On 08/12/2018 03:25 AM, John R Levine wrote:
>>> truncated, but it's equally valid to do TCP in the first place.
>
>> I'm aware of that. But with traditional DNS, you start with UDP, and
>> may fall back to TCP. DoS'ing the TCP support doesn't DoS the whole
>> system. (If it were the case that 100% of UDP-based resolutions result
>> in a subsequent TCP-based resolution (which I'm not saying is not the
>> case... I just don't know), then I wouldn't have this concern)
>
> With DNSSEC, the results are large enough that a whole lot of the
> traffic is over TCP,

A whole lot != all. In any case, are there measurements about this?

> particularly on IPv6 where packet fragmentation
> doesn't work reliably. And in any event, as someone else pointed out,
> https is hardly an untried protocol in hostile environments.

A lot of what you need to do to make a TCP-based protocol (such as HTTPS)
resilient to DoS doesn't have much to do with the app protocol itself.

Yes, there are lots of folks running TCP-based services in hostile
environments. And if they are to be resilient to DoS attacks, they have to
take care of a lot of details. With UDP, you can get away with not taking
care of a lot of them (because it's stateless).

That was exactly my point.

--
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
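As an added illustration of the UDP-first, TCP-on-truncation behaviour the thread is arguing about (example code, not from either poster): a stub resolver parses the fixed DNS header of the UDP reply and only re-sends over TCP when the TC bit is set and the reply matches its query ID; the TCP message then carries the two-octet length prefix DNS over TCP requires. The sample headers are constructed, not captured.

```python
import struct

# Constructed 12-byte DNS response headers (RFC 1035 section 4.1.1), not real captures.
# flags 0x8380: QR=1, TC=1, RD=1, RA=1, RCODE=0  -> truncated, retry over TCP
# flags 0x8180: QR=1, TC=0, RD=1, RA=1, RCODE=0  -> complete, UDP answer is usable
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header: ID, flag bits and the four section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "tc": (flags >> 9) & 1,        # truncation bit
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_fallback(udp_reply: bytes, expected_id: int) -> bool:
    """Stub-resolver decision: fall back to TCP only for a truncated response
    to our own query. Replies with a foreign ID are ignored, not retried."""
    hdr = parse_header(udp_reply)
    return hdr["qr"] == 1 and hdr["id"] == expected_id and hdr["tc"] == 1


def frame_for_tcp(query: bytes) -> bytes:
    """DNS over TCP prefixes each message with a two-octet big-endian length
    (RFC 1035 section 4.2.2); the UDP wire format has no such prefix."""
    if len(query) > 0xFFFF:
        raise ValueError("DNS message too large for TCP length prefix")
    return struct.pack("!H", len(query)) + query


if __name__ == "__main__":
    for name, reply in (("truncated", TRUNCATED_RESPONSE), ("complete", COMPLETE_RESPONSE)):
        print(name, "-> retry over TCP" if needs_tcp_fallback(reply, 0x1234) else "-> use UDP answer")
```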