[dns-operations] Configurable TC=1?

Jared Mauch jared at puck.nether.net
Mon Dec 21 20:56:44 UTC 2015


On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> Ralf Weber wrote:
> 
> > If we switch DNS to TCP there will be a huge cost
> > in implementing this, as TCP just doesn't scale
> > the way UDP does
> 
> True; so is there a nameserver implementation that
> allows me to respond with a minimal TC=1 packet if ...
> 
>   sizeof(UDP-response) > sizeof(UDP-query) * x + y
> 
> ..., x and y being fully configurable, preferably
> on a per-address-range basis, maybe even dependent
> upon the query type?
> 
> (not so much related to the "Storm on the DNS"
> issue but to DNS amplification attacks)

	RRL is closer to the 'right' solution, but
you could likely do something in this part of the BIND
codebase:

http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
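The policy Ralph Babel asks for is easy to state as code. What follows is an added illustration in C, not code from BIND or from the patch linked above: a hypothetical per-address-range table of (x, y) thresholds, the `response > query * x + y` test, and the construction of the "minimal TC=1 packet" (header plus question section, QR and TC set, all other counts zero). The policy struct, the function names, the sample query and the 3000-byte response size are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy (not BIND syntax): reply with TC=1 when
 * response_len > query_len * x + y. qtype 0 = all types, prefix 0 = all clients. */
struct tc_policy {
    uint32_t net;     /* IPv4 network, host byte order */
    uint8_t  prefix;  /* prefix length 0..32 */
    uint16_t qtype;   /* 0 = applies to every query type */
    unsigned x;       /* multiplier on the query size */
    unsigned y;       /* constant allowance in bytes */
};

int ip_in_range(uint32_t ip, uint32_t net, uint8_t prefix)
{
    uint32_t mask = prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
    return (ip & mask) == (net & mask);
}

/* First matching policy decides; no match means "answer normally". */
int should_truncate(const struct tc_policy *pols, size_t n, uint32_t client_ip,
                    uint16_t qtype, size_t query_len, size_t response_len)
{
    for (size_t i = 0; i < n; i++) {
        if (!ip_in_range(client_ip, pols[i].net, pols[i].prefix))
            continue;
        if (pols[i].qtype != 0 && pols[i].qtype != qtype)
            continue;
        return response_len > query_len * pols[i].x + pols[i].y;
    }
    return 0;
}

/* Offset just past the question section, or 0 if the query is malformed.
 * A query carries exactly one question and no compression pointers. */
size_t question_end(const uint8_t *q, size_t qlen)
{
    if (qlen < 12 || ((q[4] << 8) | q[5]) != 1)
        return 0;
    size_t p = 12;
    for (;;) {
        if (p >= qlen) return 0;
        uint8_t label = q[p];
        if (label & 0xC0) return 0;   /* pointer or reserved bits: reject */
        p += 1 + label;
        if (label == 0) break;
    }
    p += 4;                            /* QTYPE + QCLASS */
    return p <= qlen ? p : 0;
}

uint16_t query_qtype(const uint8_t *q, size_t qlen)
{
    size_t end = question_end(q, qlen);
    return end ? (uint16_t)((q[end - 4] << 8) | q[end - 3]) : 0;
}

/* Minimal TC=1 reply: copy header + question, set QR and TC, keep opcode and
 * RD, RCODE NOERROR, AN/NS/AR counts zero. A real server would also echo an
 * OPT record for EDNS queries; omitted here so the reply never exceeds the
 * query. Returns bytes written, or 0 on a malformed query / small buffer. */
size_t build_tc_reply(const uint8_t *q, size_t qlen, uint8_t *out, size_t outlen)
{
    size_t n = question_end(q, qlen);
    if (n == 0 || n > outlen)
        return 0;
    memcpy(out, q, n);
    out[2] = (uint8_t)((q[2] & 0x79) | 0x82);
    out[3] = 0;
    memset(out + 6, 0, 6);
    return n;
}

/* Constructed sample: "example.com. IN ANY", ID 0x1234, RD set, 29 bytes. */
const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0xFF, 0x00, 0x01
};
const size_t sample_query_len = sizeof sample_query;

/* Constructed table: ANY from 10.0.0.0/8 is truncated as soon as the reply
 * is larger than the query; everyone else is allowed 4x + 512 bytes. */
const struct tc_policy sample_policies[] = {
    { 0x0A000000u, 8, 255, 1, 0 },
    { 0,           0, 0,   4, 512 },
};
const size_t sample_policy_count = sizeof sample_policies / sizeof sample_policies[0];

uint8_t reply_buf[512];

/* Build the TC=1 reply for the sample query into reply_buf; returns its length. */
size_t sample_tc_reply(void)
{
    return build_tc_reply(sample_query, sample_query_len, reply_buf, sizeof reply_buf);
}

int main(void)
{
    size_t full_len = 3000;   /* constructed size of the complete ANY answer */
    uint16_t qt = query_qtype(sample_query, sample_query_len);
    if (should_truncate(sample_policies, sample_policy_count, 0xC0A80001u, qt,
                        sample_query_len, full_len))
        printf("TC=1 reply of %zu bytes instead of %zu\n", sample_tc_reply(), full_len);
    else
        printf("full %zu-byte reply sent\n", full_len);
    return 0;
}
```

The 29-byte sample query against a 3000-byte answer trips the default 4x + 512 rule (628 bytes), so the client gets a 29-byte TC=1 reply and must retry over TCP, which is the amplification cap the question is after. Note what this does not do: unlike RRL it never rate-limits, so a spoofed source still receives one small packet per query, and a legitimate resolver behind the stricter 10.0.0.0/8 rule pays a TCP round trip for every ANY.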
