[dns-operations] Configurable TC=1?

Jared Mauch jared at puck.nether.net
Tue Dec 22 00:22:34 UTC 2015


On Tue, Dec 22, 2015 at 09:26:52AM +1100, Mark Andrews wrote:
> 
> In message <20151221205644.GB5821 at puck.nether.net>, Jared Mauch writes:
> > On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> > > Ralf Weber wrote:
> > > 
> > > > If we switch DNS to TCP there will be a huge cost
> > > > in implementing this, as TCP just doesn't scale
> > > > the way UDP does
> > > 
> > > True; so is there a nameserver implementation that
> > > allows me to respond with a minimal TC=1 packet if ...
> > > 
> > >   sizeof(UDP-response) > sizeof(UDP-query) * x + y
> > > 
> > > ..., x and y being fully configurable, preferably
> > > on a per-address-range basis, maybe even dependent
> > > upon the query type?
> > > 
> > > (not so much related to the "Storm on the DNS"
> > > issue but to DNS amplification attacks)
> > 
> > 	RRL is closer to the 'right' solution, but
> > you could likely do something in this part of the BIND
> > codebase:
> > 
> > http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
> > 
> > 	- Jared
> 
> One thing one can do is to get cookies deployed as soon as possible.
> We have the code points and we have implementations so there is no
> reason not to deploy cookies.  That way servers can identify
> legitimate traffic from repeat clients.  If we can get a big enough
> base one could even return REFUSED to non-cookie clients.

	This can already be done by keeping a hash or hot cache of
clients that passed a prior TCP 3-way test.

> A BADCOOKIE response is about the same size as TC=1 response and
> doesn't result in TCP state being used for subsequent requests.

	Yes, but it keeps a similar amount of memory state as nicely
organized arrays of inet6/inet ranges involved in queries.

> We already have some servers generating server cookies (search for
> cookie).  We need more.
> 
> https://ednscomp.isc.org/compliance/summary.html

	I'm looking forward to the next updates at dnsop and
the dns-oarc meeting in March/April.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
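The size-ratio truncation policy Ralph Babel asks about above, worked through as an added example (not code from any poster, nor from BIND or the linked patch): a per-prefix table of (x, y), the check `len(response) > len(query) * x + y`, and the minimal TC=1 reply built from the query's own header and question. The prefixes, x/y values and the oversized response payload are constructed for illustration.

```python
import ipaddress
import struct

# Constructed policy: first matching prefix wins; truncate when
# len(response) > len(query) * x + y. Tighter ratio for a suspicious range.
POLICY = [
    (ipaddress.ip_network("192.0.2.0/24"), 2, 0),
    (ipaddress.ip_network("2001:db8::/32"), 4, 100),
]
DEFAULT_XY = (8, 512)  # constructed default for all other clients

def policy_for(client_ip):
    """Return (x, y) for the first matching prefix, else the default."""
    addr = ipaddress.ip_address(client_ip)
    for net, x, y in POLICY:
        if addr in net:
            return x, y
    return DEFAULT_XY

def question_end(msg):
    """Offset just past the first question: QNAME labels + QTYPE + QCLASS."""
    off = 12  # fixed 12-byte header
    while msg[off] != 0:
        off += msg[off] + 1
    return off + 1 + 4

def minimal_tc_response(query):
    """Header + question only: copy ID/opcode/RD, set QR=1 TC=1, RCODE 0."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = (flags & 0x7900) | 0x8200  # keep opcode+RD, set QR and TC
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:question_end(query)]

def should_truncate(client_ip, query, response):
    x, y = policy_for(client_ip)
    return len(response) > len(query) * x + y

def respond(client_ip, query, response):
    """Return the full response, or a minimal TC=1 reply if over the ratio."""
    if should_truncate(client_ip, query, response):
        return minimal_tc_response(query)
    return response

# Constructed 29-byte query: ID 0x1234, RD set, one question "example.com ANY IN".
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + b"\x07example\x03com\x00" + struct.pack("!HH", 255, 1))
# Constructed stand-in for a large ANY answer; only its length matters here.
BIG_RESPONSE = QUERY[:12] + b"A" * 3000
```

For the 192.0.2.0/24 client the 3012-byte stand-in exceeds 29 * 2 + 0 and is replaced by a 29-byte TC=1 reply; a response no larger than the query is always passed through.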


