On 16 Oct 2015, at 11:30, Paul Vixie wrote:

> On Friday, October 16, 2015 13:58:00 Joe Abley wrote:
>
>> On 16 Oct 2015, at 13:15, Paul Hoffman wrote:
>>
>>> On 16 Oct 2015, at 10:07, Darcy Kevin (FCA) wrote:
>>>
>>>> Let's see, millions of full-service resolvers, times the packet-count
>>>> differential between UDP and TCP, times the average reload/restart
>>>> frequency of those full-service resolvers per day/week/month. Can't a
>>>> case be made from sheer volume?
>>>
>>> The root operators have shown no concern about legitimate resolvers
>>> asking a lot more queries.
>
> i am a root operator and i reject your characterization of my position.

I meant the root operators as a group, not every single person who works
for or with a rootop.

> i don't want tcp tried first, ever. i understand that tcp would be tried
> first, for new-fangled clients who want to try to negotiate persistent
> tcp. but that should not include the priming query, because root name
> servers are expected to have a large number of rdns servers to serve, and
> tcpcb's will always be finite.

Are you arguing for a special case of "TCP to authoritative servers is
fine, but not for the root servers"? If so, that's an interesting
discussion for draft-ietf-dnsop-5966bis, which is still in WG Last Call.

>> Given that using TCP for priming helps mitigate an injection attack,
>
> given that tcp is often blocked by firewalls since udp mostly just works
> and has always been tried first, i think that leaning on tcp to help with
> a priming injection attack has a low success likelihood.

If a recursive resolver is behind a firewall that blocks TCP, the
priming query will time out and they will use UDP.

> let's get the injection attack solved in other ways, for example, using
> dns cookies.

If you believe that the extra CPU required for a root server to support
https://tools.ietf.org/html/draft-ietf-dnsop-cookies-05 is less of a
threat to the operations of the root server than that of persistent TCP
connections, it would be great to see a write-up on that. The
intelligent use of state for TCP seems to be similar to that for
cookies, but comes with some major advantages. If rootops as a group
support cookies instead of TCP, that's valuable information, but we
haven't heard that yet.
--Paul Hoffman
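As an added illustration of the state trade-off argued above (not code from the thread, the cookies draft, or any participant), the following shows how a server validates a DNS COOKIE EDNS0 option without keeping per-client state: it only recomputes a keyed hash over the source address and the client cookie. The option code 10 is the one assigned for COOKIE; the HMAC-SHA256 construction and the 16-byte server cookie length are assumptions for this example, not the draft's mandated algorithm.

```python
import hashlib
import hmac
import ipaddress
import struct

COOKIE_OPTION_CODE = 10  # EDNS0 COOKIE option code (RFC 7873)

def client_cookie(client_secret: bytes, server_ip: str) -> bytes:
    # 8-byte client cookie bound to the server address. Assumption: HMAC-SHA256
    # truncated to 8 bytes; the hash function is a local choice in the spec.
    addr = ipaddress.ip_address(server_ip).packed
    return hmac.new(client_secret, addr, hashlib.sha256).digest()[:8]

def server_cookie(server_secret: bytes, client_ip: str, ccookie: bytes) -> bytes:
    # 16-byte server cookie over (client address, client cookie). The server
    # holds only its secret, no per-client table, unlike a TCP control block.
    addr = ipaddress.ip_address(client_ip).packed
    return hmac.new(server_secret, addr + ccookie, hashlib.sha256).digest()[:16]

def encode_cookie_option(ccookie: bytes, scookie: bytes = b"") -> bytes:
    # Wire form of one EDNS0 option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA.
    data = ccookie + scookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data

def parse_cookie_option(option: bytes):
    # Return (client_cookie, server_cookie), or None when malformed.
    if len(option) < 4:
        return None
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:4 + length]
    if code != COOKIE_OPTION_CODE or len(data) != length:
        return None
    if len(data) == 8:                 # client cookie only
        return data, b""
    if 16 <= len(data) <= 40:          # 8-byte client part + 8..32-byte server part
        return data[:8], data[8:]
    return None

def check_cookie(server_secret: bytes, src_ip: str, option: bytes) -> str:
    # Classify a query as a stateless server would: "new" (client cookie only:
    #   answer and add a server cookie), "valid" (recomputes for this source),
    #   "bad" (malformed or mismatched source address, e.g. a spoofed query).
    parsed = parse_cookie_option(option)
    if parsed is None:
        return "bad"
    ccookie, scookie = parsed
    if not scookie:
        return "new"
    expected = server_cookie(server_secret, src_ip, ccookie)
    return "valid" if hmac.compare_digest(expected, scookie) else "bad"
```

The cost per query is one HMAC and a constant-time compare, which is the CPU-for-state trade the thread asks to be written up.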
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop