On 10/20/15, 5:02 PM, "rssac-caucus-bounces@icann.org on behalf of Ray Bellis" <rssac-caucus-bounces@icann.org on behalf of ray@isc.org> wrote:
On 20/10/2015 16:50, Wessels, Duane wrote:
Proposed Remedy:
Amend the paragraph above to read:
DNS query sizes are determined by the length of the entire DNS message. Thus, in practical terms, the transport headers (Ethernet, IP, and TCP or UDP etc) are removed leaving the DNS payload to measure. The DNS query message sizes should be recorded for both TCP and UDP. For TCP the DNS payload also includes a two-octet size prefix. Implementations should include these two octets in the calculation of message size.
My preference is that those two framing octets should be *excluded* from the calculation, and treated as if they were part of the transport overhead.
Whilst the current development version of BIND does include them, I believe that to be an oversight that should be corrected, and there's already a ticket in our bug tracking system requesting that.
My rationale is that with the 16-byte wide histograms it's impossible to do an exact 1:1 comparison of UDP packets against TCP packets. You can't tell from the binning whether the packets in a particular TCP bin might have gone into a different bin with UDP.
Even before this issue came up a couple of months ago it had caused me slight puzzlement when I discovered this quirk in BIND's stats channel when two packets that I expected to be in the same bin didn't get counted that way.
I am fine with explicitly saying either saying the payload size does or does not include the two-octet size prefix. Ray's logic here for exclusion seems fine. --Paul Hoffman