Xun Fan wrote:
> I want to emphasize here that my proposal is to use TCP only for
> off-net users; for all users inside the same network as the OR, they just
> keep using UDP.

i've been following this thread. i have not yet seen a motive for offering ubiquitous wide area dns services, whether by udp or tcp. can you explain what positive outcome you predict for the 20+ million open resolvers that jared's scan found last weekend, if instead of simply closing them down and avoiding the creation of any new ones, we do as you suggest and upgrade them to return TC=1 under UDP and to respond normally to TCP? what in other words is your proposed use case for 20+ million open resolvers? if it's "to support research" then i'll agree with vernon who said that the benefit of research does not outshine the cost of maintaining such a ubiquitous service.

(for example, since a TC=1 packet is still a packet even though smaller, it's a good reflection tool for attacks, even if non-amplifying. to make it safe at scale you'd have to implement something like RRL to also cut the number of responses. this is new state and new logic, whose cost has to be taken into account.)

> As I said before, if there are millions of off-net users, then the
> administrator of the OR will make the judgement, probably won't close
> their OR.

this sounds like a response to something that has not been proposed. no one is saying you can't run an OR if you want to, only that (a) if you run it you should monitor it as closely as google and opendns monitor theirs; and (b) openness should not be the default setting such that it's on even for users who do not explicitly want it to be on.

paul
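As an added illustration of paul's point (this is not code from the thread or from any resolver software): the script below builds a minimal TC=1 reply for a wire-format query and shows that the reply is the same size as the query, so a resolver answering this way still reflects one packet per spoofed query. It then models the extra state RRL needs, a per-source counter, and measures how much that cuts the bytes reflected toward a spoofed address. The transaction id, name, source address and flood size are constructed sample values; the limiter is a simplified per-second window rather than any real RRL implementation.

```python
import struct
from collections import defaultdict

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # response
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Wire-format query: 12-byte header plus one question (constructed input)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def build_tc_response(query: bytes) -> bytes:
    """Minimal truncated reply: echo id and question, set QR and TC, carry no answers.
    Assumes a single question and no EDNS OPT record (true for build_query output)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    question = query[12:]
    resp_flags = QR | TC | RA | (flags & RD)
    return struct.pack("!HHHHHH", txid, resp_flags, qdcount, 0, 0, 0) + question


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set in a DNS message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC)


class ResponseRateLimiter:
    """Per-source limiter: at most `rate` responses per wall-clock second per client.
    This dictionary is the 'new state' a resolver must keep to rate-limit TC=1 replies."""

    def __init__(self, rate: int):
        self.rate = rate
        self.windows = defaultdict(lambda: [None, 0])  # src -> [second, count]

    def allow(self, src: str, now: float) -> bool:
        bucket = self.windows[src]
        sec = int(now)
        if bucket[0] != sec:            # new second: reset the counter
            bucket[0], bucket[1] = sec, 0
        if bucket[1] < self.rate:
            bucket[1] += 1
            return True
        return False                    # over budget: drop, do not reflect


def reflected_bytes(queries, limiter=None) -> int:
    """Bytes sent toward the (possibly spoofed) source for a stream of
    (timestamp, src, wire_query) tuples, with or without a limiter."""
    total = 0
    for ts, src, q in queries:
        if limiter is None or limiter.allow(src, ts):
            total += len(build_tc_response(q))
    return total


def demo():
    """Constructed flood: 1000 identical queries in one second from one spoofed source."""
    q = build_query(0x1234, "example.com")
    flood = [(0.001 * i, "192.0.2.1", q) for i in range(1000)]
    without = reflected_bytes(flood)
    with_rrl = reflected_bytes(flood, ResponseRateLimiter(rate=5))
    return len(q), len(build_tc_response(q)), without, with_rrl


if __name__ == "__main__":
    qlen, rlen, without, with_rrl = demo()
    print(f"query {qlen} bytes, TC=1 reply {rlen} bytes (ratio {rlen / qlen:.1f})")
    print(f"reflected without RRL: {without} bytes; with RRL (5/s): {with_rrl} bytes")
```

The query/reply ratio of 1.0 is the "non-amplifying but still a packet" case the message describes; only the limiter, with its per-source table, reduces the number of packets leaving the resolver.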