Re: secdir review of draft-ietf-dnsop-reflectors-are-evil-04.txt

At 15:51 -0400 9/24/07, Stephen Hanna wrote:

> Finally, I wonder whether other more fundamental techniques for
> addressing the problem have been explored. For instance, if DNS clients
> were required to perform a simple handshake before a DNS server sent
> a long response, fake requests would provide little amplification.

It would be easier to just disable the UDP transport and go to TCP only to accomplish the same goal. (For one, the handshake would be subject to the same vulnerabilities that TCP has been strengthened against.) Removing UDP from DNS erodes the light, quick nature of (legitimate) use.

> For example, requests that elicit long responses could prompt a
> shift to TCP. Of course, this would have other unpleasant side effects
> such as slowing down the processing of DNS requests with long responses
> and troubles getting DNS requests through firewalls. I'm not suggesting
> that this approach be discussed in this document, simply that it be
> considered (which probably has already been done).

Consider it considered. That cure would be worse than the disease. Especially as the trend will likely be towards a greater incidence of large DNS responses, e.g., for IPv6, for ENUM, and (if it ever flies) for DNSSEC.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.
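As an added illustration (not from the thread, the draft, or either author), the following Python model shows the mechanism behind the "shift long responses to TCP" idea discussed above: a server answers over UDP only when the full reply fits a size limit and otherwise sends a header-plus-question reply with the TC bit set, which is what makes a legitimate client retry over TCP while capping what a spoofed query can elicit. The query, the TXT answer set and the 512-byte limit are constructed values chosen for the demonstration.

```python
import struct

# Constructed model of a UDP size policy using the DNS truncation (TC) bit.
DNS_HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client should retry over TCP

def encode_name(name):
    """Encode a dotted name in DNS wire format (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=255, qid=0x1234):
    """Constructed query: 12-byte header (RD set) plus one question, class IN."""
    header = DNS_HEADER.pack(qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def question_section(query):
    """Return the raw question section that follows the 12-byte header."""
    i = 12
    while query[i] != 0:          # walk the labels to the terminating zero
        i += 1 + query[i]
    return query[12 : i + 1 + 4]  # name + QTYPE + QCLASS

def make_txt_rrs(count, chunk=255):
    """Constructed answer: `count` TXT RRs, each holding one 255-byte string,
    owner name given as a compression pointer to the question name (offset 12)."""
    rdata = bytes([chunk]) + b"x" * chunk
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return [rr] * count

def udp_policy(query, answer_rrs, max_udp_bytes=512):
    """Server-side policy for a UDP query: send the full answer if it fits,
    otherwise send header + question only with TC=1 (no answer section)."""
    qid, _, qd, _, _, _ = DNS_HEADER.unpack_from(query)
    question = question_section(query)
    full = (DNS_HEADER.pack(qid, FLAG_QR, qd, len(answer_rrs), 0, 0)
            + question + b"".join(answer_rrs))
    if len(full) <= max_udp_bytes:
        return full
    return DNS_HEADER.pack(qid, FLAG_QR | FLAG_TC, qd, 0, 0, 0) + question

def amplification(query, response):
    """Bytes sent to the (possibly spoofed) source per byte of query."""
    return len(response) / len(query)

if __name__ == "__main__":
    q = build_query("example.com")
    rrs = make_txt_rrs(12)
    print("unlimited UDP :", amplification(q, udp_policy(q, rrs, 4096)))
    print("512-byte limit:", amplification(q, udp_policy(q, rrs)))
```

The truncated reply is the same size as the query, so the reflector's usefulness collapses to 1:1, while a real client still gets its answer on the TCP retry at the latency cost the thread describes.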
