[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Mark Andrews marka at isc.org
Mon Jun 6 04:25:04 UTC 2016


In message <20160606105806.53131d1f at pallas.home.time-travellers.org>, Shane Kerr writes:
> 
> Paul,
> 
> At 2016-06-06 02:38:43 +0000
> P Vixie <paul at redbarn.org> wrote:
> 
> > +1 to this approach.
> 
> Which approach? Also supporting DNS cookies, or doing DNS cookies
> instead of port randomization?
> 
> AIUI cookies requires both server and client support, right? Given the
> long adoption tail of DNS, I don't think we can safely run a DNS
> server or client on the Internet that doesn't do source port
> randomization for decades. :(

Given the client can work out if the server supports COOKIES, you can
start ramping down port randomisation today.  You don't need to
wait.

> (Although maybe one could run a switchable model where you use a client
> library that doesn't include port randomization support, but have one
> lying around that does in case you find yourself on a network where
> this is needed?)
> 
> So basically DNS cookies is another feature for coders to implement and
> maintain, with more code, a bigger footprint, more bugs, and a larger
> attack surface. It's probably worth it, but it's not like you can rip
> out the port randomization code.
 
Oh dear, a couple of extra lines of code, the horror of it.  DNS
COOKIES is an extremely lightweight mechanism, especially on the
client side.  Pick a 64-bit random number.  Add it to the OPT record.
Check that it is returned.  Handle BADCOOKIE (if you get your client
cookie back) by resending w/ the returned cookie.  That handles 99.9%
of the cases.  If you want to make it work across multiple queries,
remember the returned cookie longer.

We already have TLD operators that support DNS COOKIES and Alexa
Top 1000 operators that support DNS COOKIES.

> It is also probably just another reason that people who know and love
> DNS should implement the DNS. :)  (Note that I don't mean that
> this needs to be existing DNS folks - new blood with a passion for DNS
> can do awesome things!)
> 
> I wonder if the systemd folks would accept a patch for DNS cookies
> support? Does anybody know if they are welcoming of such things? (My
> intuition says "probably not" but if you fit in their NIH model maybe
> so?)
> 
> Cheers,
> 
> --
> Shane
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
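The client-side procedure described in the reply above (pick a 64-bit random cookie, put it in the OPT record, check that it comes back, retry once on BADCOOKIE with the server cookie that was returned, and remember that server cookie across later queries), as an added example that is not code from the original thread nor from ISC/BIND. The wire constants (OPT type 41, option code 10, BADCOOKIE as extended RCODE 23) come from RFC 6891 and RFC 7873; the in-memory "server" is a constructed stand-in that derives its server cookie with an HMAC and returns no answer section, so that the exchange runs offline.

```python
"""DNS COOKIE (RFC 7873) client handling: build, verify, retry on BADCOOKIE, cache.

Added illustration, not ISC/BIND code.  fake_cookie_server() is a constructed
stand-in for a cookie-aware authoritative server so the exchange runs offline.
"""
import hashlib
import hmac
import os
import struct

OPT_TYPE = 41          # RFC 6891 pseudo-RR type
COOKIE_OPT = 10        # RFC 7873 EDNS option code
RCODE_BADCOOKIE = 23   # 12-bit extended RCODE
UDP_PAYLOAD = 1232


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qtype, client_cookie, server_cookie=b"", msg_id=None):
    """Standard query (RD set) with one OPT RR carrying the COOKIE option."""
    assert len(client_cookie) == 8, "client cookie is exactly 64 bits"
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    option = struct.pack("!HH", COOKIE_OPT, 8 + len(server_cookie)) + client_cookie + server_cookie
    # OPT RR: root name, type 41, "class" = UDP payload size, "ttl" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, len(option)) + option
    return header + question + opt


def _skip_name(msg, off):
    """Skip a wire-format name, including a trailing compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(msg):
    """Return (12-bit rcode, echoed client cookie, server cookie); cookies None if absent."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    rcode = flags & 0x0F
    client = server = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        rcode |= (ttl >> 24) << 4       # upper 8 bits of the RCODE live in the OPT "TTL"
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            data = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
            if code == COOKIE_OPT and 8 <= olen <= 40:   # 8 client + 8..32 server
                client, server = data[:8], (data[8:] or None)
    return rcode, client, server


def query_with_cookies(send, qname, qtype, cookies):
    """send(bytes) -> bytes.  cookies: per-server dict remembered across queries.

    Raises ValueError when the reply does not carry our ID and client cookie,
    i.e. it is forged or came from something that ignores cookies entirely.
    """
    client = cookies.setdefault("client", os.urandom(8))   # one 64-bit cookie per server
    server = cookies.get("server", b"")
    for attempt in range(2):
        query = build_query(qname, qtype, client, server)
        resp = send(query)
        rcode, echoed, new_server = parse_response(resp)
        if resp[:2] != query[:2] or echoed != client:
            raise ValueError("ID or client cookie mismatch: reply is not for this query")
        if new_server:
            cookies["server"] = server = new_server   # remember it for later queries
        if rcode == RCODE_BADCOOKIE and attempt == 0:
            continue                                  # resend once with the returned cookie
        return rcode
    return rcode


def fake_cookie_server(secret=None):
    """Constructed stand-in: BADCOOKIE (plus a fresh server cookie) unless the query
    carries a valid server cookie; otherwise NOERROR.  No answer section."""
    secret = secret or os.urandom(16)

    def handle(query):
        _, client, server = parse_response(query)   # same parser works on queries
        if client is None:
            raise ValueError("stand-in only handles cookie-bearing queries")
        expected = hmac.new(secret, client, hashlib.sha256).digest()[:8]
        rcode = 0 if server == expected else RCODE_BADCOOKIE
        header = query[:2] + struct.pack("!HHHHH", 0x8180 | (rcode & 0x0F), 1, 0, 0, 1)
        question = query[12:_skip_name(query, 12) + 4]
        option = struct.pack("!HH", COOKIE_OPT, 16) + client + expected
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, (rcode >> 4) << 24, len(option)) + option
        return header + question + opt

    return handle
```

The first query to a server costs one extra round trip (BADCOOKIE, then the retry with the server cookie); every later query to the same server, with the same client cookie and the cached server cookie, goes through in one. A reply that does not echo the client cookie is rejected outright, which is the property that lets a resolver relax source-port randomisation towards servers known to support cookies.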
