> On Nov 29, 2021, at 11:51 PM, Lars Eggert <l...@eggert.org> wrote:
>
>
>> I don't necessarily agree that operating systems alone do a very good job
>> of preventing DOS conditions. It is possible that I'm not up-to-date on
>> the latest and greatest in terms of operating system features, but I think
>> historically applications have fared better when they manage their own
>> connections. For example, can we realistically expect the OS to know which
>> idle connections should be closed?
>
> The OS will certainly try to close sufficient connections under DDoS to
> remain operational. But if an application wants to see connections closed
> according to a certain policy - and DNS servers probably would - they need to
> actively engage. Maybe that's the rationale here?
>
Yes, that is the rationale. I’ve added a new sentence to the end of this paragraph along those lines:

Operators of DNS server software SHOULD be aware that operating system and application vendors MAY impose a limit on the total number of established connections. These limits may be designed to protect against DDoS attacks or performance degradation. Operators SHOULD understand how to increase these limits if necessary, and the consequences of doing so. Limits imposed by the application SHOULD be lower than limits imposed by the operating system, so that the application can apply its own policy to connection management, such as closing the oldest idle connections first.

>>
>>> Section 4.2, paragraph 3, comment:
>>>> DNS server software SHOULD provide a configurable timeout for idle
>>>> TCP connections. For very busy name servers this might be set to a
>>>> low value, such as a few seconds. For less busy servers it might be
>>>> set to a higher value, such as tens of seconds.
>>>
>>> Ditto.
>>
>> In this case all of the open source implementations I surveyed have this
>> limit enabled by default.
>
> It might be useful to add a brief note similar to the one above here as well.

Okay, I’ve done so in this paragraph. Second and third sentences are new:

DNS server software SHOULD provide a configurable timeout for idle TCP connections. This can be used to free up resources for new connections and to ensure that idle connections are eventually closed. At the same time, it possibly limits client performance while leaving some TCP resources unutilized. For very busy name servers this might be set to a low value, such as a few seconds. For less busy servers it might be set to a higher value, such as tens of seconds. DNS clients and servers SHOULD signal their timeout values using the edns-tcp-keepalive option [RFC7828].

>
> Thanks,
> Lars
>

Thank you!
DW

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
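The two paragraphs discussed in this thread (an application-level connection limit kept below the OS limit so the server can close the oldest idle connection first, and a configurable idle timeout signalled with edns-tcp-keepalive) can be illustrated with a small connection-table sketch. This is an added example written for this page; it is not code from the draft, from the thread, or from any DNS implementation. The class and parameter names (`ConnectionTable`, `app_limit`, `os_limit`, `idle_timeout`), the monotonic-clock-in-seconds interface, and the definition of "idle" as "no query in flight" are assumptions made here; the option layout (code 11, optional 16-bit TIMEOUT in 100 ms units) follows RFC 7828.

```python
"""Connection policy sketch for a DNS-over-TCP server (added illustration).

Assumptions not taken from the draft: the names ConnectionTable, app_limit,
os_limit and idle_timeout, a monotonic clock measured in seconds, and that
"idle" means no query is currently in flight on the connection.
"""
from __future__ import annotations
from dataclasses import dataclass
import struct

EDNS_TCP_KEEPALIVE = 11  # option code assigned to edns-tcp-keepalive by RFC 7828


@dataclass
class Conn:
    conn_id: int
    last_active: float  # seconds on a monotonic clock (assumed interface)
    in_flight: int = 0  # queries received but not yet answered


class ConnectionTable:
    """Applies the server's own connection policy.

    app_limit must sit below os_limit so that this code, not the kernel,
    chooses which connection gives way when the server is full.
    """

    def __init__(self, app_limit: int, idle_timeout: float, os_limit: int) -> None:
        if app_limit >= os_limit:
            raise ValueError("application limit must be below the OS limit")
        self.app_limit = app_limit
        self.idle_timeout = idle_timeout
        self.conns: dict[int, Conn] = {}
        self.closed: list[int] = []  # ids closed by policy, in closing order

    def _idle(self) -> list[Conn]:
        return [c for c in self.conns.values() if c.in_flight == 0]

    def accept(self, conn_id: int, now: float) -> bool:
        """Admit a new connection, evicting the oldest idle one if at the limit.

        Returns False (refuse the newcomer) when every slot is busy: a
        connection with outstanding queries is never torn down for a new one.
        """
        if len(self.conns) >= self.app_limit:
            idle = sorted(self._idle(), key=lambda c: c.last_active)
            if not idle:
                return False
            self._close(idle[0].conn_id)
        self.conns[conn_id] = Conn(conn_id, now)
        return True

    def activity(self, conn_id: int, now: float, delta_in_flight: int = 0) -> None:
        """Record a query arriving (+1) or a response sent (-1) on a connection."""
        conn = self.conns[conn_id]
        conn.last_active = now
        conn.in_flight += delta_in_flight

    def expire(self, now: float) -> list[int]:
        """Close connections idle for at least idle_timeout; returns their ids."""
        victims = [c.conn_id for c in self._idle()
                   if now - c.last_active >= self.idle_timeout]
        for conn_id in victims:
            self._close(conn_id)
        return victims

    def _close(self, conn_id: int) -> None:
        del self.conns[conn_id]
        self.closed.append(conn_id)


def encode_tcp_keepalive(timeout_seconds: float | None = None) -> bytes:
    """Build an edns-tcp-keepalive option (RFC 7828).

    Wire form: OPTION-CODE (11), OPTION-LENGTH, then an optional 16-bit
    TIMEOUT in units of 100 ms. A client sends it with no TIMEOUT
    (length 0); a server answers with its idle timeout so the client knows
    how long the connection will be kept open.
    """
    if timeout_seconds is None:
        return struct.pack("!HH", EDNS_TCP_KEEPALIVE, 0)
    units = int(round(timeout_seconds * 10))
    if not 0 <= units <= 0xFFFF:
        raise ValueError("timeout does not fit in 16 bits of 100 ms units")
    return struct.pack("!HHH", EDNS_TCP_KEEPALIVE, 2, units)


def decode_tcp_keepalive(option: bytes) -> float | None:
    """Parse the option; returns the timeout in seconds, or None if absent."""
    code, length = struct.unpack("!HH", option[:4])
    if code != EDNS_TCP_KEEPALIVE:
        raise ValueError("not an edns-tcp-keepalive option")
    if length == 0:
        return None
    if length != 2 or len(option) < 6:
        raise ValueError("malformed edns-tcp-keepalive option")
    (units,) = struct.unpack("!H", option[4:6])
    return units / 10
```

The point of the `os_limit` check is the one made in the thread: if the kernel's limit is reached first, the kernel decides which connections fail, and the server never gets to apply "oldest idle first". The `accept` method also refuses rather than evicts when all connections have queries in flight, which is the behaviour an operator would want under load.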