[dns-operations] Configurable TC=1?
marka at isc.org
Mon Dec 21 22:26:52 UTC 2015
In message <20151221205644.GB5821 at puck.nether.net>, Jared Mauch writes:
> On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> > Ralf Weber wrote:
> > > If we switch DNS to TCP there will be a huge cost
> > > in implementing this, as TCP just doesn't scale
> > > the way UDP does
> > True; so is there a nameserver implementation that
> > allows me to respond with a minimal TC=1 packet if ...
> > sizeof(UDP-response) > sizeof(UDP-query) * x + y
> > ..., x and y being fully configurable, preferably
> > on a per-address-range basis, maybe even dependent
> > upon the query type?
> > (not so much related to the "Storm on the DNS"
> > issue but to DNS amplification attacks)
> RRL is closer to the 'right' solution, but
> you could likely do something in this part of the BIND
> - Jared
One thing one can do is to get cookies deployed as soon as possible.
We have the code points and we have implementations so there is no
reason not to deploy cookies. That way servers can identify
legitimate traffic from repeat clients. If we can get a big enough
base one could even return REFUSED to non-cookie clients.
A BADCOOKIE response is about the same size as a TC=1 response and
doesn't result in TCP state being used for subsequent requests.
We already have some servers generating server cookies (search for
cookie). We need more.
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
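An added worked example, not from the thread and not ISC's or BIND's code, that puts the two ideas in this exchange side by side: Ralph Babel's size threshold (truncate with TC=1 when len(response) > len(query) * x + y) and Mark Andrews's point that a BADCOOKIE reply is about the size of a TC=1 reply but lets a client with a learned cookie be served over UDP afterwards. It builds DNS wire-format messages with the COOKIE option (RFC 7873, option code 10), applies a policy that refuses queries without a cookie, truncates large answers for clients that present only a client cookie, returns BADCOOKIE for a wrong server cookie, and serves verified clients in full. The server-cookie construction (8 bytes of HMAC-SHA256 over client cookie and client address), the thresholds x=2 and y=64, the name example.com, the address 192.0.2.10 and the 804-byte TXT record are all constructed assumptions for the demonstration, not the RFC 9018 cookie format or any server's real configuration.

```python
"""Toy DNS cookie + truncation policy (constructed example, see lead-in)."""
import hashlib, hmac, ipaddress, struct

COOKIE_OPT = 10            # EDNS option code for COOKIE (RFC 7873)
TYPE_OPT, TYPE_TXT = 41, 16
# BADCOOKIE is extended RCODE 23: low nibble 7 in the header, 1 in the OPT ext-rcode byte.

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def opt_rr(cookie, ext_rcode=0, udp_size=4096):
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags.
    rdata = struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie
    return b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, ext_rcode, 0, 0, len(rdata)) + rdata

def build_query(txid, name, qtype, client_cookie=None, server_cookie=b""):
    opt = b"" if client_cookie is None else opt_rr(client_cookie + server_cookie)
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if opt else 0)   # RD=1
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1) + opt

def parse_query(msg):
    """Return (txid, raw question section, COOKIE option bytes or None)."""
    txid, _, _, _, _, arcount = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    while msg[pos]:
        pos += 1 + msg[pos]
    pos += 5                               # root label + QTYPE + QCLASS
    question, cookie = msg[12:pos], None
    if arcount:                            # first additional RR is assumed to be OPT
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        rdata, off = msg[pos + 11:pos + 11 + rdlen], 0
        while rtype == TYPE_OPT and off + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[off:off + 4])
            if code == COOKIE_OPT:
                cookie = rdata[off + 4:off + 4 + length]
            off += 4 + length
    return txid, question, cookie

def server_cookie(secret, client_cookie, client_ip):
    # Simplified server cookie (assumption): 8 bytes of HMAC-SHA256(secret, client cookie || address).
    addr = ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, client_cookie + addr, hashlib.sha256).digest()[:8]

def respond(query, client_ip, secret, answer_rdata, x=2.0, y=64):
    """Cookie check first, then the size threshold for unverified clients. Returns (action, bytes)."""
    txid, question, cookie = parse_query(query)
    if cookie is None or len(cookie) < 8:
        return "refused", struct.pack("!HHHHHH", txid, 0x8185, 1, 0, 0, 0) + question   # RCODE=5
    cc, sc = cookie[:8], cookie[8:]
    good = server_cookie(secret, cc, client_ip)
    if sc and not hmac.compare_digest(sc, good):
        # Wrong server cookie: BADCOOKIE carrying the right cookie, no answer, no TCP state.
        hdr = struct.pack("!HHHHHH", txid, 0x8187, 1, 0, 0, 1)
        return "badcookie", hdr + question + opt_rr(cc + good, ext_rcode=1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(answer_rdata)) + answer_rdata
    full = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1) + question + answer + opt_rr(cc + good)
    if not sc and len(full) > len(query) * x + y:
        # Unverified source and an amplifying answer: minimal TC=1 reply, client retries over TCP.
        hdr = struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 1)              # TC bit = 0x0200
        return "truncated", hdr + question + opt_rr(cc + good)
    return "answer", full

def demo():
    secret = b"constructed-server-secret"
    txt = b"".join(bytes([200]) + b"A" * 200 for _ in range(4))             # 804-byte TXT rdata
    cc, ip = bytes.fromhex("0102030405060708"), "192.0.2.10"
    good = server_cookie(secret, cc, ip)
    cases = {
        "no cookie": build_query(1, "example.com", TYPE_TXT),
        "client cookie only": build_query(2, "example.com", TYPE_TXT, cc),
        "stale server cookie": build_query(3, "example.com", TYPE_TXT, cc, bytes(8)),
        "valid server cookie": build_query(4, "example.com", TYPE_TXT, cc, good),
    }
    out, replies = {}, {}
    for label, q in cases.items():
        action, r = respond(q, ip, secret, txt)
        out[label], replies[label] = (action, len(q), len(r)), r
    # The client reads the server cookie out of the BADCOOKIE reply and retries over UDP.
    _, _, learned = parse_query(replies["stale server cookie"])
    q = build_query(5, "example.com", TYPE_TXT, learned[:8], learned[8:])
    action, r = respond(q, ip, secret, txt)
    out["retry with learned cookie"] = (action, len(q), len(r))
    for label, (action, qlen, rlen) in out.items():
        print(f"{label:25s} -> {action:9s} query {qlen:3d} B, reply {rlen:3d} B, ratio {rlen / qlen:.1f}")
    return out

if __name__ == "__main__":
    demo()
```

The numbers the demo prints make the comparison concrete: the TC=1 reply and the BADCOOKIE reply come out the same size (header, question and OPT only), so neither is useful as an amplifier, but only the BADCOOKIE path leaves the client able to retry over UDP with the cookie it just learned. A spoofed query cannot do that retry, because the server cookie is bound to the source address the server actually saw.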