Hi Ted,

On Tue, Aug 4, 2015 at 11:50 AM, Ted Lemon <ted.le...@nominum.com> wrote:
> On Aug 4, 2015, at 4:20 AM, Mark Andrews <ma...@isc.org> wrote:
>> If you are under attack the current method is to drop or send back TC=1.  TC=1
>> means managing many more TCP sessions on both the server and client side.
>> With cookies it is drop or BADCOOKIE which keeps the traffic on UDP if there
>> isn't a good server cookie.
>
> This is the current method BIND uses.   BIND is not renowned for its ability
> to weather DDoS attacks.   Your other assertions are false, and I already
> explained why.   You cannot drop no-cookie queries without increasing the
> effectiveness of the DDoS attack.

You have misinterpreted Mark's message. I don't think his message had
anything to do with always dropping no-cookie requests. (By the way,
the draft tries to be careful to use request and response since it
isn't just about queries.) I think Mark was pointing out that if you
are under attack and want to use weak authentication to help resist
that attack, there is no particular reason to push cookie-supporting
clients to TCP to provide that authentication. COOKIEs provide weak
authentication roughly equivalent to TCP while continuing to use less
burdensome UDP.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e...@gmail.com
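The server-side decision the two messages above describe (TC=1 forcing a TCP retry for clients without cookies, versus BADCOOKIE plus a fresh server cookie that keeps cookie-capable clients on UDP), modelled as a small added example. This is illustrative code written for this thread, not BIND's implementation or text from the draft. It assumes a server cookie derived as HMAC-SHA256 over the client cookie and source address truncated to 8 bytes (the draft leaves the algorithm to the server), a constructed server secret, and a constructed client cookie; the `under_attack` flag stands in for whatever load signal a real server would use.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed server secret for the example; a real server rotates a random one.
SERVER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def server_cookie(client_cookie: bytes, client_ip: str, secret: bytes = SERVER_SECRET) -> bytes:
    """Derive an 8-byte server cookie bound to the client cookie and source address.
    Assumption: HMAC-SHA256 truncated to 8 bytes; the algorithm is a server-local choice."""
    mac = hmac.new(secret, client_cookie + client_ip.encode("ascii"), hashlib.sha256).digest()
    return mac[:8]


@dataclass
class Request:
    client_ip: str
    client_cookie: Optional[bytes]   # None: request carries no COOKIE option at all
    server_cookie: Optional[bytes]   # None: only a client cookie is present


@dataclass
class Response:
    action: str                      # "answer", "tc1" or "badcookie"
    transport: str                   # transport the client is expected to use next
    server_cookie: Optional[bytes] = None


def handle(req: Request, under_attack: bool) -> Response:
    """Decide how to respond, following the policy discussed in the thread."""
    if req.client_cookie is None:
        # No cookie: the only weak source authentication left is the TCP handshake,
        # so under attack the server answers TC=1 and pushes the client to TCP.
        if under_attack:
            return Response("tc1", "tcp")
        return Response("answer", "udp")

    expected = server_cookie(req.client_cookie, req.client_ip)
    if req.server_cookie is not None and hmac.compare_digest(req.server_cookie, expected):
        # Valid server cookie: the source address has been weakly authenticated over UDP.
        return Response("answer", "udp", expected)

    # Missing or stale server cookie: stay on UDP and hand back a fresh server cookie.
    # Under attack the server withholds the answer (BADCOOKIE) until the client echoes it.
    if under_attack:
        return Response("badcookie", "udp", expected)
    return Response("answer", "udp", expected)


def exchange(client_ip: str, client_cookie: bytes, under_attack: bool) -> List[str]:
    """Walk one cookie-capable client through its first contact with the server.
    Returns the sequence of server actions; a client without a cached server cookie
    needs at most one BADCOOKIE round trip, all of it on UDP."""
    actions = []
    first = handle(Request(client_ip, client_cookie, None), under_attack)
    actions.append(first.action)
    if first.action == "badcookie":
        retry = handle(Request(client_ip, client_cookie, first.server_cookie), under_attack)
        actions.append(retry.action)
    return actions


if __name__ == "__main__":
    cc = bytes.fromhex("0102030405060708")  # constructed client cookie
    print("no cookie, under attack :", handle(Request("192.0.2.1", None, None), True).action)
    print("cookie client, attack   :", exchange("192.0.2.1", cc, True))
    print("cookie client, calm     :", exchange("192.0.2.1", cc, False))
```

The `exchange` function shows the point Donald is making: a cookie-capable client that arrives under attack pays one BADCOOKIE round trip on UDP and is then answered, whereas a client without cookies is pushed onto TCP. Because the server cookie is bound to the source address, a spoofed request that replays someone else's cookie from a different address still lands in the BADCOOKIE path.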

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
