On Friday, October 16, 2015 13:58:00 Joe Abley wrote:
> On 16 Oct 2015, at 13:15, Paul Hoffman wrote:
> > On 16 Oct 2015, at 10:07, Darcy Kevin (FCA) wrote:
> >> Let's see, millions of full-service resolvers, times the packet-count
> >> differential between UDP and TCP, times the average reload/restart
> >> frequency of those full-service resolvers per day/week/month. Can't a
> >> case be made from sheer volume?
> >
> > The root operators have shown no concern about legitimate resolvers
> > asking a lot more queries.
i am a root operator and i reject your characterization of my position. i don't want tcp tried first, ever. i understand that tcp would be tried first, for new-fangled clients who want to try to negotiate persistent tcp. but that should not include the priming query, because root name servers are expected to have a large number of rdns servers to serve, and tcpcb's will always be finite.

> > Given that using TCP for priming helps
> > mitigate an injection attack,

given that tcp is often blocked by firewalls since udp mostly just works and has always been tried first, i think that leaning on tcp to help with a priming injection attack has a low success likelihood. let's get the injection attack solved in other ways, for example, using dns cookies.

--
Paul
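The message above argues for solving priming-response injection with DNS cookies rather than TCP. As an added example, not code from this thread, from any root operator, or from any resolver implementation, the Python below builds a root priming query (`. IN NS`) over UDP carrying an EDNS(0) COOKIE option (option code 10, RFC 7873) and validates a reply the way a cookie-aware resolver would: transaction ID and QR bit must match, and the first 8 bytes of the COOKIE option in the reply must echo the client cookie the resolver chose. An off-path attacker who guesses the 16-bit ID can still not echo a cookie it never saw. The sample responses, the server name `ns.example` and the 192.0.2.1 glue address are constructed here and are not real root-server data.

```python
import os
import struct

COOKIE_OPT = 10   # EDNS(0) option code for DNS COOKIE (RFC 7873)
OPT_TYPE = 41     # EDNS(0) OPT pseudo-RR type
NS_TYPE = 2
A_TYPE = 1
IN_CLASS = 1
UDP_PAYLOAD = 1232


def _name(labels):
    """Encode a list of labels as an uncompressed wire-format name."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _opt_rr(cookie):
    """OPT pseudo-RR (name '.') carrying a single COOKIE option."""
    rdata = struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, len(rdata)) + rdata


def build_priming_query(txid, client_cookie):
    """Root priming query (. IN NS) with an 8-byte client cookie in the OPT RR."""
    assert len(client_cookie) == 8
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)  # QR=0, RD=0, QDCOUNT=1, ARCOUNT=1
    question = b"\x00" + struct.pack("!HH", NS_TYPE, IN_CLASS)   # name '.', type NS, class IN
    return header + question + _opt_rr(client_cookie)


def build_sample_response(txid, client_cookie, server_cookie=None):
    """Constructed priming response (not real root data): one NS answer, one A glue
    record, plus an OPT RR echoing client+server cookie when server_cookie is given."""
    has_opt = server_cookie is not None
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 2 if has_opt else 1)  # QR=1
    question = b"\x00" + struct.pack("!HH", NS_TYPE, IN_CLASS)
    ns_name = _name(["ns", "example"])                       # assumed server name
    answer = b"\x00" + struct.pack("!HHIH", NS_TYPE, IN_CLASS, 518400, len(ns_name)) + ns_name
    glue = ns_name + struct.pack("!HHIH", A_TYPE, IN_CLASS, 518400, 4) + bytes([192, 0, 2, 1])  # TEST-NET-1
    msg = header + question + answer + glue
    if has_opt:
        msg += _opt_rr(client_cookie + server_cookie)
    return msg


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def extract_cookie(msg):
    """Return (txid, cookie bytes or None) by walking to the OPT RR in the additional section."""
    txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                       # question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns):                  # skip answer and authority RRs
        off = _skip_name(msg, off)
        rdlen = struct.unpack_from("!H", msg, off + 8)[0]
        off += 10 + rdlen
    cookie = None
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:
            o = 0
            while o + 4 <= len(rdata):        # iterate EDNS options: code, length, data
                code, olen = struct.unpack_from("!HH", rdata, o)
                o += 4
                if code == COOKIE_OPT:
                    cookie = rdata[o:o + olen]
                o += olen
    return txid, cookie


def validate_priming_response(txid, client_cookie, response):
    """Accept only a reply whose ID matches, whose QR bit is set, and whose COOKIE
    option is a full client+server cookie (16..40 bytes) echoing our client cookie."""
    if len(response) < 12:
        return False
    rtxid, flags = struct.unpack_from("!HH", response, 0)
    if rtxid != txid or not flags & 0x8000:
        return False
    _, cookie = extract_cookie(response)
    if cookie is None or not 16 <= len(cookie) <= 40:
        return False
    return cookie[:8] == client_cookie


if __name__ == "__main__":
    cc = os.urandom(8)                        # fresh client cookie per server, as RFC 7873 suggests
    q = build_priming_query(0x1234, cc)
    print("query bytes:", len(q))
    print("genuine reply accepted:", validate_priming_response(0x1234, cc, build_sample_response(0x1234, cc, b"\xaa" * 8)))
    print("ID-guessing spoof accepted:", validate_priming_response(0x1234, cc, build_sample_response(0x1234, b"\xff" * 8, b"\xaa" * 8)))
```

The check treats a reply with no COOKIE option as unverified, which is the strict policy; a real resolver only applies it once it knows the server supports cookies (RFC 7873 lets the client learn that from earlier replies), so a cookie-less reply from a server that never advertised support is a downgrade signal rather than proof of forgery. The server-cookie half is opaque to the client and is simply sent back on later queries.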
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop