[dns-operations] Configurable TC=1?
Mark Andrews
marka at isc.org
Tue Dec 22 00:33:30 UTC 2015
In message <20151222002233.GD5821 at puck.nether.net>, Jared Mauch writes:
> On Tue, Dec 22, 2015 at 09:26:52AM +1100, Mark Andrews wrote:
> >
> > In message <20151221205644.GB5821 at puck.nether.net>, Jared Mauch writes:
> > > On Sun, Dec 20, 2015 at 03:27:00PM +0100, Ralph Babel wrote:
> > > > Ralf Weber wrote:
> > > >
> > > > > If we switch DNS to TCP there will be a huge cost
> > > > > in implementing this, as TCP just doesn't scale
> > > > > the way UDP does
> > > >
> > > > True; so is there a nameserver implementation that
> > > > allows me to respond with a minimal TC=1 packet if ...
> > > >
> > > > sizeof(UDP-response) > sizeof(UDP-query) * x + y
> > > >
> > > > ..., x and y being fully configurable, preferably
> > > > on a per-address-range basis, maybe even dependent
> > > > upon the query type?
> > > >
> > > > (not so much related to the "Storm on the DNS"
> > > > issue but to DNS amplification attacks)
> > >
> > > RRL is closer to the 'right' solution, but
> > > you could likely do something in this part of the BIND
> > > codebase:
> > >
> > > http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch
> > >
> > > - Jared
> >
> > One thing one can do is to get cookies deployed as soon as possible.
> > We have the code points and we have implementations so there is no
> > reason not to deploy cookies. That way servers can identify
> > legitimate traffic from repeat clients. If we can get a big enough
> > base one could even return REFUSED to non cookie clients.
>
> This can already be done by keeping a hash or hot cache of
> clients that passed a prior TCP 3-way test.
Not when their addresses are being spoofed.
> > A BADCOOKIE response is about the same size as TC=1 response and
> > doesn't result in TCP state being used for subsequent requests.
>
> Yes, but keeps a similar amount of memory state as nicely
> organized arrays of inet6/inet ranges involved in queries.
The server keeps no state. The client keeps the state (includes
recursive server for authoritative servers).
> > We already have some servers generating server cookies (search for
> > cookie). We need more.
> >
> > https://ednscomp.isc.org/compliance/summary.html
>
> I'm looking forward to the next updates at dnsop and
> the dns-oarc meeting in March/April.
>
> - Jared
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
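The two mechanisms argued over in this exchange, Ralph's configurable "respond with a minimal TC=1 when sizeof(UDP-response) > sizeof(UDP-query) * x + y" rule and Mark's stateless DNS cookies (RFC 7873), are sketched below as an added illustration. This is not BIND code, not Jared's patch and not any server's implementation; the policy table, the server secret, the 16-byte HMAC-SHA256 server cookie construction and the sample addresses are all constructed for the example.

```python
"""Amplification-limiting decisions for a UDP DNS responder.

Added illustration, not BIND or any other server's code.  The policy rows,
secret and client addresses below are constructed for the example.
"""
import hashlib
import hmac
import ipaddress

# --- 1. Configurable truncation: answer TC=1 when
#        len(response) > len(query) * x + y
# Policy rows: (address range, qtype or None for any type, x, y).  First match
# wins, so put narrow ranges and special-cased types before the defaults.
TRUNCATION_POLICY = [
    (ipaddress.ip_network("192.0.2.0/24"), None, 2.0, 64),   # constructed "noisy" range
    (ipaddress.ip_network("0.0.0.0/0"), "ANY", 1.0, 0),      # ANY: no amplification over UDP
    (ipaddress.ip_network("::/0"), "ANY", 1.0, 0),
    (ipaddress.ip_network("0.0.0.0/0"), None, 4.0, 512),     # defaults for everyone else
    (ipaddress.ip_network("::/0"), None, 4.0, 512),
]


def truncation_limit(client_ip, qtype, policy=TRUNCATION_POLICY):
    """Return (x, y) from the first matching policy row, or None if none matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, row_qtype, x, y in policy:
        if addr.version != net.version or addr not in net:
            continue
        if row_qtype is not None and row_qtype != qtype:
            continue
        return x, y
    return None


def should_truncate(query_len, response_len, client_ip, qtype, policy=TRUNCATION_POLICY):
    """True when the UDP response would exceed the configured size budget."""
    limit = truncation_limit(client_ip, qtype, policy)
    if limit is None:
        return False
    x, y = limit
    return response_len > query_len * x + y


# --- 2. Stateless DNS cookies (RFC 7873).  The server cookie is derived from a
#        secret, the client cookie and the client address, so the server stores
#        nothing per client and a spoofed source never sees a usable cookie.
SERVER_SECRET = b"constructed-example-secret-rotate-periodically"  # constructed
CLIENT_COOKIE_LEN = 8
SERVER_COOKIE_LEN = 16  # RFC 7873 allows 8..32 bytes; this example uses 16


def server_cookie(client_cookie, client_ip, secret=SERVER_SECRET):
    """HMAC-SHA256(secret, client cookie || packed client address), truncated.

    The hash construction is this example's choice; RFC 7873 leaves it to the server.
    """
    packed = ipaddress.ip_address(client_ip).packed
    mac = hmac.new(secret, client_cookie + packed, hashlib.sha256).digest()
    return mac[:SERVER_COOKIE_LEN]


def check_cookie(option, client_ip, secret=SERVER_SECRET):
    """Classify the COOKIE option of an incoming query.

    "NONE"         no COOKIE option (legacy client)
    "FORMERR"      malformed option length (RFC 7873 section 5.2.2)
    "CLIENT_ONLY"  only a client cookie: answer normally and hand back a server cookie
    "OK"           valid server cookie for this client address
    "BADCOOKIE"    server cookie present but wrong (stale secret, or not ours)
    """
    if option is None:
        return "NONE"
    if len(option) != CLIENT_COOKIE_LEN and not (16 <= len(option) <= 40):
        return "FORMERR"
    client = option[:CLIENT_COOKIE_LEN]
    if len(option) == CLIENT_COOKIE_LEN:
        return "CLIENT_ONLY"
    expected = server_cookie(client, client_ip, secret)
    # compare_digest tolerates differing lengths and returns False; constant-time otherwise
    if hmac.compare_digest(option[CLIENT_COOKIE_LEN:], expected):
        return "OK"
    return "BADCOOKIE"


def plan_udp_response(query_len, response_len, client_ip, qtype, cookie_option):
    """Decide how to answer a UDP query.

    A valid server cookie shows the sender has a return path to the source
    address, so the size budget only applies to unverified clients.
    """
    status = check_cookie(cookie_option, client_ip)
    if status == "FORMERR":
        return "FORMERR"
    if status == "BADCOOKIE":
        return "BADCOOKIE"  # small reply, no TCP state; client retries with a fresh cookie
    if status != "OK" and should_truncate(query_len, response_len, client_ip, qtype):
        return "TC=1"       # minimal truncated reply; a real client retries over TCP
    return "FULL"
```

`plan_udp_response` ties the two together the way the thread implies: a query that carries a cookie this server minted for that address gets its full answer, while everything else is held to the per-range size budget and a wrong cookie gets the small BADCOOKIE reply that Mark compares to TC=1. Nothing here is looked up in a per-client table; rotating `SERVER_SECRET` is the only state the server owns.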