Dean Anderson wrote:
TCP is used by many, if not all, resolvers to get large responses.
And I'm working on changes to DJBDNS dnscache that enable a
configuration option to use TCP by default and fall back to UDP if TCP
is not available.
As that would increase security, I imagine that many operators will
like to have it ready, just in case. However, I don't think many will
enable that option, because of performance reasons. Enabling
keep-alive is not practical, because slow queries would become a
bottleneck. I haven't tried SCTP yet, but since it can have multiple
streams, it should support keeping alive connections with the
preferred resolvers. That would make the connection overhead
imperceivable.
See my NTIA comments on DNSSEC at
http://www.ntia.doc.gov/dns/comments/comment027.pdf for details on the
DDOS attack in DNSSEC.
Independently of who discovered the attack, Kaminsky's calculations on
the probabilities of poisoning a server, given that the attacker knows
exactly what the server is going to query, look correct. While
guessing port and query id may succeed with a workable probability,
adding an SCTP TSN would drastically reduce them. I guess the very
fact that this simple (possibly retrofittable) solution has not come
out may be a further sign of conspiracy, if that's what you look for.
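As an added illustration (not part of the thread or any poster's text), a small Python model of the guessing argument made above: it assumes a 16-bit DNS transaction id, a 16-bit UDP source port and a 32-bit SCTP TSN, and idealizes an off-path attacker with no partial knowledge of any of those fields.

```python
from math import expm1, log1p

# Field widths an off-path attacker must match for a forged answer to be accepted.
# Widths are assumptions of this model: 16-bit DNS transaction id, 16-bit UDP
# source port, 32-bit SCTP TSN; the attacker is idealized as knowing nothing
# about the values in those fields.
FIELD_BITS = {"txid": 16, "src_port": 16, "sctp_tsn": 32}


def guess_space_bits(fields):
    """Total entropy (in bits) a forged response has to match."""
    return sum(FIELD_BITS[f] for f in fields)


def race_success(entropy_bits, forged_per_race):
    """Probability that one batch of forged replies, sent during the window
    before the genuine answer arrives, matches the outstanding query."""
    space = 2 ** entropy_bits
    return min(forged_per_race, space) / space


def poisoning_probability(entropy_bits, forged_per_race, races):
    """Probability of at least one hit over `races` independent queries.

    Kaminsky's observation: the attacker can provoke a fresh query (a new name
    under the victim zone) after every lost race, so per-race odds compound.
    log1p/expm1 keep tiny per-race probabilities from rounding to zero."""
    p = race_success(entropy_bits, forged_per_race)
    if p >= 1.0:
        return 1.0
    return -expm1(races * log1p(-p))


def compare(forged_per_race=100, races=10_000):
    """Compare the three guessing spaces discussed in the message above."""
    scenarios = {
        "txid only": ["txid"],
        "txid + random port": ["txid", "src_port"],
        "txid + port + SCTP TSN": ["txid", "src_port", "sctp_tsn"],
    }
    return {name: poisoning_probability(guess_space_bits(f), forged_per_race, races)
            for name, f in scenarios.items()}


if __name__ == "__main__":
    for name, prob in compare().items():
        print(f"{name:24s} P(poisoned) = {prob:.3e}")
```

The constructed parameters (100 forged packets per race, 10,000 races) are illustrative only; the shape of the result, each extra unguessable field cutting the odds by its full width, is the point of the message.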
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf