At 15:51 -0400 9/24/07, Stephen Hanna wrote:
> Finally, I wonder whether other more fundamental techniques for addressing the problem have been explored. For instance, if DNS clients were required to perform a simple handshake before a DNS server sent a long response, fake requests would provide little amplification.
It would be easier to just disable the UDP transport and go to TCP only to accomplish the same goal. (For one, the handshake would be subject to the same vulnerabilities that TCP has been strengthened against.) Removing UDP from DNS would erode the light, quick nature of (legitimate) use.
> For example, requests that elicit long responses could prompt a shift to TCP. Of course, this would have other unpleasant side effects such as slowing down the processing of DNS requests with long responses and troubles getting DNS requests through firewalls. I'm not suggesting that this approach be discussed in this document, simply that it be considered (which probably has already been done).
Consider it considered. That cure would be worse than the disease. Especially as the trend will likely be towards a greater incidence of large DNS responses, e.g., for IPv6, for ENUM, and (if it ever flies) for DNSSEC.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
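Added illustration of the amplification the thread is arguing about (not code from either poster): it hand-packs a DNS query and a response carrying several AAAA records, measures the response/query byte ratio over UDP, and shows the standard RFC 1035 behaviour when a response will not fit in a plain 512-byte UDP datagram, namely answering with the TC bit set and no answer records so that the client retries over TCP. The name `example.test`, the AAAA rdata and the record counts are constructed for the example; name compression and EDNS0 are deliberately omitted, so real wire sizes will differ somewhat.

```python
import struct

AAAA = 28          # RR type code for AAAA
UDP_MAX = 512      # RFC 1035 section 4.2.1 limit for UDP without EDNS0
TC_FLAG = 0x0200   # "truncated" bit in the header flags word


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """A minimal recursion-desired query: header + one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, rrs, tc=False):
    """Echo the question and append answer RRs given as (name, type, ttl, rdata)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (TC_FLAG if tc else 0)      # QR, RD, RA (+ TC)
    answers = b""
    for name, rtype, ttl, rdata in rrs:
        answers += encode_name(name)
        answers += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    return header + query[12:] + answers


def tc_set(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def serve_udp(query, rrs, udp_max=UDP_MAX):
    """UDP path: full answer if it fits, else an empty TC=1 reply (retry over TCP)."""
    full = build_response(query, rrs)
    if len(full) <= udp_max:
        return full
    return build_response(query, [], tc=True)


def serve_tcp(query, rrs):
    """TCP path: no size limit, but only reachable after the TCP handshake."""
    return build_response(query, rrs)


def amplification(query, response):
    """Bytes sent to the (possibly spoofed) source per byte of query."""
    return len(response) / len(query)


def demo(qname="example.test"):
    """Constructed scenario: 8 AAAA records fit in UDP, 16 do not."""
    query = build_query(qname, AAAA)

    def records(n):
        # constructed IPv6 rdata: 2001::/16 prefix, last byte distinct
        return [(qname, AAAA, 300, b"\x20\x01" + bytes(13) + bytes([i]))
                for i in range(n)]

    small, big = records(8), records(16)
    udp_small = serve_udp(query, small)
    udp_big = serve_udp(query, big)
    tcp_big = serve_tcp(query, big)
    return {
        "query_len": len(query),
        "udp_small_len": len(udp_small),
        "udp_small_amp": amplification(query, udp_small),
        "udp_big_len": len(udp_big),
        "udp_big_tc": tc_set(udp_big),
        "udp_big_amp": amplification(query, udp_big),
        "tcp_big_len": len(tcp_big),
        "tcp_big_amp": amplification(query, tcp_big),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v}")
```

The point the numbers make: while the response fits in a datagram, a 30-byte UDP query pulls back several hundred bytes toward whatever source address was forged, which is the amplification Hanna worries about; once the answer exceeds the UDP limit the TC reply is the same size as the query, and the large answer only flows after a TCP handshake, which is exactly the "shift to TCP" with its extra round trips that Lewis considers too costly for the common case.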