Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

Mark Andrews <marka@isc.org> Mon, 13 February 2017 23:07 UTC

To: Vernon Schryver <vjs@rhyolite.com>
From: Mark Andrews <marka@isc.org>
References: <201702132243.v1DMhNKr062300@calcite.rhyolite.com>
In-reply-to: Your message of "Mon, 13 Feb 2017 22:43:23 +0000." <201702132243.v1DMhNKr062300@calcite.rhyolite.com>
Date: Tue, 14 Feb 2017 10:07:04 +1100
Message-Id: <20170213230704.390AF6397A00@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-RRyZVQ-OFfnGEUhOBbXd5IsrK4>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

In message <201702132243.v1DMhNKr062300@calcite.rhyolite.com>, Vernon Schryver writes:
> > From: Tony Finch <dot@dotat.at>
> 
> > One of the points of minimal-any is that the answer is not truncated
> > because you do not want clients to automatically retry over TCP. This is
> > to handle situations where many third-party recursive servers are under
> > attack using one of your names, so the recursive servers are hitting
> > your authoritative servers hard. RRL does not work in this case, because
> > the clients are legitimate recursive servers. You want to give them an
> > answer asap, that they can cache without hitting TCP.
> 
> On the contrary, as that case is described, RRL works fine, and
> this minimal-any mechanism won't help the obvious attack situation
> in that might be intended.
> 
> Each legitimate recursive server will ask once per some TTL and
> cache the rrsets that it gets.  No single legitimate recursive
> server will make a lot of ANY requests per unit time.
> 
> An attack that might be intended involves many open recursive servers
> (perhaps open only local infected eyeball stubs) being hit for only a
> few requests each (or at least passing on only a few each request) for
> your names but many all together.
> 
> However, in that case how many legitimate recursive servers will
> send ANY requests to authorities?

Any with an empty cache for the name when the query comes in and a qtype
255 in the request.

The hard part of a 255 request is that just having cached negative
responses for individual types doesn't result in a useful response
to the request.  You still need to recurse with qtype 255 to get
some data to return, including NODATA for an ENT.

Mark

> Vernon Schryver    vjs@rhyolite.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
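A toy model of the resolver-side behaviour Mark describes, added here and not part of the thread or of any BIND code: cached per-type negative (NODATA) entries cannot satisfy a qtype 255 (ANY) query, so the resolver must recurse with ANY once; the authority answers in minimal-ANY style (one RRset, never truncated) or NODATA for an empty non-terminal, and that answer is then cacheable. The zone contents, names and the `Resolver`/`authoritative` helpers are constructed for illustration; NXDOMAIN and TTLs are not modelled.

```python
ANY = 255
NODATA = ()  # empty tuple: cached negative answer for one (name, type)

# Constructed zone. "sub.example.com" is an empty non-terminal (ENT): it
# exists only because host.sub.example.com exists below it.
ZONE = {
    ("example.com", "A"): ("192.0.2.1",),
    ("example.com", "MX"): ("10 mail.example.com",),
    ("host.sub.example.com", "A"): ("192.0.2.2",),
}

def authoritative(name, qtype):
    """Authority side (constructed). For ANY, return at most one RRset in
    the minimal-ANY style so the reply stays small and is never truncated;
    a name owning no records (e.g. an ENT) yields NODATA, i.e. an empty dict."""
    owned = {t: r for (n, t), r in ZONE.items() if n == name}
    if qtype != ANY:
        return owned.get(qtype, NODATA)
    if not owned:
        return {}
    t = sorted(owned)[0]
    return {t: owned[t]}

class Resolver:
    """Recursive resolver with a per-(name, type) cache (constructed)."""
    def __init__(self):
        self.cache = {}    # (name, qtype) -> rdata tuple, NODATA, or ANY dict
        self.upstream = 0  # queries actually sent to the authority

    def query(self, name, qtype):
        if qtype != ANY:
            if (name, qtype) not in self.cache:
                self.upstream += 1
                self.cache[(name, qtype)] = authoritative(name, qtype)
            return self.cache[(name, qtype)]
        # Cached per-type answers, negative ones included, say nothing about
        # the other types the name may own, so ANY must go upstream once.
        if (name, ANY) not in self.cache:
            self.upstream += 1
            rrsets = authoritative(name, ANY)
            self.cache[(name, ANY)] = rrsets   # {} is cached NODATA for ANY
            for t, r in rrsets.items():        # positive RRsets are reusable
                self.cache[(name, t)] = r
        return self.cache[(name, ANY)]
```

After the single ANY recursion the RRset it returned also answers later single-type queries from cache, which is the cacheable, TCP-free outcome the minimal-ANY argument relies on.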