Re: I-D ACTION:draft-ietf-dnsext-forgery-resilience-01.txt

Peter Koch <pk@DENIC.DE> Mon, 13 August 2007 14:47 UTC

Date: Mon, 13 Aug 2007 16:42:33 +0200
From: Peter Koch <pk@DENIC.DE>
To: IETF DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: I-D ACTION:draft-ietf-dnsext-forgery-resilience-01.txt
Message-ID: <20070813144233.GA28868@denics7.denic.de>
References: <E1IIPpu-0003yG-Ss@stiedprstage1.ietf.org> <46C03070.7020604@isc.org> <20070813110643.GB24229@outpost.ds9a.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20070813110643.GB24229@outpost.ds9a.nl>
User-Agent: Mutt/1.4i
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>

On Mon, Aug 13, 2007 at 01:06:43PM +0200, bert hubert wrote:

> > Why? I mean, firewalls often block these, but any special reason other than that?
> 
> No, I think Peter Koch suggested it for this reason. No other special

this was one of the operational issues I had (review of -01 still pending).
There are still many people out there with stateless packet filters and
recommending a default behaviour should take into account the consequences
for the operator.

> If you turn it to 64511 you get DJBDNS or PowerDNS, and the highest
> possible protection against spoofing.

Yes, but at what cost and operational complexity? Many sites completely block
UDP ports 2049, 135-139 and others at their perimeter.  "Chargen" is a very
nice source port for DNS queries as well, so there's a lot to avoid.
A name server that is just "as open as possible" may not see the responses
to some of the queries it sends.

1024 is not magic, but it's often enough the threshold value chosen for inbound
packets. Also, a couple of years ago CAIDA, I think, did some research on source
port distribution.  We've done some stats on our AS112 system and see similar
results (see also John K's posting):  53 is the only "low" port with noteworthy
use, with huge numbers starting at 1024 and again at 32768.
Even though it would cut the space to 25%, recommending ports in the "dynamic"
port range (49152-65535) might be a better approach.

-Peter

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
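The trade-off Peter describes (source-port entropy against a forger versus the chance that a stateless perimeter filter eats the response) can be made concrete with a few lines of code. The following is an added illustration, not code from the thread or from any resolver mentioned in it. It assumes a resolver that draws its query source port uniformly from a configurable range and skips a small avoid-list; the avoid-list is constructed from the ports named in the message (53, 135-139, 2049), and the sample of "observed" source ports used for the histogram is constructed, not AS112 data.

```python
"""Source-port range policy for a DNS resolver: entropy vs. filter friendliness.

Added example; assumptions: a resolver picks its UDP source port uniformly
from a configured range, skipping a small avoid-list, and pairs it with a
16-bit transaction ID. Everything below is constructed for illustration.
"""
import math
import secrets
from collections import Counter

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
DYNAMIC_RANGE = (49152, 65535)       # IANA dynamic/private range (proposed in the thread)
UNPRIVILEGED_RANGE = (1024, 65535)   # "as open as possible" above the 1024 threshold

# Ports the message says perimeter filters commonly block, or that make poor
# DNS source ports for other reasons. Constructed avoid-list, not a standard.
AVOID_PORTS = frozenset({53, 2049, *range(135, 140)})


def usable_ports(lo, hi, avoid=AVOID_PORTS):
    """All ports in [lo, hi] that the policy is willing to use."""
    return [p for p in range(lo, hi + 1) if p not in avoid]


def port_entropy_bits(lo, hi, avoid=AVOID_PORTS):
    """Entropy (bits) contributed by the source port under this policy."""
    return math.log2(len(usable_ports(lo, hi, avoid)))


def forgery_search_space(lo, hi, avoid=AVOID_PORTS):
    """(txid, port) combinations an off-path forger must cover to hit one query."""
    return TXID_SPACE * len(usable_ports(lo, hi, avoid))


def range_ratio(narrow, wide, avoid=AVOID_PORTS):
    """Fraction of the wide range's usable ports kept when restricting to narrow."""
    return len(usable_ports(*narrow, avoid)) / len(usable_ports(*wide, avoid))


def pick_source_port(lo, hi, avoid=AVOID_PORTS):
    """Uniformly random source port from the policy range, never an avoided port.

    secrets.randbelow is used rather than random.randint because the port is a
    security-relevant value: a predictable PRNG would hand the entropy back.
    """
    ports = usable_ports(lo, hi, avoid)
    return ports[secrets.randbelow(len(ports))]


def bucket_source_ports(ports):
    """Histogram observed query source ports into the bands the message describes.

    Useful when reviewing inbound query logs to see what a perimeter filter
    with a 1024 threshold would actually affect.
    """
    counts = Counter()
    for p in ports:
        if p < 1024:
            counts["low (<1024)"] += 1
        elif p < 32768:
            counts["1024-32767"] += 1
        elif p < 49152:
            counts["32768-49151"] += 1
        else:
            counts["dynamic (49152-65535)"] += 1
    return counts


if __name__ == "__main__":
    for name, rng in (("unprivileged", UNPRIVILEGED_RANGE), ("dynamic", DYNAMIC_RANGE)):
        lo, hi = rng
        print(f"{name:12s} ports={len(usable_ports(lo, hi)):6d} "
              f"port bits={port_entropy_bits(lo, hi):.2f} "
              f"total bits={math.log2(forgery_search_space(lo, hi)):.2f}")
    print("dynamic/unprivileged =", round(range_ratio(DYNAMIC_RANGE, UNPRIVILEGED_RANGE), 3))
    # Constructed sample of source ports, shaped like the distribution described.
    sample = [53, 53, 53, 1024, 1025, 2000, 32768, 32769, 49152, 60000, 65000]
    print(bucket_source_ports(sample))
    print("example query source port:", pick_source_port(*DYNAMIC_RANGE))
```

Restricting to the dynamic range keeps 14 bits of port entropy (16384 ports, 30 bits together with the transaction ID) and, by the numbers above, roughly a quarter of the ports the unrestricted 1024-65535 policy would use, which is the "cut the space to 25%" in the message; what it buys is that no query ever leaves on a port a stateless filter is likely to drop.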