[dns-operations] Configurable TC=1?

Mark Andrews marka at isc.org
Tue Dec 22 00:33:30 UTC 2015


In message <20151222002233.GD5821 at puck.nether.net>, Jared Mauch writes:
> On Tue, Dec 22, 2015 at 09:26:52AM +1100, Mark Andrews wrote:
> > 
> > In message <20151221205644.GB5821 at puck.nether.net>, Jared Mauch writes:
> > > On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> > > > Ralf Weber wrote:
> > > > 
> > > > > If we switch DNS to TCP there will be a huge cost
> > > > > in implementing this, as TCP just doesn't scale
> > > > > the way UDP does
> > > > 
> > > > True; so is there a nameserver implementation that
> > > > allows me to respond with a minimal TC=1 packet if ...
> > > > 
> > > >   sizeof(UDP-response) > sizeof(UDP-query) * x + y
> > > > 
> > > > ..., x and y being fully configurable, preferably
> > > > on a per-address-range basis, maybe even dependent
> > > > upon the query type?
> > > > 
> > > > (not so much related to the "Storm on the DNS"
> > > > issue but to DNS amplification attacks)
> > > 
> > > 	RRL is closer to the 'right' solution, but
> > > you could likely do something in this part of the BIND
> > > codebase:
> > > 
> > > http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
> > > 
> > > 	- Jared
> > 
> > One thing one can do is to get cookies deployed as soon as possible.
> > We have the code points and we have implementations so there is no
> > reason not to deploy cookies.  That way servers can identify
> > legitimate traffic from repeat client.  If we can get a big enough
> > base one could even return REFUSED to non cookie clients.
> 
> 	This can already be done by keeping a hash or hot cache of
> clients that passed a prior TCP 3-way test.

Not when their addresses are being spoofed.
 
> > A BADCOOKIE response is about the same size as TC=1 response and
> > doesn't result in TCP state being used for subsequent requests.
> 
> 	Yes, but keeps similar amount of memory state as nicely
> organized arrays of inet6/inet ranges involved in queries.

The server keeps no state.  The client keeps the state (includes
recursive server for authoritative servers).
 
> > We already have some servers generating server cookies (search for
> > cookie).  We need more.
> > 
> > https://ednscomp.isc.org/compliance/summary.html
> 
> 	I'm looking forward to the next updates at dnsop and
> the dns-oarc meeting in March/April.
> 
> 	- Jared
> 
> -- 
> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
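The two mechanisms the thread compares, as an added worked example and not code from the thread, from BIND, or from any other server: a stateless server-cookie check in the RFC 9018 layout (version, reserved, timestamp, hash) sitting beside Ralph's `sizeof(response) > sizeof(query) * x + y` truncation rule and Mark's optional REFUSED policy for clients that send no cookie. Assumptions: the 8-byte hash is HMAC-SHA256 truncated to 8 bytes as a stand-in for the SipHash-2-4 that RFC 9018 specifies; DNS messages are modelled by byte counts rather than parsed; the response sizes, the x=2/y=0 defaults, the example secret and the example addresses are all constructed for the illustration.

```python
"""Stateless DNS Cookie handling (RFC 7873; RFC 9018 server-cookie layout) next
to the amplification-ratio truncation rule from the thread.

Constructed illustration, not BIND or any other server's code. Assumptions:
 - the 8-byte hash is HMAC-SHA256 truncated to 8 bytes; RFC 9018 uses SipHash-2-4
 - messages are modelled by byte counts (query_len, answer_len), not parsed
 - response sizes are rough models: a minimal TC=1 reply is the size of the
   query; a reply carrying a server cookie adds the 16 cookie bytes
"""
import hashlib
import hmac
import struct
from typing import Optional

RCODE_NOERROR = 0
RCODE_FORMERR = 1
RCODE_REFUSED = 5
RCODE_BADCOOKIE = 23        # RFC 7873 extended RCODE

COOKIE_VERSION = 1          # RFC 9018: version(1) reserved(3) timestamp(4) hash(8)
SERVER_COOKIE_LEN = 16
MAX_PAST = 3600             # RFC 9018: reject timestamps more than 1 hour old
MAX_FUTURE = 300            # RFC 9018: reject timestamps more than 5 minutes ahead


class CookieServer:
    """Everything needed to verify a cookie is the server secret plus the packet
    itself (source address, client cookie, server cookie). No per-client table
    is kept on the server; the client carries the state."""

    def __init__(self, secret: bytes, refuse_uncookied: bool = False,
                 x: int = 2, y: int = 0):
        self.secret = secret
        self.refuse_uncookied = refuse_uncookied   # "return REFUSED to non cookie clients"
        self.x, self.y = x, y                      # threshold: answer > query * x + y

    def _hash(self, client_cookie: bytes, prefix: bytes, client_ip: str) -> bytes:
        # Binds the cookie to this client cookie, this timestamp and this source address.
        mac = hmac.new(self.secret, client_cookie + prefix + client_ip.encode(), hashlib.sha256)
        return mac.digest()[:8]

    def make_server_cookie(self, client_cookie: bytes, client_ip: str, now: int) -> bytes:
        prefix = struct.pack("!B3xI", COOKIE_VERSION, now)
        return prefix + self._hash(client_cookie, prefix, client_ip)

    def check_server_cookie(self, client_cookie: bytes, server_cookie: bytes,
                            client_ip: str, now: int) -> bool:
        if len(server_cookie) != SERVER_COOKIE_LEN or server_cookie[0] != COOKIE_VERSION:
            return False
        prefix, digest = server_cookie[:8], server_cookie[8:]
        ts = struct.unpack("!B3xI", prefix)[1]
        if ts < now - MAX_PAST or ts > now + MAX_FUTURE:
            return False
        # Recomputing from the packet contents is the only "lookup" the server does.
        return hmac.compare_digest(digest, self._hash(client_cookie, prefix, client_ip))

    def handle(self, client_ip: str, query_len: int, answer_len: int, now: int,
               client_cookie: Optional[bytes] = None,
               server_cookie: Optional[bytes] = None):
        """Return (rcode, tc_bit, response_len, server_cookie_in_reply)."""
        if client_cookie is None:
            if self.refuse_uncookied:
                return (RCODE_REFUSED, False, query_len, None)
            # Source address unverified: cap the amplification a spoofer can obtain.
            if answer_len > query_len * self.x + self.y:
                return (RCODE_NOERROR, True, query_len, None)    # minimal TC=1 reply
            return (RCODE_NOERROR, False, answer_len, None)
        if len(client_cookie) != 8:
            return (RCODE_FORMERR, False, query_len, None)        # RFC 7873: malformed option
        if server_cookie is None or not self.check_server_cookie(
                client_cookie, server_cookie, client_ip, now):
            # BADCOOKIE: no answer section, just a fresh server cookie. About the size
            # of a TC=1 reply, and the retry stays on UDP, so no TCP state is created.
            fresh = self.make_server_cookie(client_cookie, client_ip, now)
            return (RCODE_BADCOOKIE, False, query_len + SERVER_COOKIE_LEN, fresh)
        # A valid cookie shows the sender really sits at client_ip: answer in full.
        return (RCODE_NOERROR, False, answer_len + SERVER_COOKIE_LEN, server_cookie)


if __name__ == "__main__":
    srv = CookieServer(b"example-secret-rotate-me")         # constructed secret
    cc = bytes.fromhex("0102030405060708")                  # constructed client cookie
    first = srv.handle("192.0.2.10", 60, 4000, 1700000000, client_cookie=cc)
    print("first contact:", first[:3])                      # BADCOOKIE, small reply
    second = srv.handle("192.0.2.10", 60, 4000, 1700000010,
                        client_cookie=cc, server_cookie=first[3])
    print("with cookie:  ", second[:3])                     # NOERROR, full answer
    print("uncookied big:", srv.handle("203.0.113.5", 60, 4000, 1700000000)[:3])
```

The spoofing case from the reply is the `check_server_cookie` failure when the same cookie arrives from a different source address: the hash covers the address, so a forged packet gets BADCOOKIE and a cookie that is only useful to whoever actually receives it.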