IETF Logo Mail Archive

Re: [DNSOP] my lone hum against draft-wkumari-dnsop-multiple-responses

Mark Andrews <marka@isc.org> Wed, 20 July 2016 05:20 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CF7C12D0E7 for <dnsop@ietfa.amsl.com>; Tue, 19 Jul 2016 22:20:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.188
X-Spam-Level:
X-Spam-Status: No, score=-8.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hjKO8XtmxZ3v for <dnsop@ietfa.amsl.com>; Tue, 19 Jul 2016 22:20:12 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C544912D0C9 for <dnsop@ietf.org>; Tue, 19 Jul 2016 22:20:12 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id 934F31FCAD8; Wed, 20 Jul 2016 05:20:08 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 6DBDE160076; Wed, 20 Jul 2016 05:20:07 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 4F1E2160084; Wed, 20 Jul 2016 05:20:07 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id DJQclHJhAXlJ; Wed, 20 Jul 2016 05:20:07 +0000 (UTC)
Received: from rock.dv.isc.org (p4FC092D2.dip0.t-ipconnect.de [79.192.146.210]) by zmx1.isc.org (Postfix) with ESMTPSA id D6ED1160076; Wed, 20 Jul 2016 05:20:06 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 8FC154EF155E; Wed, 20 Jul 2016 15:19:49 +1000 (EST)
To: Ralf Weber <dns@fl1ger.de>
From: Mark Andrews <marka@isc.org>
References: <b00ec4.3833.15606420d47.Coremail.yzw_iplab@163.com> <236F5488-42D4-4A89-ACAB-B55FD2B5782A@fl1ger.de>
In-reply-to: Your message of "Wed, 20 Jul 2016 07:07:01 +0200." <236F5488-42D4-4A89-ACAB-B55FD2B5782A@fl1ger.de>
Date: Wed, 20 Jul 2016 15:19:49 +1000
Message-Id: <20160720051949.8FC154EF155E@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-c-tgSjnDet8C5pg6251bbFHENk>
Cc: 延志伟 <yzw_iplab@163.com>, dnsop@ietf.org
Subject: Re: [DNSOP] my lone hum against draft-wkumari-dnsop-multiple-responses
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 05:20:14 -0000

In message <236F5488-42D4-4A89-ACAB-B55FD2B5782A@fl1ger.de>, "Ralf Weber" writes:
> Moin!
>
> On 20 Jul 2016, at 5:03,  wrote:
>
> > About the DDoS risk, it should not be worried so much because this
> > scheme is controlled/triggered by the recursive server (with a flag as
> > NN bit).
> > In other words, the recursive server can get the piggybacked multiple
> > responses only when it wants and of cource it can disable this model
> > anytime.
> That's not who DDos work. If attacker would only do what the specs say
> we wouldn't have any DDos. But an attacker can just create an UDP packet
> with that bits and a spoofed address and fire it off (or get a botnet to
> fire it off).

Which is why DNS COOKIES with a valid server cookie / TCP / DNS-O-TLS
was suggests as being a necessary precondition.

> > Another scenario to illustrate this proposal is under the DANE case:
> > A client wants to visit www.example.com.
> > But this domain name supports DANE can the TLSA record is configured
> > under the domain name: _443._tcp.www.example.com.
> > The client has to query the two names seperately.
> > Yes, it is just one more TTL, but why not to do the optimization with
> > a steerable method.
> Again if example.com is popular almost all the time this record will be
> in the cache already.

But the cache can be the other side of the world.  The browser vendors
aren't willing to go to SRV because they may need to make a second query
to the recursive server to get the addresses of the SRV targets.

>
> So long
> -Ralf
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.29.0 | Report a Bug | By Email | System Status