On 14 Oct 2015, at 8:20, Sara Dickinson wrote:
> Section 6.2.3 Idle Timeouts > > @@ -477,6 +477,12 @@ > specified in [RFC1035]. Servers MAY use zero timeouts when > experiencing heavy load or are under attack. > > + DNS messages delivered over TCP might arrive in multiple segments. A > + DNS server that resets its idle timeout after receiving a single > + segment might be vulnerable to a "slow read attack." For this > + reason, servers SHOULD apply the idle timeout to the receipt of a > + full DNS message, rather than to receipt of a TCP segment. > + > > Section 8 TCP Message Field Lengths > > @@ -542,7 +549,18 @@ > problems due to some DNS servers being very sensitive to timeout > conditions on receiving messages (they might abort a TCP session if > the first TCP segment does not contain both the length field and the > - entire message) > + entire message). Such behavior is certainly undesirable. As > + described in [6.2.3], servers SHOULD apply connection timeouts to the > + receipt of a full message and MUST NOT close a connection simply > + because the first segment does not contain the entire message. I think that's a great improvement and I think the advice is clear and good. Joe _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
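Review bot: In the Section 6.2.3 hunk, the new paragraph says the idle timeout SHOULD apply to receipt of a full DNS message but never says what the server does when the timer fires with a partial message buffered; one sentence stating that the connection is closed and the incomplete message discarded would close that gap. The behaviour described (a client trickling a request in small segments to hold the connection open) is a slow-send pattern rather than a "slow read attack", which usually refers to a client draining the response slowly; either name it as such or cite the source the term is taken from, e.g. "might be vulnerable to a slow-send attack (cf. [reference])". It would also help to note that resetting the timer per message still leaves a bound only per message, so a server may additionally limit the total time allowed to receive one message.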
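Review bot: In the Section 8 hunk, "[6.2.3]" reads as a bibliographic citation rather than a cross-reference; it should be "Section 6.2.3". The requirement level also drifts between the two hunks: Section 6.2.3 says servers SHOULD apply the idle timeout to a full message, while this hunk says they MUST NOT close a connection simply because the first segment lacks the entire message. Since the preceding context still allows zero timeouts under heavy load or attack, either align the levels or make the carve-out explicit, e.g. "and MUST NOT close a connection simply because the first segment does not contain the entire message, except as permitted by the zero-timeout provision of Section 6.2.3."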