Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming

[Paul Vixie <paul@redbarn.org>]

On Friday, October 16, 2015 13:58:00 Joe Abley wrote:
> On 16 Oct 2015, at 13:15, Paul Hoffman wrote:
> > On 16 Oct 2015, at 10:07, Darcy Kevin (FCA) wrote:
> >> Let's see, millions of full-service resolvers, times the packet-count
> >> differential between UDP and TCP, times the average reload/restart
> >> frequency of those full-service resolvers per day/week/month. Can't a
> >> case be made from sheer volume?
> > 
> > The root operators have shown no concern about legitimate resolvers
> > asking a lot more queries.

i am a root operator and i reject your characterization of my position.

i don't want tcp tried first, ever. i understand that tcp would be tried 
first, for new-fangled clients who want to try to negotiate persistent tcp. 
but that should not include the priming query, because root name servers are 
expected to have a large number of rdns servers to serve, and tcpcb's will 
always be finite.

> > Given that using TCP for priming helps
> > mitigate an injection attack,

given that tcp is often blocked by firewalls since udp mostly just works and 
has always been tried first, i think that leaning on tcp to help with a 
priming injection attack has a low success likelihood. let's get the injection 
attack solved in other ways, for example, using dns cookies.

-- 
Paul