On Oct 20, 2015, at 5:02 PM, Ray Bellis <ray@isc.org> wrote:
On 20/10/2015 16:50, Wessels, Duane wrote:
Proposed Remedy:
Amend the paragraph above to read:
DNS query sizes are determined by the length of the entire DNS message. Thus, in practical terms, the transport headers (Ethernet, IP, and TCP or UDP etc) are removed leaving the DNS payload to measure. The DNS query message sizes should be recorded for both TCP and UDP. For TCP the DNS payload also includes a two-octet size prefix. Implementations should include these two octets in the calculation of message size.
My preference is that those two framing octets should be *excluded* from the calculation, and treated as if they were part of the transport overhead.
Whilst the current development version of BIND does include them, I believe that to be an oversight that should be corrected, and there's already a ticket in our bug tracking system requesting that.
My rationale is that with the 16-byte wide histograms it's impossible to do an exact 1:1 comparison of UDP packets against TCP packets. You can't tell from the binning whether the packets in a particular TCP bin might have gone into a different bin with UDP.
Ray, I don't really get this argument. I don't see why the "width" of the histogram matters. And I don't see, from an RSSAC-002 perspective, why it matters if packets end up in the same bin or not. The measurements are highly aggregated.

DW
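
The binning question debated in this thread, as an added example that is not code from BIND, RSSAC-002, or either participant: it splits a TCP byte stream on the two-octet size prefix and builds 16-byte-wide histograms with the prefix excluded and included. The bin label format, the function names, and the sample payloads are assumptions made for the illustration.

```python
import struct
from collections import Counter

BIN_WIDTH = 16  # histogram bin width mentioned in the thread


def split_tcp_stream(stream: bytes):
    """Yield each DNS message from a TCP stream framed with a two-octet size prefix."""
    offset = 0
    while offset < len(stream):
        if offset + 2 > len(stream):
            raise ValueError("truncated size prefix")
        (length,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        if offset + length > len(stream):
            raise ValueError("truncated DNS message")
        yield stream[offset:offset + length]
        offset += length


def bin_label(size: int) -> str:
    """Label of the 16-octet bin a size falls into (label format is an assumption)."""
    low = (size // BIN_WIDTH) * BIN_WIDTH
    return f"{low}-{low + BIN_WIDTH - 1}"


def histogram(sizes) -> Counter:
    return Counter(bin_label(s) for s in sizes)


def tcp_histograms(stream: bytes):
    """Return (prefix excluded, prefix included) histograms for one TCP stream."""
    payload_sizes = [len(msg) for msg in split_tcp_stream(stream)]
    return histogram(payload_sizes), histogram(s + 2 for s in payload_sizes)


def frame(msg: bytes) -> bytes:
    """Prepend the two-octet size prefix used for DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg


# Constructed sample: zero-filled payloads of 29, 30 and 31 octets standing in for queries.
SAMPLE_STREAM = b"".join(frame(bytes(n)) for n in (29, 30, 31))

if __name__ == "__main__":
    excluded, included = tcp_histograms(SAMPLE_STREAM)
    print("prefix excluded:", dict(excluded))
    print("prefix included:", dict(included))
```

Only messages whose length leaves a remainder of 14 or 15 when divided by 16 change bins when the two octets are counted.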