DNS over SCTP (was: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Douglas Otis wrote:
Just using TCP would prevent most of the DNS poisoning attacks that Amir's paper reports.

TCP is prone to DDoS attack.  As such, TCP is seldom used with DNS.

I thought TCP was the default when the UDP message size is not enough. That's, AFAIK, the only advantage of TCP over SCTP: it's already in place and ready. (Yes, one needs to run firewalls and all that stuff.)

A single SCTP connection can support thousands of simultaneous streams,

I agree SCTP is better, and it's been around for nearly a decade now. Yet, for those who miss it, good old TCP allows, say, a client to hold a couple of connections to its favorite resolver in order to avoid many of the threats illustrated by Kaminsky...

There is also OS support for UDP tunneling of SCTP when supporting legacy NATs and firewalls. Until there is an significant incentive to make DNS more robust, use of SCTP is likely to remain just a good and under appreciated option.

It seems that DNS over SCTP would solve 90% of the problems with 10% of the efforts and resources required to implement DNSSEC. However, I hear more often about the latter than the former. How come?

_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]