On Tue, 4 Aug 2015, Ted Lemon wrote:

On Aug 4, 2015, at 12:35 PM, Donald Eastlake <d3e...@gmail.com> wrote:
      There is nothing in this draft about the server maintaining state
      other than its small server secret.

I know that. The problem is that in order to avoid the negative consequences
of DNS cookies when they are not widely implemented, you have to maintain state.

I don't see that, despite you bringing this up a few times.

The server sends back a packet with cookie request and completely forgets
about the query. There is no state.

The confusion is introduced by the term "negative consequences of DNS
cookies when they are not widely implemented". If the client fails
to understand the packet, and it is a legitimate client, it will ask
again. If it is a botnet, it never sees the answer (and asks again anyway
because it is doing a DDoS). If the legitimate client would not get
an answer because the server is about to topple over, it would also ask
again. So I do not understand what these "negative consequences" are.

However, if a client does understand cookies and the server receives
back a cookie, it can give that request a higher preference and answer
it in favour of sending cookie requests to clients that did not send
requests with cookies.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
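The exchange Paul describes, as an added illustration that is not part of the thread and not any draft's or implementation's own code: the server holds nothing but its secret, computes a server cookie as a keyed MAC over the client cookie and client address, recomputes and compares it on the next query, and under load answers only queries that echo a valid cookie while everything else gets a cookie-only reply and is immediately forgotten. The HMAC-SHA256 construction, the 8-byte truncation, the `Request` tuple, the `under_load` switch and the sample addresses are all assumptions chosen for the example, not the algorithm of the draft under discussion.

```python
import hmac
import hashlib
import ipaddress
from collections import namedtuple

# Constructed sample value: the only per-server state is this secret.
SERVER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

# Hypothetical minimal view of an incoming query (not a real wire format).
Request = namedtuple("Request", "client_ip client_cookie server_cookie qname")


def make_server_cookie(secret, client_cookie, client_ip):
    """Stateless server cookie (assumed construction): a keyed MAC over the
    client's cookie and source address, truncated to 8 bytes. Nothing is
    stored per client; the server simply recomputes it on the next query."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be 8 bytes")
    msg = client_cookie + ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def cookie_is_valid(secret, req):
    """True only if the echoed server cookie matches what this secret
    produces for this client cookie and this source address."""
    if req.client_cookie is None or req.server_cookie is None:
        return False
    expected = make_server_cookie(secret, req.client_cookie, req.client_ip)
    return hmac.compare_digest(expected, req.server_cookie)


def handle(secret, req, under_load):
    """Triage policy (assumed): returns ('answer' | 'cookie_only', cookie).

    A query carrying a valid server cookie is always answered. Without one,
    the server answers only when it has capacity; under load it hands back
    just a fresh cookie and forgets the query. A legitimate client re-asks
    with that cookie; a spoofed-source flood never sees the reply."""
    fresh = None
    if req.client_cookie is not None:
        fresh = make_server_cookie(secret, req.client_cookie, req.client_ip)
    if cookie_is_valid(secret, req) or not under_load:
        return ("answer", fresh)
    return ("cookie_only", fresh)


def round_trip(secret, client_ip, client_cookie, under_load=True):
    """A cookie-aware client's first query under load gets a cookie but no
    answer; re-asking with that cookie is answered. No state is kept in
    between: the second query is verified purely from the secret."""
    first = Request(client_ip, client_cookie, None, "example.com")
    verdict1, cookie = handle(secret, first, under_load)
    second = Request(client_ip, client_cookie, cookie, "example.com")
    verdict2, _ = handle(secret, second, under_load)
    return verdict1, verdict2


if __name__ == "__main__":
    print(round_trip(SERVER_SECRET, "192.0.2.10", b"\x01" * 8))
```

Because the cookie is bound to the source address, a cookie harvested at one address does not validate from another, and a client that sends no cookie at all is treated like any other unverified source when the server is busy; none of this requires the server to remember any query it has seen.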