy to not use encryption with an internet-facing host, which in practice usually means TLS, which means your hostname is already logged in Certificate Transparency logs and trivially enumerated.
> couldn't believe that people would be crazy enough to try to keep their DNS records secret
You'd hope people working on DNS would have had broader actual experience with it. There was an ironic lack of paranoia in the DNSSEC people and they seemed overly focused on one peculiar problem, which is, it's easy to spoof DNS responses when you typically only have at most 2**16 - 1024 ports to choose from. They sort of ignored everything else.
> If by "resolvers" you mean "local resolution-only servers", then that's common, but arguably bad, practice.
I haven't kept pace with DNSSEC, but originally, this was the _recommended_ configuration. Has that changed?
> Anyway, using TCP also neuters DNS as a DoS amplifier,
We're ensuring all servers support TCP, but we're not anywhere near dropping UDP.
They did recommend it at one point. But I don't think that makes it not-bad. It was long enough ago that they might have been worried about crypto performance; I don't know.
> Instead, people want to capitalize on someone else's hard work for free.
This would only make sense if there _wasn't_ free video standards competing with HDMI. How is it that one group managed to do this for free yet the other group charges clearly exorbitant rates for a nearly equivalent product.
> They own IP.
That isn't nearly as valuable as they say it is. They only do this to prevent piracy and not to promote any useful technical standard.
> People want to use that IP.
People are _forced_ to because the same group practically gives away their technology under certain conditions so their connectors get added to nearly every extant device. I don't _want_ to use HDMI. I'm simply _forced_ to through market manipulation.
> want to make money.
Selling drugs would earn them more money. Why don't we tolerate that? It could, under some torturous logic, be just another "standard business practice." In fact, looking at our laws I see tons of "standard business practices" that are now flatly illegal.
The law is a tool. It can be changed. It should be changed. The citizens pay for 85% of it while businesses only pay 7%. Why do their "standard practices" hold a candle to the "needs of the citizens"?
It all stems from the companies behind the HDMI authority. It's basically all of the major AV device makers circa early 2000s. They wrote the spec and added it to all of their products. DisplayPort wasn't around just yet, so HDMI just beat it to market. Since everyone needed an HDMI thing to go with their HDMI thing, everyone else jumped on the HDMI bandwagon. Although I'm really not sure how HDMI managed to get its way into PCs. DisplayPort should have just cornered the entire market; it's very popular on business-class machines. I'm guessing HTPCs and people wanting to put big TVs on their PCs is what led to the adoption.
I think the HDMI connectors popped up at the same time screens switched from 16:10 (VESA compatible at the time) to 16:9 to be more cost effective for the manufacturers. But I’m not sure why. I looked at graphicscards and wondered why HDMI suddenly gained traction in the PC space even after the release of DisplayPort. I think this should never have happened.
Same thing applies to PCI. I can get USB specs for free from USB-IF. But the PCI and PCIe specs cost $4000 plus. Just so I can write my own PCI driver. Legally, I mean. Oh, there are external references, but what if I want the authoritative documentation? Should I have to pay thousands and thousands for access (!) to a standard that is ubiquitous in every sense of the word? There is, to me, a point at which ubiquity trumps any "IP rights" the standards org would have.
That’s true for earlier iterations, but definitely not for an actual HDMI 2.1 signal. I think you can still connect to a DVI-D monitor and the source will automatically downgrade, but I haven’t tried it in a very long time.
> This is an absurd concept when it comes to international trade.
In this case it's just wrong. I don't know what people think "e-waste" recycling actually is or what happens to their "unrepairable" units after they rid themselves of them.
> Even intellectual property is mostly meaningless outside a state.
Interestingly, the Dollar is most definitely meaningful outside of our state. I think the assumption becomes that, if this is true, then using its power to enforce trade sanctions isn't that big a stretch.
> Of course people will evade sanctions
What's less clear if they should expect their government to actively help them in this evasion or not. I think the Chinese citizens are in unique international territory here.
> what is the us going to do, invade singapore or malaysia?
Deny our exports to them. This will cost the political donor class a lot of profits. So this is why it doesn't get done.
None of this is a fait accompli. This is the result of years of intentional corruption of the core systems involved.
Your dismissive tone is really discouraging me from replying with a legitimate answer to your concerns.
So you only get: people have been predicting the imminent demise of Apple every year for the last 20 and they are still the most valuable non-bubble stock in existence by a country mile.
Keep whining, I'm going to retire early on your whining.
Once again. It's great you earned money. Does it not bother you that you could have earned TWICE as much if the company didn't make so many stupid bets?
To completely ignore this obvious and clear point from the outset to crow about your stock market gains is absolutely the type of irrationality I was describing.
I'm not dismissing you. You've just failed to address the actual point.
> Back then, me and other old-timers were answering about 4,000 new-hire questions a month.
> Then in December, Claude finally got good enough to answer some of those questions for us.
What getting high on your own supply actually looks like. These are not the types of questions most people have or need answered. It's unique to the hiring process and the nascent status of the technology. It seems insane to stretch this logic to literally any other arena.
On top of that horses were initially replaced with _stationary_ gasoline engines. Horses:Cars is an invalid view into the historical scenario.
You're misremembering. It's the "Windsor V8." Or more specifically the "4.8L Windsor Ford V8."