Re: [DNSOP] my lone hum against draft-wkumari-dnsop-multiple-responses
Jim Reid <jim@rfc1035.com> Wed, 20 July 2016 07:19 UTC
Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA4A712DAD3 for <dnsop@ietfa.amsl.com>; Wed, 20 Jul 2016 00:19:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u23gGNRIjxKl for <dnsop@ietfa.amsl.com>; Wed, 20 Jul 2016 00:19:27 -0700 (PDT)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D91712DADE for <dnsop@ietf.org>; Wed, 20 Jul 2016 00:18:48 -0700 (PDT)
Received: from [10.24.255.10] (unknown [46.189.28.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 6CB2E2421411; Wed, 20 Jul 2016 07:18:45 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <20160720051949.8FC154EF155E@rock.dv.isc.org>
Date: Wed, 20 Jul 2016 08:18:44 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <36A593C1-1F01-4FE1-BC9A-3279F6460358@rfc1035.com>
References: <b00ec4.3833.15606420d47.Coremail.yzw_iplab@163.com> <236F5488-42D4-4A89-ACAB-B55FD2B5782A@fl1ger.de> <20160720051949.8FC154EF155E@rock.dv.isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ce4X63JVgR4rB4Llhlrxy0QTJRo>
Cc: IETF dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] my lone hum against draft-wkumari-dnsop-multiple-responses
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 07:19:30 -0000
> On 20 Jul 2016, at 06:19, Mark Andrews <marka@isc.org> wrote: > >> That's not who DDos work. If attacker would only do what the specs say >> we wouldn't have any DDos. But an attacker can just create an UDP packet >> with that bits and a spoofed address and fire it off (or get a botnet to >> fire it off). > > Which is why DNS COOKIES with a valid server cookie / TCP / DNS-O-TLS > was suggests as being a necessary precondition. The draft does not say that Mark. Under Security Considerations, it says: "One could mitigate this by only serving responses to EXTRA requests over TCP or when using Cookies [RFC5395], although there is no easy way to signal this to a client other than through the use of the truncate bit." It's a bit of a stretch to call that a suggestion and a far bigger one to claim cookies and/or TCP as a necessary precondition. There's no language like "clients and servers SHOULD (MUST?) use DNS cookies/TCP/DNSoverTLS for EXTRA queries and responses". Well, not yet anyway. Maybe in the next release. And if DNS over TLS is the answer, the overheads of that handshake would more than cancel out the benefit of optimising away an extra query/response RTT. FWIW, I think it's a Bad Idea and the start of a very slippery slope to make queries or responses to QTYPEs dependent on the underlying transport protocol (modulo AXFR of course). Are layering violations acceptable nowadays?
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ted Lemon
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Bob Harold
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Mukund Sivaraman
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Mukund Sivaraman
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Stephane Bortzmeyer
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Paul Wouters
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Mukund Sivaraman
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Paul Wouters
- [DNSOP] Asking for TCP and/or cookies: a trend? (… Stephane Bortzmeyer
- Re: [DNSOP] my lone hum against draft-wkumari-dns… 延志伟
- Re: [DNSOP] my lone hum against draft-wkumari-dns… 延志伟
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Peter van Dijk
- Re: [DNSOP] my lone hum against draft-wkumari-dns… 延志伟
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Jim Reid
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Mark Andrews
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Jim Reid
- Re: [DNSOP] my lone hum against draft-wkumari-dns… 延志伟
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Mark Andrews
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ted Lemon
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Matthew Pounsett
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ted Lemon
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Matthew Pounsett
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Christopher Morrow
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… George Michaelson
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Robert Edmonds
- [DNSOP] my lone hum against draft-wkumari-dnsop-m… Paul Wouters
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber