[dns-operations] Configurable TC=1?

Mukund Sivaraman muks at isc.org
Sun Dec 20 15:42:45 UTC 2015


Hi Ralph

On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> Ralf Weber wrote:
> 
> > If we switch DNS to TCP there will be a huge cost
> > in implementing this, as TCP just doesn't scale
> > the way UDP does
> 
> True; so is there a nameserver implementation that
> allows me to respond with a minimal TC=1 packet if ...
> 
>   sizeof(UDP-response) > sizeof(UDP-query) * x + y
> 
> ..., x and y being fully configurable, preferably
> on a per-address-range basis, maybe even dependent
> upon the query type?

What is possible from having a nameserver that supports this arithmetic?
There is a required minimum query message size that will result in an
amplified answer, and answers can vary disproportionally to that minimum
size as zones change.

Some nameservers implement an absolute maximum message size limit
setting (e.g., max-udp-size in BIND at per view and per peer level) that
is sufficient if one wants to truncate UDP responses above a limit.

There is regular talk about switching to DNS over TCP these days that
worries me. In answer to attacks like this, scaling infrastructure will
be wasteful and surely protocol should be made to avoid this
problem. While additional roundtrips for fetches have their problems, we
have protocol for DNS over UDP to thwart such attacks with spoofed
source addresses with low processing overhead, and additional roundtrips
should be fine for the case of root servers.

		Mukund
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20151220/31ec75a2/attachment.sig>


More information about the dns-operations mailing list