Hi Ted,

On Tue, Aug 4, 2015 at 11:47 AM, Ted Lemon <ted.le...@nominum.com> wrote:
>...
>
> To recap, the reason that I think cookies are more expensive than DNSSEC in
> practice is that for cookies to be deployed in the real world, the DNS
> server implementing them will need to maintain state: the fact that a client
> has not presented a cookie cannot in itself be a reason to drop that
> client’s request. DNSSEC does result in larger packets being sent, it’s

There is nothing in this draft about the server maintaining state other than its small server secret. The draft makes it clear that the situation for requests without a COOKIE is the same as it is now. So, COOKIEs don't help in the case of a client that doesn't implement them except that the server sees that that client didn't implement COOKIEs (or didn't implement OPT) and can take that into account in whatever policy-based determinations it makes whether or how often it processes/discards requests or limits rates or replies suggesting TCP or whatever. Why can't a server just provide degraded service to client requests without cookies (which in some cases might mean providing degraded service to forged requests claiming to be from a cookie-supporting client while providing better service for genuine requests from that client)?

> true, but this is a relatively small load for the server, since these
> packets can be served directly out of the database, and don’t need to be
> computed, nor does special per-client behavior need to be implemented.

What about the cryptographic computations at the client? And the problem with the much larger responses wasn't necessarily at the server but at the client, which probably has a narrower pipe than the server and may be getting sprayed with traffic from many servers.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e...@gmail.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop