[dns-operations] Force TCP for external quereis to Open Resolvers?

Vernon Schryver vjs at rhyolite.com
Sun Mar 31 20:04:04 UTC 2013

> From: Paul Vixie <paul at redbarn.org>

> also, in TCPCT there's room for a payload in the SYN.

In theory there was also room for a payload in the TCP SYN before
popular defenses against syn-flooding.

> in practice this means a normal three way handshake for the first
> connection between an endpoint-pair, but there's a single round trip on
> any subsequent connection between that endpoint-pair, involving one
> packet to send the request, and one or more packets to send the response.

> level -- i think tcp/80 could benefit from zero state cost in
> responders, and single round trip for request plus multipacket response,

> <http://static.usenix.org/publications/login/2009-12/openpdfs/metzger.pdf>.

> argue for TCPCT i'm arguing for it on the general principle that we'd
> like a responder to have proof of requester identity before sending a
> multipacket response. we would not use these powers to make OR ubiquitous.

That bit about mult-packet responses is critical.  Replacing 2 DNS/UDP
packets with 9 DNS/TCP or 9 DNS/TCPCT for an isolated request is
unprofitable.  However, if the DNS response is not a single <=512 byte
UDP packet but a train of DNS/UDP/IP fragments carrying 2 or 3 KBytes, ...

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list