[dns-operations] Always replying to UDP requests with TC=1, good practice or not

Paul Vixie paul at redbarn.org
Tue Oct 20 04:19:16 UTC 2015


On Tuesday, October 20, 2015 07:49:34 Mark Andrews wrote:
> 
> With EDNS COOKIES one can require a good server cookie before
> providing more of an answer than just BADCOOKIE over UDP.  This is
> similar in nature to always sending TC=1 but keeps the traffic on
> UDP rather than switching the traffic to TCP.  It also doesn't
> require the authoritative server to keep any per client state.

fwiw, i love this approach. DNS RRL is a workaround, nothing more. 

note, though:

http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf

in this paper, the authors explain why the obligation in TCP to retransmit 
unacked data should not have covered the unconnected state. SYNs will be 
retransmitted, so SYN-ACKs need not have been subject to retransmission.

so there are billions of connected devices now willing to reflect with an 
amplification between 5X and 50X (there was no standard for this number), 
which devices are (a) globally reachable via the internet and (b) unpatchable 
and (c) immortal. so, we should get DNS cookies implemented, in order that the 
reflective amplifying spoofed-source attackers can switch to TCP SYN instead.

-- 
Paul
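The strict BADCOOKIE-over-UDP behaviour Mark Andrews describes above, as an added example that is not code from this thread or from any DNS server: a stateless server cookie is a MAC over the client cookie and the source address under a rotating server secret, so no per-client state is needed; a query without a valid server cookie gets only a query-sized BADCOOKIE reply carrying a fresh cookie, and a query with one gets the full answer. The cookie construction (HMAC-SHA256 truncated to 16 bytes) and the constructed message sizes are assumptions for illustration, not the interoperable RFC 9018 format.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# The only server-side state: a secret rotated periodically. Nothing is
# kept per client; the cookie itself proves the source address is reachable.
SERVER_SECRET = os.urandom(32)

QUERY_LEN = 64           # constructed: a typical UDP query size in bytes
BADCOOKIE_LEN = 64 + 24  # constructed: query echoed back plus a COOKIE option


def server_cookie(client_cookie: bytes, client_ip: str, secret: bytes = SERVER_SECRET) -> bytes:
    """Stateless server cookie: MAC over the client cookie and source address."""
    mac = hmac.new(secret, client_cookie + client_ip.encode(), hashlib.sha256).digest()
    return mac[:16]  # 16-byte server cookie (RFC 7873 allows 8..32 bytes)


def cookie_valid(cookie_opt: bytes, client_ip: str, secret: bytes = SERVER_SECRET) -> bool:
    """True if the COOKIE option carries a server cookie minted for this source IP."""
    if len(cookie_opt) < 16:  # 8-byte client cookie + at least 8 bytes of server cookie
        return False
    cc, sc = cookie_opt[:8], cookie_opt[8:]
    return hmac.compare_digest(sc, server_cookie(cc, client_ip, secret))


@dataclass
class Reply:
    rcode: str
    wire_len: int
    cookie_opt: Optional[bytes]

    @property
    def amplification(self) -> float:
        return self.wire_len / QUERY_LEN  # bytes out per byte in for a spoofed source


def answer_udp(cookie_opt: Optional[bytes], client_ip: str, answer_len: int,
               secret: bytes = SERVER_SECRET) -> Reply:
    if cookie_opt is None:
        # Legacy client with no COOKIE option: full answer; RRL still has to cover this.
        return Reply("NOERROR", answer_len, None)
    cc = cookie_opt[:8]
    fresh = cc + server_cookie(cc, client_ip, secret)
    if not cookie_valid(cookie_opt, client_ip, secret):
        # Unverified source: only BADCOOKIE plus a fresh server cookie, about the
        # size of the query, so nothing is amplified and the client stays on UDP
        # instead of being pushed to TCP by TC=1.
        return Reply("BADCOOKIE", BADCOOKIE_LEN, fresh)
    return Reply("NOERROR", answer_len, fresh)  # source verified: full answer over UDP
```

A real client that receives BADCOOKIE simply retries the same query with the returned cookie option, which the second `answer_udp` call in the test models.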