Re: [DNSOP] my lone hum against draft-wkumari-dnsop-multiple-responses

"Ralf Weber" <dns@fl1ger.de> Wed, 20 July 2016 12:20 UTC

From: Ralf Weber <dns@fl1ger.de>
To: 延志伟 <yzw_iplab@163.com>
Date: Wed, 20 Jul 2016 14:20:45 +0200
Message-ID: <CB723A3C-8DE8-4E01-AC08-94161CCB5468@fl1ger.de>
In-Reply-To: <3f3d0268.51bf.15606cbef7f.Coremail.yzw_iplab@163.com>
References: <b00ec4.3833.15606420d47.Coremail.yzw_iplab@163.com> <236F5488-42D4-4A89-ACAB-B55FD2B5782A@fl1ger.de> <3f3d0268.51bf.15606cbef7f.Coremail.yzw_iplab@163.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FDAiT_5mVvw-7i0uhTQPeLZ_ghc>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] my lone hum against draft-wkumari-dnsop-multiple-responses

Moin!

On 20 Jul 2016, at 7:34, 延志伟 wrote:
> I understand your points, but these risks will always be there because a DNS 
> response is larger than the request, like DNSSEC.
Yes, which is why we have several proposals on how to mitigate the 
problem by e.g. not giving back ALL qtypes to an ANY question, or rate 
limiting ANY or answers in general. There also are tools out there that can 
limit based on the answer size, all of that to mitigate or make the 
handling of the amplification better.

> How to avoid DNS DDoS is another problem.
If you introduce something that makes the answer bigger without 
acknowledging that there could be a problem with it, or it is another 
problem, you have not been following what is going on in the Internet 
lately.

Others have acknowledged that and described a way forward to mitigate it 
(TCP, TLS, Cookies) which introduces a whole other set of problems (some 
introduce additional round trips), which furthermore diminishes the gain 
to effort ratio IMHO.

> Anyway, the cache should get the data first and then it can cache them.
> :-)
That is true, but an answer out of the cache is served a lot of times 
before it has to be cached again, so you are gaining something for that 
tiny fraction of users where the cache is cold or has become cold (not a 
problem if you use software that prefetches), but putting all others at 
risk. Not a good idea IMHO.

So long
-Ralf
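As an added illustration of the answer-size-based limiting Ralf refers to (this is not code from the thread or from any DNS server), the following Python sketch computes the amplification factor of each response and applies a per-/24 byte budget: a small response almost always fits, a large ANY-style response exhausts the budget quickly, and once it is exhausted the server sends a truncated (TC=1) reply so that a real client retries over TCP while a spoofed victim only receives a tiny packet. The byte rate, burst size, /24 grouping and the log records are all constructed assumptions.

```python
from ipaddress import ip_network

# Constructed sample of served responses:
# (timestamp_seconds, client_ip, qtype, request_bytes, response_bytes)
SAMPLE_RESPONSES = [
    (0.0, "198.51.100.7", "A", 45, 61),
    (0.1, "198.51.100.7", "ANY", 45, 3200),
    (0.2, "198.51.100.7", "ANY", 45, 3200),
    (0.3, "198.51.100.9", "ANY", 45, 3200),   # same /24 as above
    (0.4, "203.0.113.20", "AAAA", 45, 73),
    (5.0, "198.51.100.7", "ANY", 45, 3200),   # budget has refilled
]


def amplification(request_bytes, response_bytes):
    """Bytes sent to the (possibly spoofed) client per byte received."""
    return response_bytes / request_bytes


class ByteBudgetLimiter:
    """Token bucket per client /24, measured in response bytes, not queries.

    Large answers drain the bucket much faster than small ones, so the
    limiter naturally bites on amplification-sized responses first.
    """

    def __init__(self, bytes_per_second, burst_bytes):
        self.rate = bytes_per_second
        self.burst = burst_bytes
        self.buckets = {}  # prefix -> (tokens, last_timestamp)

    def decide(self, ts, client_ip, response_bytes):
        prefix = str(ip_network(f"{client_ip}/24", strict=False))
        tokens, last = self.buckets.get(prefix, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if response_bytes <= tokens:
            self.buckets[prefix] = (tokens - response_bytes, ts)
            return "send"
        # Budget exhausted: keep the refilled tokens, answer with TC=1 so a
        # legitimate resolver retries over TCP (one extra round trip).
        self.buckets[prefix] = (tokens, ts)
        return "truncate"


def apply_limiter(records, limiter):
    """Return (client, qtype, amplification, action) for each record."""
    return [
        (client, qtype, round(amplification(req, resp), 1),
         limiter.decide(ts, client, resp))
        for ts, client, qtype, req, resp in records
    ]
```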