[dns-privacy] DDoS resilience & DNS-over-TCP (was Root Server Operators Statement on DNS Encryption)

Shane Kerr <shane@time-travellers.org> Thu, 01 April 2021 15:13 UTC

To: dns-privacy@ietf.org
References: <c925da9089fa4b1e991ec74fc9c11e7f@verisign.com> <CAChr6Sxwao=FAcoeHMuOf0L=JCZ+wvhsr9BNZW_dbt+1=HWQwg@mail.gmail.com> <20210331091238.GA10597@nic.fr> <CAChr6SxPNVAZMYfZqF+K6Xf8FPGa9ZgHkL-uUvtKMEiJSPmp8Q@mail.gmail.com> <2607D274-936F-4A31-9E4D-EEBCF45BE838@pch.net>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <c43e2e0d-a9cc-e86d-05a1-0a3684ef1a21@time-travellers.org>
Date: Thu, 1 Apr 2021 17:12:51 +0200
In-Reply-To: <2607D274-936F-4A31-9E4D-EEBCF45BE838@pch.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ffkuL2KduR2RvAk-LdnPxabWnXU>
Subject: [dns-privacy] DDoS resilience & DNS-over-TCP (was Root Server Operators Statement on DNS Encryption)

Bill,

On 31/03/2021 22.29, Bill Woodcock wrote:
> 
> 
>> On Mar 31, 2021, at 9:55 PM, Rob Sayre <sayrer@gmail.com> wrote:
>> I still don't understand the resistance here. Some data on what the impact would be still seems like the most helpful thing to move the conversation forward.
> 
> We have that:
> 
> https://vaibhavbajpai.com/documents/papers/proceedings/dot-pam-2021.pdf
> 
> Short story is that it’s 3x - 15x higher load on the servers, more delay, fewer people served, easier DDoS.
> 
> That’s a price that can be paid, if there’s a suitably corresponding benefit, and no more effective way to solve the problem.

One thing about DDoS is that with any connection-oriented protocol (TCP, 
TLS, HTTPS, or QUIC) you don't need to overbuild your infrastructure 
to the same degree, because spoofing the source address is a lot harder and 
you can drop unsophisticated traffic floods at or near your edge.

In my mind this probably means changing from the 10x peak-traffic (or 
more!) over-build that authoritative providers have today to a much 
smaller factor.

For unencrypted TCP you can probably get back the 4x or so higher cost 
of running TCP vs. UDP. For encrypted traffic probably not, but I have 
no idea what the additional costs there are (I heard that earlier 
implementations of QUIC were CPU hogs, for example).

Cheers,

--
Shane
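The mechanism behind the point made above (a spoofed-source flood gets a free, larger reply from a UDP service, but cannot get a TCP connection established because the SYN-ACK goes to the spoofed address) as an added toy model. This is example code written for this page, not code from the poster or from any DNS implementation; the host names, the SYN-cookie construction, the packet layout, the fixed secret and the 100-packet flood are all constructed for the illustration. It assumes a network that, like one without BCP 38 ingress filtering, delivers packets to whatever destination they name without checking the source.

```python
"""Constructed toy model (added example, not from the original post): why a
spoofed-source flood gets a reflected answer from a UDP service but never an
established connection from a TCP service that uses SYN cookies.
All host names, sizes and packet formats are made up for the illustration."""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass
class Packet:
    src: str           # claimed source; the network never verifies it
    dst: str
    proto: str         # "udp" or "tcp"
    flags: str = ""    # "SYN", "SYN-ACK", "ACK" for the tcp toy
    seq: int = 0
    ack: int = 0
    payload: str = ""


class Network:
    """Delivers every packet to the host named in dst (no ingress filtering)."""

    def __init__(self):
        self.hosts = {}

    def send(self, pkt):
        host = self.hosts.get(pkt.dst)
        if host is not None:        # packets to unknown hosts are silently lost
            host.receive(pkt, self)


class Server:
    """Authoritative-style service answering on both UDP and TCP."""

    def __init__(self, addr, secret):
        self.addr = addr
        self.secret = secret        # SYN-cookie key; fixed here so the run is reproducible
        self.established = []
        self.udp_answers = 0

    def cookie(self, src):
        # Initial sequence number bound to the peer address: only a host that
        # actually receives the SYN-ACK can echo it back in the final ACK.
        mac = hmac.new(self.secret, src.encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def receive(self, pkt, net):
        if pkt.proto == "udp":
            # UDP: answer at once to whatever address the query claimed. The reply
            # is larger than the query, which is the reflection/amplification
            # primitive used against UDP-only services.
            self.udp_answers += 1
            net.send(Packet(self.addr, pkt.src, "udp", payload="ANSWER " * 10))
        elif pkt.proto == "tcp" and pkt.flags == "SYN":
            # No per-connection state is kept yet; the cookie carries it.
            net.send(Packet(self.addr, pkt.src, "tcp", "SYN-ACK",
                            seq=self.cookie(pkt.src), ack=pkt.seq + 1))
        elif pkt.proto == "tcp" and pkt.flags == "ACK":
            if pkt.ack == self.cookie(pkt.src) + 1:
                self.established.append(pkt.src)
            # Otherwise drop: the sender never saw our SYN-ACK, so it is spoofed
            # or broken, and rejecting it costs nothing beyond this one check.


class Client:
    """Honest client, reachable at its own address, so it can finish the handshake."""

    def __init__(self, addr):
        self.addr = addr

    def receive(self, pkt, net):
        if pkt.proto == "tcp" and pkt.flags == "SYN-ACK":
            net.send(Packet(self.addr, pkt.src, "tcp", "ACK",
                            seq=pkt.ack, ack=pkt.seq + 1))

    def connect(self, net, server_addr):
        net.send(Packet(self.addr, server_addr, "tcp", "SYN", seq=1000))


class Victim:
    """Host whose address the attacker spoofs; it only sees unsolicited traffic."""

    def __init__(self, addr):
        self.addr = addr
        self.udp_bytes = 0
        self.syn_acks = 0

    def receive(self, pkt, net):
        if pkt.proto == "udp":
            self.udp_bytes += len(pkt.payload)
        elif pkt.flags == "SYN-ACK":
            self.syn_acks += 1      # a real stack would answer with RST; no amplification


def run_scenario(n_spoofed=100):
    """Attacker sends n_spoofed UDP queries and n_spoofed blind SYN/ACK pairs,
    all with the victim's address as source; one honest client connects."""
    net = Network()
    server = Server("auth.example", secret=b"constructed-fixed-secret")
    victim = Victim("victim.example")
    client = Client("client.example")
    for host in (server, victim, client):
        net.hosts[host.addr] = host

    attacker_udp_bytes = 0
    for i in range(n_spoofed):
        q = Packet(victim.addr, server.addr, "udp", payload="Q")
        attacker_udp_bytes += len(q.payload)
        net.send(q)
        # Spoofed SYN, then a blind ACK guessing the cookie: the SYN-ACK went to
        # the victim, so the attacker can only guess the 32-bit value.
        net.send(Packet(victim.addr, server.addr, "tcp", "SYN", seq=i))
        net.send(Packet(victim.addr, server.addr, "tcp", "ACK", seq=i + 1, ack=i + 1))
    client.connect(net, server.addr)

    return {
        "udp_answers_sent": server.udp_answers,
        "victim_udp_bytes": victim.udp_bytes,
        "attacker_udp_bytes": attacker_udp_bytes,
        "victim_syn_acks": victim.syn_acks,
        "established": server.established,
    }


if __name__ == "__main__":
    print(run_scenario())
```

In the run, every spoofed UDP query earns the victim a reply 70 times larger than the query, while the 100 spoofed TCP handshakes leave the server with no state and no established connection; only the honest client, which can actually receive the SYN-ACK, completes. The victim still receives one small SYN-ACK per spoofed SYN, which is the caveat a practitioner should keep in mind: TCP removes the amplification and the server-side commitment, not the reflected packet itself.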