[dns-operations] DNS challenge+response paper

Mark Allman mallman at icir.org
Fri Jun 22 00:33:42 UTC 2018


If one had cookies, then this wouldn't be necessary, for sure.

> What I’d like to see is what percentage of queries had a DNS COOKIE
> or SIT (65001) option in them for the last 3 years in the DITL
> traffic so we can see deployment rates in recursive servers.  SIT
> was what named sent prior to the DNS COOKIE code point being
> allocated.

Per the footnote in the paper, the rate for 24hrs of A root DITL
traffic from this year is 0.15%.

> The paper also ignores the benefits the client sees in deploying
> DNS COOKIE. It is a win for both sides to deploy.

I don't think this is fair.  The paper doesn't suggest there aren't
benefits to cookies for the client.  Rather, the paper takes the
perspective of an authoritative.  If cookies are there, great.  But,
what if they're not?  The scheme in the paper is something an
auth server can do itself to protect from being used in an attack.
Cookies are fine and good and offer nice benefit to all, but they
are not something an auth can do by itself.

allman
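The quoted question above asks what fraction of queries carry a DNS COOKIE (option code 10, RFC 7873) or the pre-allocation SIT option (code 65001). The following is an added example, not code from the paper or from anyone on the thread, showing how that measurement is taken on raw DNS query messages: walk the question section, find the EDNS0 OPT RR (type 41) in the additional section, and collect its option codes. The sample queries at the bottom are constructed inline so the snippet runs offline; nothing here is the challenge+response scheme the paper itself proposes, which this message does not describe.

```python
import struct

EDNS_OPT_TYPE = 41
OPT_COOKIE = 10      # DNS COOKIE option code (RFC 7873)
OPT_SIT = 65001      # experimental code point BIND sent before COOKIE was allocated
OPT_NSID = 3         # an unrelated EDNS option, used below as a negative case


def _skip_name(msg, off):
    """Return the offset just past the domain name starting at off.

    Handles both label sequences and 2-byte compression pointers."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2          # compression pointer ends the name
        off += 1 + length


def edns_option_codes(msg):
    """Return the set of EDNS option codes in a DNS message's OPT RR (empty set if none)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    codes = set()
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype == EDNS_OPT_TYPE:
            p = 0
            while p + 4 <= len(rdata):          # OPTION-CODE, OPTION-LENGTH, OPTION-DATA
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                p += 4 + olen
                if p > len(rdata):
                    raise ValueError("truncated EDNS option")
                codes.add(code)
    return codes


def has_cookie(msg):
    """True if the query carries either a DNS COOKIE or a legacy SIT option."""
    codes = edns_option_codes(msg)
    return OPT_COOKIE in codes or OPT_SIT in codes


def cookie_rate(msgs):
    """Fraction of messages that carry a COOKIE or SIT option."""
    return sum(1 for m in msgs if has_cookie(m)) / len(msgs)


def build_query(qname, options=None):
    """Construct a minimal A query; options is a list of (code, data) to put in an OPT RR.

    options=None means no EDNS at all (ARCOUNT 0)."""
    arcount = 0 if options is None else 1
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + name + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    if options is not None:
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
        # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return msg


# Constructed sample: two cookie-bearing queries, one EDNS query without a cookie, one non-EDNS query.
SAMPLE_QUERIES = [
    build_query("example.com", [(OPT_COOKIE, b"\x11" * 8)]),   # 8-byte client cookie
    build_query("example.net", [(OPT_SIT, b"\x22" * 8)]),      # legacy SIT code point
    build_query("example.org", [(OPT_NSID, b"")]),             # EDNS present, no cookie
    build_query("example.edu"),                                # no EDNS
]

if __name__ == "__main__":
    print("cookie rate over sample: %.2f%%" % (100 * cookie_rate(SAMPLE_QUERIES)))
```

On real DITL data the same functions would be run over every query payload extracted from the pcaps; the per-message parse is cheap because it stops after the OPT RR without inspecting answer contents.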