[dns-operations] Force TCP for external queries to Open Resolvers?
Vernon Schryver
vjs at rhyolite.com
Sun Mar 31 20:04:04 UTC 2013
> From: Paul Vixie <paul at redbarn.org>
> also, in TCPCT there's room for a payload in the SYN.
In theory there was also room for a payload in the TCP SYN before
popular defenses against syn-flooding.
> in practice this means a normal three way handshake for the first
> connection between an endpoint-pair, but there's a single round trip on
> any subsequent connection between that endpoint-pair, involving one
> packet to send the request, and one or more packets to send the response.
> level -- i think tcp/80 could benefit from zero state cost in
> responders, and single round trip for request plus multipacket response,
> <http://static.usenix.org/publications/login/2009-12/openpdfs/metzger.pdf>.
> argue for TCPCT i'm arguing for it on the general principle that we'd
> like a responder to have proof of requester identity before sending a
> multipacket response. we would not use these powers to make OR ubiquitous.
That bit about multi-packet responses is critical. Replacing 2 DNS/UDP
packets with 9 DNS/TCP or 9 DNS/TCPCT for an isolated request is
unprofitable. However, if the DNS response is not a single <=512 byte
UDP packet but a train of DNS/UDP/IP fragments carrying 2 or 3 KBytes, ...
Vernon Schryver vjs at rhyolite.com
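As an added illustration of the trade-off discussed in the message above (example code written for this page, not from the post or from either author): a small cost model comparing, for a given DNS response size, the packets on the wire for DNS/UDP versus DNS/TCP with a full three-way handshake, and the bytes a responder sends toward a source address it has not yet verified. The IPv4/Ethernet header sizes, the 60-byte query, and the 9-packet accounting for an isolated TCP exchange are assumptions chosen so that a single-packet response reproduces the "2 versus 9" figures in the thread.

```python
import math

# Assumed sizes in bytes, IPv4 over Ethernet (illustration only).
MTU = 1500
IP_HDR, UDP_HDR, TCP_HDR = 20, 8, 20
MSS = MTU - IP_HDR - TCP_HDR   # 1460 bytes of TCP payload per segment
FRAG_PAYLOAD = MTU - IP_HDR    # 1480 bytes per IP fragment (a multiple of 8)
QUERY_LEN = 60                 # assumed typical DNS query payload


def udp_response_packets(response_len):
    """IP packets (fragments) needed to carry one UDP DNS response."""
    return math.ceil((UDP_HDR + response_len) / FRAG_PAYLOAD)


def udp_exchange_packets(response_len):
    """Packets on the wire for one query over UDP: the query plus the response."""
    return 1 + udp_response_packets(response_len)


def tcp_exchange_packets(response_len):
    """Packets for an isolated query over TCP with a full handshake.

    Assumed accounting: SYN, SYN-ACK, ACK, query, N response segments
    (the responder's ACK of the query rides on the first segment), the
    requester's ACK of the response, then FIN, FIN-ACK, ACK.  A single-
    segment response gives 9 packets, the count used in the thread.
    """
    segments = math.ceil((2 + response_len) / MSS)  # DNS/TCP adds a 2-byte length
    return 3 + 1 + segments + 1 + 3


def udp_unverified_bytes(response_len):
    """Bytes a UDP responder sends to a source it has not verified."""
    frags = udp_response_packets(response_len)
    return frags * IP_HDR + UDP_HDR + response_len


def tcp_unverified_bytes():
    """Bytes a TCP responder sends before the handshake proves the source:
    one SYN-ACK with no payload, regardless of the eventual response size."""
    return IP_HDR + TCP_HDR


def amplification(transport, response_len):
    """Responder bytes divided by requester bytes, before source verification."""
    if transport == "udp":
        request = IP_HDR + UDP_HDR + QUERY_LEN
        return udp_unverified_bytes(response_len) / request
    if transport == "tcp":
        request = IP_HDR + TCP_HDR  # a bare SYN
        return tcp_unverified_bytes() / request
    raise ValueError(f"unknown transport {transport!r}")


def compare(response_len):
    """Summary row for one response size (constructed values, see assumptions)."""
    return {
        "udp_packets": udp_exchange_packets(response_len),
        "tcp_packets": tcp_exchange_packets(response_len),
        "udp_amplification": round(amplification("udp", response_len), 1),
        "tcp_amplification": round(amplification("tcp", response_len), 1),
    }


if __name__ == "__main__":
    # 512 bytes: the classic single-packet UDP answer; 3000 bytes: a fragment train.
    for size in (512, 3000):
        print(size, compare(size))
```

For a 512-byte answer the model gives 2 packets over UDP against 9 over TCP, which is the unprofitable case the message describes. For a 3000-byte answer the UDP side grows to 4 packets (three fragments) while TCP grows only to 11, and the bytes sent to an unverified source fall from roughly 35 times the request size to exactly one SYN-ACK. That second column is the point about wanting proof of requester identity before a multi-packet response.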