Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming

"Joe Abley" <jabley@hopcount.ca> Fri, 16 October 2015 17:58 UTC

From: Joe Abley <jabley@hopcount.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Date: Fri, 16 Oct 2015 13:58:00 -0400
Message-ID: <BCE894DC-01B6-42C4-9589-1C19CA395250@hopcount.ca>
In-Reply-To: <A7B11A56-A66F-4E13-9675-56344E25C403@vpnc.org>
References: <8149BC4D-F11E-4E4F-BBB8-C38D865A4184@vpnc.org> <20151016161831.58bdf78d@pallas.home.time-travellers.org> <56211942.20206@redbarn.org> <CAJE_bqcxjC=zS8tj6tKGX18UeEFm6GHcyRhjC7AFdh3x9-L=vA@mail.gmail.com> <d2f5212cbf9b4f46a5cae9f3af3f1f50@mxph4chrw.fgremc.it> <A7B11A56-A66F-4E13-9675-56344E25C403@vpnc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/VFC8addmOGwP2FXSy6bOros2Tvw>
Cc: dnsop WG <dnsop@ietf.org>, Darcy Kevin <kevin.darcy@fcagroup.com>
Subject: Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming


On 16 Oct 2015, at 13:15, Paul Hoffman wrote:

> On 16 Oct 2015, at 10:07, Darcy Kevin (FCA) wrote:
>
>> Let's see, millions of full-service resolvers, times the packet-count 
>> differential between UDP and TCP, times the average reload/restart 
>> frequency of those full-service resolvers per day/week/month. Can't a 
>> case be made from sheer volume?
>
> The root operators have shown no concern about legitimate resolvers 
> asking a lot more queries. Given that using TCP for priming helps 
> mitigate an injection attack,

Have we characterised this attack at all?

We're talking principally about a risk to resolvers that prime but don't 
validate, right?


Joe