Re: [Asrg] DNS over SCTP

Douglas Otis <dotis@mail-abuse.org> Sat, 30 May 2009 00:26 UTC

Message-Id: <E6E4FD71-FAE4-482D-AAC4-FD4E24BB8CD2@mail-abuse.org>
From: Douglas Otis <dotis@mail-abuse.org>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
In-Reply-To: <200905291433.n4TEXEII041611@givry.fdupont.fr>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Fri, 29 May 2009 17:24:54 -0700
References: <200905291433.n4TEXEII041611@givry.fdupont.fr>
X-Mailer: Apple Mail (2.935.3)
Cc: Anti-Spam Research Group - IRTF <asrg@irtf.org>, ietf@ietf.org
Subject: Re: [Asrg] DNS over SCTP

On May 29, 2009, at 7:33 AM, Francis Dupont wrote:

> I don't understand your argument: it seems to apply to UDP over SCTP but here we have SCTP over UDP. BTW the easiest way to convert DNS over UDP into DNS over SCTP is to use an ALG (application layer gateway) which in the DNS is known as a caching server (such servers are already used to provide IPv4/IPv6 transport conversion).

The goal is to apply the SCTP protocol as a means to better protect DNS from source spoofing, resource exhaustion, reflected attack exploitation, and increased latency. SCTP in any form does not prevent deployment of DNSSEC. SCTP might even better facilitate DNSSEC than EDNS0. Use of DNS on SCTP, even when tunneled over UDP, should be explored. The issues related to DDoS risk related to cached macros were presented to various DNS WGs and forums. Unfortunately, this DNS issue earned little respect from the proponents of the protocol using macros and extensive record chaining. The prevalent response was to declare DNS broken by pointing to other aspects of DNS at risk. SCTP seems a reasonable solution in the face of this neglect. Problems are likely to grow much faster than adoption of DNSSEC. In fact, adoption of DNSSEC may make some aspects of DDoS exploitation worse.

-Doug
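As an added illustration of why the poster expects SCTP to help against source spoofing and resource exhaustion (example code written for this archive page, not part of the thread and not taken from any SCTP implementation): a toy model of the RFC 4960 INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK exchange. The responder signs a cookie in INIT-ACK and keeps no state until that cookie comes back, unexpired, from the address it was issued to. A host that forges its source address never receives the cookie, so it can neither complete the association nor make the responder allocate anything. All addresses, tags and the cookie layout here are constructed for the example; real stacks rotate the secret and carry more fields in the cookie.

```python
import hashlib
import hmac
import os
import time


class Server:
    """Toy SCTP-style responder: answers INIT with a signed cookie and only
    creates association state when a valid COOKIE-ECHO comes back."""

    def __init__(self, cookie_lifetime=60.0):
        self.secret = os.urandom(32)       # HMAC key; real stacks rotate this
        self.cookie_lifetime = cookie_lifetime
        self.associations = {}             # (peer_addr, peer_tag) -> local_tag
        self.sent = []                     # (dst_addr, chunk_type) wire log

    def _sign(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, src_addr, peer_tag, now=None):
        """Handle INIT: return the INIT-ACK cookie, store nothing locally."""
        now = int(time.time() if now is None else now)
        local_tag = int.from_bytes(os.urandom(4), "big")
        body = f"{src_addr}|{peer_tag}|{local_tag}|{now}".encode()
        cookie = body + b"|" + self._sign(body)
        self.sent.append((src_addr, "INIT-ACK"))   # reply goes to the claimed source
        return cookie

    def on_cookie_echo(self, src_addr, cookie, now=None):
        """Handle COOKIE-ECHO: create state only for an authentic, unexpired
        cookie presented from the address it was issued to."""
        now = time.time() if now is None else now
        body, _, mac = cookie.rpartition(b"|")
        if not body or not hmac.compare_digest(self._sign(body), mac):
            return False                   # forged or corrupted cookie
        try:
            peer_addr, peer_tag, local_tag, issued = body.decode().split("|")
            peer_tag, local_tag, issued = int(peer_tag), int(local_tag), int(issued)
        except ValueError:
            return False
        if peer_addr != src_addr:
            return False                   # cookie replayed from another address
        if now - issued > self.cookie_lifetime:
            return False                   # stale cookie
        self.associations[(src_addr, peer_tag)] = local_tag
        self.sent.append((src_addr, "COOKIE-ACK"))
        return True


def honest_client(server, addr="198.51.100.10"):
    """Client that owns its address: receives INIT-ACK and echoes the cookie."""
    cookie = server.on_init(addr, peer_tag=0x1234)
    return server.on_cookie_echo(addr, cookie)


def spoofed_init_attempt(server, victim_addr="203.0.113.5"):
    """INIT with a forged source: the INIT-ACK is delivered to the victim, the
    sender never sees the cookie and can only guess one; no state is created."""
    server.on_init(victim_addr, peer_tag=0x9999)
    guessed = b"203.0.113.5|39321|1|0|" + bytes(32)   # constructed bogus cookie
    return server.on_cookie_echo(victim_addr, guessed)


def replayed_cookie(server, owner_addr="198.51.100.10", other_addr="192.0.2.77"):
    """A genuine cookie issued to one address is presented from another."""
    cookie = server.on_init(owner_addr, peer_tag=0x4242)
    return server.on_cookie_echo(other_addr, cookie)


def expired_cookie(server, addr="198.51.100.10"):
    """A genuine cookie echoed after its lifetime has passed."""
    cookie = server.on_init(addr, peer_tag=0x5555, now=1000)
    return server.on_cookie_echo(addr, cookie, now=1000 + server.cookie_lifetime + 1)


if __name__ == "__main__":
    s = Server()
    print("honest client completes:", honest_client(s), s.associations)
    s = Server()
    print("spoofed INIT completes:", spoofed_init_attempt(s), "state:", s.associations)
```

The property worth checking is what the responder holds after each exchange: one association after the honest handshake, an empty table after the spoofed, replayed and expired attempts, and for the spoofed case a single INIT-ACK on the wire towards the victim and nothing more.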