Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

paul@redbarn.org Tue, 18 July 2023 00:19 UTC

Date: Mon, 17 Jul 2023 17:19:31 -0700
Message-ID: <6d61b263-53eb-4d16-b69b-4463de6a9a1b@redbarn.org>
In-Reply-To: <30DE782D-E477-4A4A-BD1E-91DEC58BDE19@virtualized.org>
References: <20230717164035.5668EFE31C0B@ary.qy> <m14jm2eaiz.fsf@narrans.de> <ff32cd62-849a-7d2a-3697-0b7a742d3619@nohats.ca> <ff30dd1e-2e4a-f037-5676-fa26c523acb1@taugh.com> <CAH1iCipMsZzu-VCXGvO0SU=ta07TKbiUSRZtYS1uFBWzKLVMnA@mail.gmail.com> <330deaf1-cf31-787a-8ca9-780fd68236d9@taugh.com> <CAH1iCioy0_cOvrVA2S80JwzOGuDYukOXPCC+=edhyG=JCmoRwg@mail.gmail.com> <lQMQJg1qUYW2joN2qYWfiwdewUeALZqRco6Fcdo5V4oDUdUnmffSoHgVIzehR86lFvBeRAAptRdsewk_deDLGPQjq1riK7SysM_BWcqD2z0=@strandkip.nl> <ab175248-bbaa-899d-668f-70ebaa931d6e@redbarn.org> <8F5E7EA6-4C91-4E5C-9540-CDA6C7288989@virtualized.org> <99C325F2-06EB-4B8A-B85A-2C9082B48EFF@isc.org> <30DE782D-E477-4A4A-BD1E-91DEC58BDE19@virtualized.org>
From: paul@redbarn.org
To: Mark Andrews <marka@isc.org>, David Conrad <drc@virtualized.org>
Cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KDwOVfMay9GAUj82PJlzxrjt9qQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

You are right. My state mass observation was meant for the prior -1 where Joe referred to UDP as a legacy protocol. Apologies for the slop.


p vixie 


On Jul 17, 2023 17:15, David Conrad <drc@virtualized.org> wrote:

Mark, 

On Jul 17, 2023, at 4:23 PM, Mark Andrews <marka@isc.org> wrote: 
>> Joe is (correctly, IMHO) pointing out that given there is a need to support TCP-based DNS queries (see RFC 7766), prudent engineering would suggest you need to prepare for attacks against that infrastructure. As such arguing “state has mass” appears to miss the point. 
> And most servers will never see a DoS attack. 

And most servers (particularly the ones that wouldn’t see a DoS attack) wouldn’t notice the strain of TCP-based DNS requests. So? 

> TCP also puts much more load on recursive servers.  It slows down the resolution process.  DOT and DOH put even more load on recursive and authoritative servers. 

Again, missing the point, unless you believe there are going to be fewer TCP-based DNS queries over time and RFC 7766 should be deprecated. 

Engineering to how the Internet was in the past may not be an optimal strategy. 

Regards, 
-drc 

_______________________________________________ 
DNSOP mailing list 
DNSOP@ietf.org 
https://www.ietf.org/mailman/listinfo/dnsop