[dns-operations] Force TCP for external queries to Open Resolvers?

Paul Vixie paul at redbarn.org
Sun Mar 31 18:58:08 UTC 2013



Xun Fan wrote:
> I want to emphasize here that my proposal is to use TCP only for
> off-net users, for all users inside the same network as OR, they just
> keep using UDP.

i've been following this thread. i have not yet seen a motive for
offering ubiquitous wide area dns services, whether by udp or tcp. can
you explain what positive outcome you predict for the 20+ million open
resolvers that jared's scan found last weekend, if instead of simply
closing them down and avoiding the creation of any new ones, we do as
you suggest and upgrade them to return TC=1 under UDP and to respond
normally to TCP?

what in other words is your proposed use case for 20+ million open
resolvers? if it's "to support research" then i'll agree with vernon who
said that the benefit of research does not outshine the cost of
maintaining such a ubiquitous service. (for example, since a TC=1 packet
is still a packet even though smaller, it's a good reflection tool for
attacks, even if non-amplifying. to make it safe at scale you'd have to
implement something like RRL to also cut the number of responses. this
is new state and new logic, whose cost has to be taken into account.)

>
> As I said before, if there are millions off-net user, then the
> administrator of the OR will make the judgement, probably won't close
> their OR.

this sounds like a response to something that has not been proposed.
no one is saying you can't run an OR if you want to, only that (a) if you
run it you should monitor it as closely as google and opendns monitor
theirs; and (b) openness should not be the default setting such that
it's on even for users who do not explicitly want it to be on.

paul
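Paul's point that a TC=1 reply is still a reflected packet (roughly the same size as the query, so non-amplifying but not harmless) and that making it safe needs RRL-style state, as an added Python example that is not from the thread or from any resolver's code: it builds the minimal truncated UDP reply to a constructed query, measures the byte ratio, and sketches a per-source response limiter. Function and class names are assumptions.

```python
import struct
import time
from collections import defaultdict

def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample query (not a captured packet): RD=1, one question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def truncated_response(query):
    """The TC=1 UDP reply an off-net client would get under the proposal:
    QR=1, TC=1, RD copied, no records, question section echoed back."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    i = 12                      # skip the 12-byte header to the QNAME labels
    while query[i] != 0:        # walk labels until the root label terminator
        i += query[i] + 1
    qend = i + 1 + 4            # terminator + QTYPE + QCLASS
    rflags = 0x8000 | 0x0200 | (flags & 0x0100)   # QR | TC | RD (copied)
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:qend]

def amplification(query, response):
    """Bytes sent back per byte received; 1.0 means reflection without gain."""
    return len(response) / len(query)

class ResponseRateLimiter:
    """Minimal RRL-style per-source limiter: the 'new state and new logic'
    Paul refers to. Allows at most `limit` responses per `window` seconds."""
    def __init__(self, limit=5, window=1.0):
        self.limit, self.window = limit, window
        self.buckets = defaultdict(list)   # source -> timestamps of recent replies

    def allow(self, src, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.buckets[src] if now - t < self.window]
        self.buckets[src] = recent
        if len(recent) >= self.limit:
            return False            # drop (or slip) instead of reflecting again
        recent.append(now)
        return True

if __name__ == "__main__":
    q = build_query("example.com")
    r = truncated_response(q)
    print(len(q), len(r), amplification(q, r))   # 29 29 1.0
```

The 1.0 ratio is the whole point: no amplification, but every spoofed query still yields one packet toward the victim, which is what the limiter's per-source state exists to cap.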



More information about the dns-operations mailing list