nanog mailing list archives
Re: DNS hardening, was Re: Dan Kaminsky
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 5 Aug 2009 21:53:44 -0400
On Wed, Aug 5, 2009 at 6:53 PM, Douglas Otis<dotis () mail-abuse org> wrote:
On 8/5/09 2:49 PM, Christopher Morrow wrote:and state-management seems like it won't be too much of a problem on that dns server... wait, yes it will.DNSSEC UDP will likely become problematic. This might be due to reflected attacks, fragmentation related congestion, or packet loss. When it does, TCP
because all of these problems aren't already problems today? how is dnssec adding to this? or is your premise that dnssec adds to it because it requires edns0 and larger responses?
fallback will tried. TCP must retain state for every attempt to connect,
ask worldnic how well that works... edns0 exists (for at least) the sidestep of truncate and use tcp.
and will require significantly greater resources for comparable levels of resilience.
Do you really think that dns in the future is going to move to mostly TCP based transport? do you know what added latency that will be for all clients which switch? What about handling more stateful requests on what today are stateless systems? (f-root-style anycasted pods of authoritative resolvers)
SCTP instead uses cryptographic cookies and the client to retain this state information. SCTP can bundle several transactions into a common association, which reduces overhead and latency compared against TCP. SCTP
great... which internet scale applications use SCTP today? Which loadbalancers are prepared to deal with this 'new' requirement?
ensures against source spoofed reflected attacks or related resource exhaustion. TCP or UDP does not. Under load, SCTP can redirect services
how does SCTP ensure against spoofed or reflected attacks?
without using anycast. TCP can not.
explain your assertions please... these seem like overly broad marketing slides which may be truthful in a corner-case but under wide deployment aren't going to work in this manner. -Chris
Current thread:
- Re: dnscurve and DNS hardening, was Re: Dan Kaminsky, (continued)
- Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Alexander Harrowell (Aug 06)
- Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Ben Scott (Aug 07)
- Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Tony Finch (Aug 06)
- Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky John R. Levine (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Roland Dobbins (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Jakma (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Ross Vandegrift (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Steven M. Bellovin (Aug 07)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 10)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)