[dns-operations] Configurable TC=1?
Jared Mauch
jared at puck.nether.net
Mon Dec 21 20:56:44 UTC 2015
On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> Ralf Weber wrote:
>
> > If we switch DNS to TCP there will be a huge cost
> > in implementing this, as TCP just doesn't scale
> > the way UDP does
>
> True; so is there a nameserver implementation that
> allows me to respond with a minimal TC=1 packet if ...
>
> sizeof(UDP-response) > sizeof(UDP-query) * x + y
>
> ..., x and y being fully configurable, preferably
> on a per-address-range basis, maybe even dependent
> upon the query type?
>
> (not so much related to the "Storm on the DNS"
> issue but to DNS amplification attacks)
RRL is closer to the 'right' solution, but
you could likely do something in this part of the BIND
codebase:
http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
- Jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
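Ralph's size-ratio rule above, as an added example (not Jared's patch or BIND code): a first-match policy table keyed on client prefix and query type, with x and y per entry. It assumes IPv4 client addresses in host byte order and a constructed policy table; the decision is made by `should_truncate`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One truncation policy: applies to clients in prefix/plen (IPv4, host
   byte order) and to one QTYPE (0 = any type). Truncate when
   response_len > query_len * x + y. */
struct tc_policy {
    uint32_t prefix;   /* network address, host byte order */
    unsigned plen;     /* prefix length in bits, 0 = match everything */
    uint16_t qtype;    /* DNS QTYPE, 0 = any */
    unsigned x;        /* multiplier on the query size */
    unsigned y;        /* fixed allowance in bytes */
};

/* Constructed example table, first match wins:
   a trusted /24 gets a generous ratio for every type, ANY (255) from
   anyone else is held to a tight ratio, and everything else gets a default. */
static const struct tc_policy policies[] = {
    { 0xC0000200u, 24, 0,   10, 512 },  /* 192.0.2.0/24: trusted resolvers */
    { 0,            0, 255,  2,   0 },  /* ANY from the rest of the world */
    { 0,            0, 0,    4, 128 },  /* default for all other queries */
};

static bool prefix_match(uint32_t addr, uint32_t prefix, unsigned plen) {
    if (plen == 0) return true;                      /* 0.0.0.0/0 */
    uint32_t mask = (plen >= 32) ? 0xFFFFFFFFu : ~((1u << (32 - plen)) - 1u);
    return (addr & mask) == (prefix & mask);
}

/* Returns true if the server should answer with a minimal TC=1 packet
   instead of the full UDP response; false if no policy matches. */
bool should_truncate(uint32_t client, uint16_t qtype, size_t qlen, size_t rlen) {
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        const struct tc_policy *p = &policies[i];
        if (!prefix_match(client, p->prefix, p->plen)) continue;
        if (p->qtype != 0 && p->qtype != qtype) continue;
        return rlen > qlen * p->x + p->y;
    }
    return false;
}
```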