Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming

Fri, 16 Oct 2015 11:48:44 -0700 

On 16 Oct 2015, at 11:30, Paul Vixie wrote:


On Friday, October 16, 2015 13:58:00 Joe Abley wrote:

On 16 Oct 2015, at 13:15, Paul Hoffman wrote:

On 16 Oct 2015, at 10:07, Darcy Kevin (FCA) wrote:
Let's see, millions of full-service resolvers, times the packet-count 
differential between UDP and TCP, times the average reload/restart
frequency of those full-service resolvers per day/week/month. Can't a 
case be made from sheer volume?


The root operators have shown no concern about legitimate resolvers
asking a lot more queries.



i am a root operator and i reject your characterization of my 
position.



I meant the root operators as a group, not every single person who works 
for or with a rootop.



i don't want tcp tried first, ever. i understand that tcp would be 
tried
first, for new-fangled clients who want to try to negotiate persistent 
tcp.
but that should not include the priming query, because root name 
servers are
expected to have a large number of rdns servers to serve, and tcpcb's 
will

always be finite.



Are you arguing for a special case of "TCP to authoritative servers is 
fine, but not for the root servers"? If so, that's an interesting 
discussion for draft-ietf-dnsop-5966bis, which is still in WG Last Call.





Given that using TCP for priming helps
mitigate an injection attack,



given that tcp is often blocked by firewalls since udp mostly just 
works and
has always been tried first, i think that leaning on tcp to help with 
a

priming injection attack has a low success likelihood.



If a recursive resolver is behind a firewall that blocks TCP, the 
priming query will time out and they will use UDP.



let's get the injection
attack solved in other ways, for example, using dns cookies.



If you believe that the extra CPU required for a root server to support 
https://tools.ietf.org/html/draft-ietf-dnsop-cookies-05 is less of a 
threat to the operations of the root server than that of persistent TCP 
connections, it would be great to see a write-up on that. The 
intelligent use of state for TCP seems to be similar to that for 
cookies, but comes with some major advantages. If rootops as a group 
support cookies instead of TCP, that's valuable information, but we 
haven't heard that yet.


--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop























					Reply via email to