[dns-operations] EDNS vs DDOS scrubbing - was Re: Nice to see Amazon Route 53 remove the EDNS(1) filters for *.co.uk.

Mark Andrews marka at isc.org
Wed May 27 12:00:33 UTC 2015


In message <D18B2214.BC32%edward.lewis at icann.org>, Edward Lewis writes:
> 
> I'm reacting because I see a case of someone observing symptoms,
> presenting eye-catchy colorful pictures and then running hard into the
> land of diagnosis.
> 
> On 5/27/15, 7:10, "Mark Andrews" <marka at isc.org> wrote:
> 
> >For others it is scrubbing / DoS services which are blocking EDNS(1)
> >queries.
> 
> This sounds like there might be a need to analyze a trade-off.  Taking the
> leap of faith that the dropping EDNS(1) figures is caused by DDoS
> scrubbing services, the question is "why?"  Is EDNS(1) and DDoS scrubbing
> incompatible?

No. Just "different query - must be bad".  "Different query - don't
know what to do -> drop" from firewall vendors.  Had this sort of
discussion years ago with a firewall vendor.  Both firewall vendors
and scrubbing services don't tend to drop different rather than
figuring out "is it dangerous / bad".

Yes, EDNS compliance issues have been traced to scrubbing services and
firewalls.  I've had reports from server operators using both of these.

Both can be, or should be able to be, tuned to pass EDNS(1) queries
or queries with EDNS options or queries with EDNS flags.

.cisco is an example of a recently added TLD.
https://ednscomp.isc.org/ednscomp/47bd30e419

These errors should have been caught in testing prior to adding the
delegation to the root zone.  dig has supported +edns=<value> for a
decade now. +ednsflags is new.

> I will offer that, from what I've seen, DDoS scrubbing seems to offer
> value to the Internet.  I.e., I don't think that it's not simply going to
> go away.  (I'm remaining neutral on the question of value-for-money, in
> the sense that's not the topic here.)  I seriously doubt that DDoS
> scrubbing services will go away because they interrupt EDNS(1) adoption.
> 
> Perhaps there isn't a conflict, it is just that the testing is throwing
> packets into a hole and declaring failure.  Perhaps the lost EDNS(1)
> traffic ought to be explained away as part of the flotsam that is DDoS
> traffic.
> 
> I'm just skeptical that a technology or mechanism will see lowered
> adoption over time - if it is a good idea. I understand falling adoption
> during the phase out/retirement/etc.  You point out the new TLD operators
> - but it's dropping across the board (except for the bottom 1000, which
> might be related to those cellar-dwellers not being subject to DDoS load,
> hence no scrubbing).
> 
> I would have expected to see a chart showing overall increase in adoption
> with perhaps a sector that is failing and needing attention.  I don't see
> that in the chart.
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
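Added example, not code from the original post or from ISC: a small pre-delegation check in the spirit of the "dig +edns=<value>" test mentioned above. It classifies how a name server handled an EDNS(1) query, distinguishing the BADVERS reply RFC 6891 requires from a silent drop (the middlebox symptom discussed in the thread) and from other broken answers. Function and variable names are hypothetical, and the captured dig outputs are constructed samples so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample dig outputs are constructed).
# A responder that does not implement EDNS version 1 must answer BADVERS
# (RFC 6891 section 6.1.3); no answer at all usually means something on
# the path discarded the "different" query.

# Constructed sample: conformant reply to an unknown EDNS version.
SAMPLE_BADVERS=';; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 4711
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096'

# Constructed sample: query silently dropped, as a firewall or scrubbing
# service that does not know the query would do.
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Constructed sample: server mangles the OPT record instead of answering BADVERS.
SAMPLE_FORMERR=';; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 4712
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# classify_edns1_output DIG_OUTPUT
# Prints one word:
#   ok      - BADVERS, or a normal answer carrying an EDNS version 0 OPT
#   dropped - no reply at all: typical of a middlebox discarding the query
#   broken  - any other outcome: the server or path mishandles EDNS(1)
classify_edns1_output() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'connection timed out'; then
        echo dropped
    elif printf '%s\n' "$out" | grep -q 'status: BADVERS'; then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'status: NOERROR' \
      && printf '%s\n' "$out" | grep -q 'EDNS: version: 0'; then
        echo ok
    else
        echo broken
    fi
}

# probe_edns1 ZONE SERVER: the live check (needs network; not run by the test).
# +tries=1 with a short +time makes a drop surface as "connection timed out"
# instead of being hidden by retries.
probe_edns1() {
    classify_edns1_output "$(dig +edns=1 +norecurse +time=3 +tries=1 SOA "$1" @"$2" 2>&1)"
}

# Example live use against a zone's listed name servers, commented out
# so the file runs offline:
# for ns in ns1.example.net ns2.example.net; do
#     printf '%s: %s\n' "$ns" "$(probe_edns1 example.net "$ns")"
# done
```

Running the loop over every listed name server of a new zone before the delegation goes into the root would have caught the kind of failure shown on the ednscomp page: a "dropped" result for a server that answers plain queries points at a firewall or scrubbing rule, not at the DNS software itself.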