[dns-operations] Storm on the DNS
Patrik Fältström
paf at frobbit.se
Thu Dec 17 05:30:57 UTC 2015
On 16 Dec 2015, at 23:54, Phil Regnauld wrote:
> Patrik Fältström (paf) writes:
>>
>> BCP48 / SAC-004 is what is needed. The kick down the road is a pretty hard kick.
>
> s/BCP48/BCP38/, although very low bit-rate links would solve most of our problems :)
Sigh...of course.
>> The ability to have a stateless protocol for lookups is pretty nice.
>
> A stateless data protocol, or a stateless transport protocol ?
> Query-response are iherently stateful.
Ok, definitions, definitions...
I think a stateless query protocol can go over a stateless transport protocol.
What I (according to my definition) think was done with HTTP is a stateless query protocol over a stateful transport protocol.
>> Anyway, my point is that I completely agree with Dave here. If we could at last get some better control over the IP addresses, we would be in a better situation. And given the depletion of IPv4 space when people started to use each others IP addresses, the situation will not be better, but worse, pretty quickly.
>
> Without any current incentives other than shaming to get most operators/
> content providers to deploy BCP 38, TCP only is a way lower fruit.
Agree
> Also, it's more likely we can move to TCP only through policy and progressive closing of UDP, than it is likely we can change other peoples' table manners. To quote Roland: Ignorance, Ineptitude, Indifference (I³).
Yup.
>> As a defence during an attack I envision sooner than I expected blocking IPv4 be one mechanism that simply must be deployed.
>
> I wonder how ready most networks will be when they get hit by v6 amplification attacks, considering how woefully unprepared they already are in v4 :( Oh wait, most networks won't even get hit by v6 traffic. Cause it's not setup. Repeat: I³.
I guess my statement of IPv6 is similar to yours above about "slow links" :-)
At least buys us time.
paf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: OpenPGP digital signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20151217/25779878/attachment.sig>
More information about the dns-operations
mailing list