On 16 Oct 2015, at 11:30, Paul Vixie wrote:

On Friday, October 16, 2015 13:58:00 Joe Abley wrote:
On 16 Oct 2015, at 13:15, Paul Hoffman wrote:
On 16 Oct 2015, at 10:07, Darcy Kevin (FCA) wrote:
Let's see, millions of full-service resolvers, times the packet-count
differential between UDP and TCP, times the average reload/restart
frequency of those full-service resolvers per day/week/month. Can't a
case be made from sheer volume?

The root operators have shown no concern about legitimate resolvers
asking a lot more queries.

i am a root operator and i reject your characterization of my position.

I meant the root operators as a group, not every single person who works for or with a rootop.

i don't want tcp tried first, ever. i understand that tcp would be tried first, for new-fangled clients who want to try to negotiate persistent tcp. but that should not include the priming query, because root name servers are expected to have a large number of rdns servers to serve, and tcpcb's will always be finite.

Are you arguing for a special case of "TCP to authoritative servers is fine, but not for the root servers"? If so, that's an interesting discussion for draft-ietf-dnsop-5966bis, which is still in WG Last Call.


Given that using TCP for priming helps mitigate an injection attack,

given that tcp is often blocked by firewalls since udp mostly just works and has always been tried first, i think that leaning on tcp to help with a priming injection attack has a low success likelihood.

If a recursive resolver is behind a firewall that blocks TCP, the priming query will time out and they will use UDP.

let's get the injection attack solved in other ways, for example, using dns cookies.

If you believe that the extra CPU required for a root server to support https://tools.ietf.org/html/draft-ietf-dnsop-cookies-05 is less of a threat to the operations of the root server than that of persistent TCP connections, it would be great to see a write-up on that. The intelligent use of state for TCP seems to be similar to that for cookies, but comes with some major advantages. If rootops as a group support cookies instead of TCP, that's valuable information, but we haven't heard that yet.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
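The thread discusses three mechanics without showing them on the wire: what a root priming query looks like, how the same message is framed for TCP versus UDP, and the fallback Paul Hoffman describes (try TCP, fall back to UDP when a firewall makes TCP time out), with DNS Cookies as Paul Vixie's alternative. The following Python is an added illustration written for this page; it is not code from the thread, from any root operator, or from the cookies draft. It assumes the EDNS COOKIE option code 10 (as later assigned) and uses injected, constructed transport functions in place of real sockets so it runs offline; the minimal "server" only echoes the question and is a constructed stand-in, not root-server behaviour.

```python
"""Root priming query: TCP framing, UDP fallback, and reply matching.

Added example, not from the DNSOP thread. Transports are injected callables
(constructed stand-ins) so the logic can be exercised without the network.
"""
import os
import struct
from typing import Callable, Optional

NS_TYPE = 2
OPT_TYPE = 41
IN_CLASS = 1
COOKIE_OPTION = 10   # EDNS option code for DNS Cookies (assumption: as assigned in RFC 7873)


def build_priming_query(txid: int, client_cookie: Optional[bytes] = None) -> bytes:
    """Build a wire-format priming query: QNAME '.', QTYPE NS, QCLASS IN, RD=0."""
    arcount = 1 if client_cookie is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, arcount)
    # The root name '.' is a single zero-length label.
    question = b"\x00" + struct.pack("!HH", NS_TYPE, IN_CLASS)
    msg = header + question
    if client_cookie is not None:
        if len(client_cookie) != 8:
            raise ValueError("client cookie must be exactly 8 octets")
        option = struct.pack("!HH", COOKIE_OPTION, 8) + client_cookie
        # OPT RR: name '.', type OPT, UDP payload size 4096, ext-rcode/version/flags 0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(option)) + option
    return msg


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP every message carries a two-octet length prefix."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def response_matches(query: bytes, response: bytes) -> bool:
    """Accept a reply only if id, QR bit and the question section agree with the query.

    This is the basic check a resolver applies before trusting any reply, which
    is why a guessable id or an injectable path matters for priming.
    """
    if len(response) < 12 + 5:
        return False
    q, r = parse_header(query), parse_header(response)
    if q["id"] != r["id"] or r["qr"] != 1 or r["qdcount"] != 1:
        return False
    return query[12:17] == response[12:17]   # root question is exactly 5 octets


def prime(send_tcp: Callable[[bytes], bytes], send_udp: Callable[[bytes], bytes],
          client_cookie: Optional[bytes] = None):
    """Try TCP first; on timeout (e.g. TCP/53 filtered by a firewall) retry over UDP.

    Returns (transport_used, raw_response). Raises ValueError if the reply
    does not match the query.
    """
    txid = struct.unpack("!H", os.urandom(2))[0]
    query = build_priming_query(txid, client_cookie)
    try:
        reply = send_tcp(tcp_frame(query))[2:]   # strip the TCP length prefix
        transport = "tcp"
    except TimeoutError:
        reply = send_udp(query)
        transport = "udp"
    if not response_matches(query, reply):
        raise ValueError("response does not match query; discarded")
    return transport, reply


# --- constructed transports standing in for a root server and a firewall ---

def constructed_server(query: bytes) -> bytes:
    """Constructed stand-in: echoes id and question with QR=1 and no answers."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 0, 0, 0) + query[12:17]


def constructed_tcp_server(framed: bytes) -> bytes:
    return tcp_frame(constructed_server(framed[2:]))


def blocked_tcp(framed: bytes) -> bytes:
    """Constructed firewall behaviour: TCP never completes."""
    raise TimeoutError("TCP/53 filtered")


if __name__ == "__main__":
    print(prime(constructed_tcp_server, constructed_server))
    print(prime(blocked_tcp, constructed_server, client_cookie=os.urandom(8)))
```

The fallback path is the one Hoffman describes on this page: a blocked TCP port costs one timeout and the resolver continues over UDP. The match check shows what the resolver has to rely on when UDP is used without cookies: the transaction id and the question section, which is the state the cookie option (or a TCP connection) is meant to strengthen.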
