Hi Ted,

On Tue, Aug 4, 2015 at 11:50 AM, Ted Lemon <ted.le...@nominum.com> wrote:
> On Aug 4, 2015, at 4:20 AM, Mark Andrews <ma...@isc.org> wrote:
>> If you are under attack the current method drop or send back TC=1. TC=1
>> means managing many more TCP session on both the server and client side.
>> With cookies it is drop or BADCOOKIE which keeps the traffic on UDP if there
>> isn't a good server cookie.
>
> This is the current method BIND uses. BIND is not renowned for its ability
> to weather DDoS attacks. Your other assertions are false, and I already
> explained why. You cannot drop no-cookie queries without increasing the
> effectiveness of the DDoS attack.
You have misinterpreted Mark's message. I don't think his message had anything to do with always dropping no-cookie requests. (By the way, the draft tries to be careful to use request and response since it isn't just about queries.)

I think Mark was pointing out that if you are under attack and want to use weak authentication to help resist that attack, there is no particular reason to push cookie-supporting clients to TCP to provide that authentication. COOKIEs provide weak authentication roughly equivalent to TCP while continuing to use less burdensome UDP.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e...@gmail.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
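The exchange the two messages argue about, as an added simulation that is not code from BIND, from the cookies draft, or from any participant in the thread: a server under attack answers legacy (no-COOKIE) requests with TC=1, answers cookie-aware requests that lack a valid server cookie with a small BADCOOKIE reply over UDP, and spends the expensive answer path only on requests carrying a server cookie bound to the source address. Messages are plain Python dicts rather than DNS wire format, the server-cookie construction (minute counter plus a truncated HMAC over client cookie, source IP and counter) is one assumed choice among those the spec permits, and the client cookie is a per-client random value rather than the per-server derivation the spec recommends. Option code 10 and extended RCODE 23 (BADCOOKIE) are the values RFC 7873 later assigned; the IP addresses and secrets below are constructed.

```python
"""Simulation of DNS COOKIE weak authentication (RFC 7873 style).

Illustrative code added to the thread, not from BIND or the draft.
Requests/responses are dicts and namedtuples, not DNS packets."""
import hashlib
import hmac
import os
import time
from collections import namedtuple

OPT_COOKIE = 10           # EDNS option code for COOKIE (RFC 7873)
RCODE_NOERROR = 0
RCODE_FORMERR = 1
RCODE_BADCOOKIE = 23      # extended RCODE defined by RFC 7873

# rcode: response code; tc: TC bit set (go to TCP); cookie: COOKIE option
# returned (client cookie || server cookie); answered: full answer built.
Response = namedtuple("Response", "rcode tc cookie answered")


class CookieServer:
    """Server side of the COOKIE exchange with an 'under attack' switch."""

    def __init__(self, secret, under_attack=False, clock=time.time):
        self.secret = secret              # rotated periodically in practice
        self.under_attack = under_attack
        self.clock = clock                # injectable for deterministic tests
        self.answered = 0                 # requests that reached the expensive path

    def _minute(self):
        return int(self.clock()) // 60

    def server_cookie(self, client_cookie, client_ip, minute=None):
        # Assumed construction: 4-byte minute counter || first 8 bytes of
        # HMAC-SHA256(secret, client cookie || source IP || counter).
        # Binding to the source IP is what a spoofed request cannot reproduce.
        if minute is None:
            minute = self._minute()
        ts = minute.to_bytes(4, "big")
        mac = hmac.new(self.secret, client_cookie + client_ip.encode() + ts,
                       hashlib.sha256).digest()[:8]
        return ts + mac

    def valid_server_cookie(self, sc, client_cookie, client_ip):
        if len(sc) != 12:
            return False
        minute = int.from_bytes(sc[:4], "big")
        if not self._minute() - 60 <= minute <= self._minute():
            return False                  # older than an hour, or from the future
        expected = self.server_cookie(client_cookie, client_ip, minute)
        return hmac.compare_digest(sc, expected)

    def handle(self, request, src_ip):
        cookie = request.get("cookie")
        if cookie is None:
            # Legacy client: under attack the only tools are drop or TC=1,
            # and TC=1 costs a TCP session on both ends.
            if self.under_attack:
                return Response(RCODE_NOERROR, True, None, False)
            self.answered += 1
            return Response(RCODE_NOERROR, False, None, True)
        cc, sc = cookie[:8], cookie[8:]
        if len(cc) != 8 or (sc and not 8 <= len(sc) <= 32):
            return Response(RCODE_FORMERR, False, None, False)
        fresh = cc + self.server_cookie(cc, src_ip)
        if self.under_attack and not self.valid_server_cookie(sc, cc, src_ip):
            # Cookie-aware client without a good server cookie: small
            # BADCOOKIE reply carrying a fresh server cookie, still on UDP.
            return Response(RCODE_BADCOOKIE, False, fresh, False)
        self.answered += 1                # when idle, answer and hand out a cookie
        return Response(RCODE_NOERROR, False, fresh, True)


class CookieClient:
    """Client that remembers the server cookie and retries once on BADCOOKIE."""

    def __init__(self, ip):
        self.ip = ip
        self.client_cookie = os.urandom(8)   # simplification: not per-server
        self.server_cookie = b""

    def request(self):
        return {"qname": "example.", "cookie": self.client_cookie + self.server_cookie}

    def learn(self, resp):
        if resp.cookie and resp.cookie[:8] == self.client_cookie:
            self.server_cookie = resp.cookie[8:]

    def resolve(self, server):
        resp = server.handle(self.request(), self.ip)
        if resp.rcode == RCODE_BADCOOKIE:
            self.learn(resp)
            resp = server.handle(self.request(), self.ip)
        self.learn(resp)
        return resp


def scenario(clock=lambda: 1_700_000_000):
    """Run the cases argued about above against a server under attack."""
    server = CookieServer(os.urandom(32), under_attack=True, clock=clock)
    client = CookieClient("192.0.2.1")                           # constructed
    first = server.handle(client.request(), client.ip)           # no server cookie yet
    final = client.resolve(server)                               # BADCOOKIE, then answer
    legacy = server.handle({"qname": "example."}, "192.0.2.2")   # no COOKIE option
    spoofed = server.handle({"qname": "example.", "cookie": os.urandom(8)},
                            "192.0.2.1")                         # forged source
    replayed = server.handle(client.request(), "198.51.100.9")   # stolen cookie, other IP
    return {"first": first, "final": final, "legacy": legacy, "spoofed": spoofed,
            "replayed": replayed, "answered": server.answered}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

Only the cookie-aware client that completed the UDP round trip reaches the answer path; the legacy client is pushed to TCP, and the spoofed and replayed requests get nothing larger than a BADCOOKIE reply.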