IETF Logo Mail Archive

Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming

Paul Vixie <paul@redbarn.org> Fri, 16 October 2015 18:54 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A08321ACDC5 for <dnsop@ietfa.amsl.com>; Fri, 16 Oct 2015 11:54:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yM4IfFirUS4d for <dnsop@ietfa.amsl.com>; Fri, 16 Oct 2015 11:54:34 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58B8F1ACDBD for <dnsop@ietf.org>; Fri, 16 Oct 2015 11:54:34 -0700 (PDT)
Received: from linux-rfx1.localnet (unknown [IPv6:2001:559:8000:cb:958d:c6fd:152:3050]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id F23F913B44; Fri, 16 Oct 2015 18:54:33 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: dnsop@ietf.org
Date: Fri, 16 Oct 2015 18:54:32 +0000
Message-ID: <2006463.tKbQZhsASq@linux-rfx1>
Organization: Vixie Freehold
User-Agent: KMail/4.14.10 (Linux/4.2.1-1-desktop; KDE/4.14.12; x86_64; ; )
In-Reply-To: <C5AC57FF-11B7-43B9-B339-7A63E6B71F5E@vpnc.org>
References: <8149BC4D-F11E-4E4F-BBB8-C38D865A4184@vpnc.org> <1653724.UdtLHTI650@linux-rfx1> <C5AC57FF-11B7-43B9-B339-7A63E6B71F5E@vpnc.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2459792.rOJZgv9dD3"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/5oVDpB6_rtTAcN5ULGUq-ylleQg>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 18:54:36 -0000

PaulOn Friday, October 16, 2015 11:47:54  Hoffman wrote:
> On 16 Oct 2015, at 11:30, Paul Vixie wrote:
> 
> > i don't want tcp tried first, ever. i understand that tcp would be
> > tried
> > first, for new-fangled clients who want to try to negotiate persistent
> > tcp.
> > but that should not include the priming query, because root name
> > servers are
> > expected to have a large number of rdns servers to serve, and tcpcb's
> > will
> > always be finite.
> 
> Are you arguing for a special case of "TCP to authoritative servers is
> fine, but not for the root servers"? If so, that's an interesting
> discussion for draft-ietf-dnsop-5966bis, which is still in WG Last Call.

no. as i wrote above, i just don't want tcp tried first for priming, no matter 
what tcp session persistency specifications may evolve separately. therefore 
the text in the current version of the draft is fine by me.

> 
> >>> Given that using TCP for priming helps
> >>> mitigate an injection attack,
> > 
> > given that tcp is often blocked by firewalls since udp mostly just
> > works and
> > has always been tried first, i think that leaning on tcp to help with
> > a
> > priming injection attack has a low success likelihood.
> 
> If a recursive resolver is behind a firewall that blocks TCP, the
> priming query will time out and they will use UDP.

well, sure. but there's no reason to risk that timeout. we know udp is going 
to work, and, we know we have to secure udp against insertion attacks using 
something other than source port randomization. dns cookies are a given, from 
the point of view that this priming rfc will live in. so there's no need for 
tcp in priming, and definitely no cause to risk a timeout or to create even a 
temporary state burden on the root name servers during priming.

> 
> > let's get the injection
> > attack solved in other ways, for example, using dns cookies.
> 
> If you believe that the extra CPU required for a root server to support
> https://tools.ietf.org/html/draft-ietf-dnsop-cookies-05 is less of a
> threat to the operations of the root server than that of persistent TCP
> connections, it would be great to see a write-up on that.

i hadn't mentioned cpu load. i'm talking about state load. cpu is very easy to 
upgrade, whereas tcp state blob storage, not so easy.

> The
> intelligent use of state for TCP seems to be similar to that for
> cookies, but comes with some major advantages. If rootops as a group
> support cookies instead of TCP, that's valuable information, but we
> haven't heard that yet.

the rootops as a whole don't, and won't, take a position on matters of this 
sort. this would be a matter for the rssac caucus to discuss and address. (the 
rootops are members of the rssac caucus, along with a lot of other people.)


-- 
Paul

v2.23.0 | Report a Bug | By Email