[dns-operations] Comparing TCP and UDP response times of root name servers
marka at isc.org
Wed Nov 21 22:22:59 UTC 2012
In message <20121121084640.0d470d3a at localhost>, John Kristoff writes:
> On Wed, 21 Nov 2012 14:19:02 +0000
> Tony Finch <dot at dotat.at> wrote:
> > I doubt it would provide any advantage compared to DNS over TCP.
> Your doubt isn't very convincing to me, but I'm not inclined to argue
> too strenuously that it would be worth doing in lieu of just utilizing
> TCP. Nevertheless, I would certainly be interested in experimenting
> with a DNS over DCCP implementation if someone builds it.
> > You can't fix an attack by inviting the attackers to change to a more
> > well-behaved protocol.
> The annoying source spoofed attacks that result in reflection and
> amplification, and to the degree that they are actually happening in
> the wild or not the Kaminsky-style cache poisoning, would help address
> the problem if something like DCCP were to supplant UDP.
Moving off UDP would take decades and there is no need to do so.
We have the ability to defeat amplification attacks today while continuing
to use UDP as a transport and not breaking older clients. It is only
a matter of deploying the technology.
Legacy clients get sent to TCP as a transport (one can set an
acceptable amplification threshold/response size to trigger on).
Updated clients continue to use UDP after establishing that there
is a two-way path.
> Note, there are a number of services over UDP that might benefit from
> a change away from UDP for similar reasons. Architecturally DCCP seems
> to make more sense to me than the heavier TCP-based or
> application-specific solution like Donald Eastlake's draft Paul
> pointed to, but I realize deep architectural changes are unlikely.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
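The scheme Mark Andrews sketches above (a response-size threshold that pushes unproven UDP clients to TCP, while clients that have demonstrated a two-way path keep using UDP) as an added, self-contained toy model. This is example code written for this page, not ISC or BIND code, and it makes two assumptions the post does not spell out: the proof of a two-way path is a per-client token the server hands back in its first reply (modelled on the server-cookie idea, an HMAC over the client address under a server secret), and the amplification threshold is a plain response-size limit in bytes. The zone contents, addresses and the name `ToyServer` are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not code from the original post. Assumptions: the "two way
# path" proof is a token minted from the client address, and the amplification
# threshold is a plain byte limit on UDP replies to unproven sources.
AMPLIFICATION_THRESHOLD = 512  # hypothetical: largest UDP reply sent without proof of path


@dataclass
class Query:
    src_ip: str
    qname: str
    transport: str = "udp"          # "udp" or "tcp"
    token: Optional[bytes] = None   # proof of two-way path; legacy clients never set it


@dataclass
class Response:
    transport: str
    tc: bool                        # truncated: client must retry (legacy clients use TCP)
    payload: bytes
    token: bytes                    # always returned, so the receiver learns its proof


class ToyServer:
    def __init__(self, zone: dict):
        self.zone = zone
        self.secret = secrets.token_bytes(16)

    def token_for(self, ip: str) -> bytes:
        # Only a host that actually received a reply at this source address can
        # present this value; a spoofer never sees it.
        return hmac.new(self.secret, ip.encode(), hashlib.sha256).digest()[:8]

    def path_verified(self, q: Query) -> bool:
        return q.token is not None and hmac.compare_digest(q.token, self.token_for(q.src_ip))

    def handle(self, q: Query) -> Response:
        answer = self.zone.get(q.qname, b"")
        token = self.token_for(q.src_ip)
        if q.transport == "tcp":
            # The TCP handshake already proved the path: full answer.
            return Response("tcp", False, answer, token)
        if len(answer) <= AMPLIFICATION_THRESHOLD or self.path_verified(q):
            return Response("udp", False, answer, token)
        # Large answer to an unproven UDP source: echo only the question with TC
        # set, so a real client retries and a spoofed victim gets no amplification.
        return Response("udp", True, q.qname.encode(), token)


def legacy_lookup(server: ToyServer, ip: str, qname: str) -> Tuple[bytes, List[str]]:
    """Old client: knows nothing about tokens, honours TC by retrying over TCP."""
    used = ["udp"]
    r = server.handle(Query(ip, qname))
    if r.tc:
        r = server.handle(Query(ip, qname, transport="tcp"))
        used.append("tcp")
    return r.payload, used


class UpdatedClient:
    """Client that remembers the token from any reply and keeps using UDP."""

    def __init__(self, ip: str):
        self.ip = ip
        self.tokens = {}  # per-server proof learnt from earlier replies

    def lookup(self, server: ToyServer, qname: str) -> Tuple[bytes, List[str]]:
        used = ["udp"]
        r = server.handle(Query(self.ip, qname, token=self.tokens.get(server)))
        self.tokens[server] = r.token  # receiving the reply at all proves the path
        if r.tc:
            # Retry over UDP with the freshly learnt token instead of falling to TCP.
            r = server.handle(Query(self.ip, qname, token=r.token))
            used.append("udp")
        if r.tc:  # would only happen if the token were rejected; fall back to TCP
            r = server.handle(Query(self.ip, qname, transport="tcp"))
            used.append("tcp")
        return r.payload, used


def spoofed_query(server: ToyServer, attacker_ip: str, victim_ip: str, qname: str) -> Response:
    """Reflection attempt: the attacker spoofs the victim's address. The only
    token it can legitimately hold was minted for its own address."""
    attacker_token = server.token_for(attacker_ip)
    return server.handle(Query(victim_ip, qname, token=attacker_token))


def amplification(query_len: int, resp: Response) -> float:
    """Bytes sent toward the source address per byte of query."""
    return len(resp.payload) / query_len


if __name__ == "__main__":
    zone = {"big.example.": b"A" * 2000, "small.example.": b"x" * 100}  # constructed
    srv = ToyServer(zone)
    print(legacy_lookup(srv, "198.51.100.7", "big.example.")[1])       # ['udp', 'tcp']
    print(UpdatedClient("203.0.113.9").lookup(srv, "big.example.")[1])  # ['udp', 'udp']
    print(amplification(40, spoofed_query(srv, "203.0.113.9", "192.0.2.1", "big.example.")))
```

The point the model makes concrete is that the server never has to know which kind of client it is talking to: a small answer goes out over UDP regardless, a large answer goes out over UDP only to a source that has already received something from this server, and everyone else gets a reply no bigger than their question, which is what removes the amplification.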