[dns-operations] Configurable TC=1?
jared at puck.nether.net
Tue Dec 22 00:22:34 UTC 2015
On Tue, Dec 22, 2015 at 09:26:52AM +1100, Mark Andrews wrote:
> In message <20151221205644.GB5821 at puck.nether.net>, Jared Mauch writes:
> > On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> > > Ralf Weber wrote:
> > >
> > > > If we switch DNS to TCP there will be a huge cost
> > > > in implementing this, as TCP just doesn't scale
> > > > the way UDP does
> > >
> > > True; so is there a nameserver implementation that
> > > allows me to respond with a minimal TC=1 packet if ...
> > >
> > > sizeof(UDP-response) > sizeof(UDP-query) * x + y
> > >
> > > ..., x and y being fully configurable, preferably
> > > on a per-address-range basis, maybe even dependent
> > > upon the query type?
> > >
> > > (not so much related to the "Storm on the DNS"
> > > issue but to DNS amplification attacks)
> > RRL is closer to the 'right' solution, but
> > you could likely do something in this part of the BIND
> > codebase:
> > http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
> > - Jared
> One thing one can do is to get cookies deployed as soon as possible.
> We have the code points and we have implementations so there is no
> reason not to deploy cookies. That way servers can identify
> legitimate traffic from repeat clients. If we can get a big enough
> base one could even return REFUSED to non-cookie clients.
This can already be done by keeping a hash or hot cache of
clients that passed a prior TCP 3-way test.
> A BADCOOKIE response is about the same size as TC=1 response and
> doesn't result in TCP state being used for subsequent requests.
Yes, but it keeps a similar amount of memory state as nicely
organized arrays of inet6/inet ranges involved in queries.
> We already have some servers generating server cookies (search for
> cookie). We need more.
I'm looking forward to the next updates at dnsop and
the dns-oarc meeting in March/April.
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.