[dns-operations] Storm on the DNS

Patrik Fältström paf at frobbit.se
Thu Dec 17 05:30:57 UTC 2015


On 16 Dec 2015, at 23:54, Phil Regnauld wrote:

> Patrik Fältström (paf) writes:
>>
>> BCP48 / SAC-004 is what is needed. The kick down the road is a pretty hard kick.
>
> 	s/BCP48/BCP38/, although very low bit-rate links would solve most of our problems :)

Sigh...of course.

>> The ability to have a stateless protocol for lookups is pretty nice.
>
> 	A stateless data protocol, or a stateless transport protocol ?
> 	Query-response are inherently stateful.

Ok, definitions, definitions...

I think a stateless query protocol can go over a stateless transport protocol.

What I (according to my definition) think was done with HTTP is a stateless query protocol over a stateful transport protocol.

>> Anyway, my point is that I completely agree with Dave here. If we could at last get some better control over the IP addresses, we would be in a better situation. And given the depletion of IPv4 space when people started to use each other's IP addresses, the situation will not be better, but worse, pretty quickly.
>
> 	Without any current incentives other than shaming to get most operators/content providers to deploy BCP 38, TCP only is a way lower fruit.

Agree

> 	Also, it's more likely we can move to TCP only through policy and progressive closing of UDP, than it is likely we can change other people's table manners. To quote Roland: Ignorance, Ineptitude, Indifference (I³).

Yup.
 	
>> As a defence during an attack I envision sooner than I expected blocking IPv4 be one mechanism that simply must be deployed.
>
> 	I wonder how ready most networks will be when they get hit by v6 amplification attacks, considering how woefully unprepared they already are in v4 :( Oh wait, most networks won't even get hit by v6 traffic. Cause it's not set up. Repeat: I³.

I guess my statement of IPv6 is similar to yours above about "slow links" :-)

At least buys us time.

   paf