[dns-operations] Storm on the DNS
Phil Regnauld
regnauld at nsrc.org
Wed Dec 16 22:54:35 UTC 2015
Patrik Fältström (paf) writes:
>
> BCP48 / SAC-004 is what is needed. The kick down the road is a pretty hard kick.

s/BCP48/BCP38/, although very low bit-rate links would solve most of
our problems :)

> The ability to have a stateless protocol for lookups is pretty nice.

A stateless data protocol, or a stateless transport protocol?
Query-response are inherently stateful.

> Anyway, my point is that I completely agree with Dave here. If we could at last get some better control over the IP addresses, we would be in a better situation. And given the depletion of IPv4 space when people started to use each others IP addresses, the situation will not be better, but worse, pretty quickly.

Without any current incentives other than shaming to get most operators/
content providers to deploy BCP 38, TCP only is a way lower fruit.

Also, it's more likely we can move to TCP only through policy and
progressive closing of UDP, than it is likely we can change other
people's table manners. To quote Roland: Ignorance, Ineptitude,
Indifference (I³).

> As a defence during an attack I envision sooner than I expected blocking IPv4 be one mechanism that simply must be deployed.

I wonder how ready most networks will be when they get hit by
v6 amplification attacks, considering how woefully unprepared
they already are in v4 :( Oh wait, most networks won't even
get hit by v6 traffic. Cause it's not set up. Repeat: I³.

Cheers,
Phil