Re: [DNSOP] Asking for TCP and/or cookies: a trend? (Was: my lone hum against draft-wkumari-dnsop-multiple-responses
Paul Wouters <paul@nohats.ca> Fri, 22 July 2016 10:45 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2DE512DC77 for <dnsop@ietfa.amsl.com>; Fri, 22 Jul 2016 03:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level:
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-Seo24YrmYj for <dnsop@ietfa.amsl.com>; Fri, 22 Jul 2016 03:45:22 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB41A12DAA7 for <dnsop@ietf.org>; Fri, 22 Jul 2016 03:45:21 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3rwnNZ69Xgz25X; Fri, 22 Jul 2016 12:45:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1469184318; bh=GchE0eHE/MAXEZXdoD+vFdzAdVEioN08fVsD7+Qa7Uk=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=twJ8xhzWunzNodf1puO04lHRhmlsB3ggII10fIOqw0A4ehHBGXi1E9g385ZpMRHZh A329SCQUBhrrtOwohHVoOEBzpgEvKUVjrwyfFarbqKxWa5Vs+Sr3YQNF5G1zgtpsIj dNal5Wx71Bmqln6VhvbNira3WEW7ikv6JiRwj1VY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id RnN8vXu2IfKf; Fri, 22 Jul 2016 12:45:18 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 22 Jul 2016 12:45:18 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 21627393D67; Fri, 22 Jul 2016 06:45:17 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 21627393D67
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 192CE40D6F5B; Fri, 22 Jul 2016 06:45:17 -0400 (EDT)
Date: Fri, 22 Jul 2016 06:45:16 -0400
From: Paul Wouters <paul@nohats.ca>
To: Mukund Sivaraman <muks@isc.org>
In-Reply-To: <20160721153845.GA13632@jurassic>
Message-ID: <alpine.LRH.2.20.1607220638520.12891@bofh.nohats.ca>
References: <b00ec4.3833.15606420d47.Coremail.yzw_iplab@163.com> <236F5488-42D4-4A89-ACAB-B55FD2B5782A@fl1ger.de> <20160720051949.8FC154EF155E@rock.dv.isc.org> <36A593C1-1F01-4FE1-BC9A-3279F6460358@rfc1035.com> <D65E8617-107E-4B13-986F-24088D0C57C2@powerdns.com> <20160721133730.GA10324@nic.fr> <alpine.LRH.2.20.1607211101590.17541@bofh.nohats.ca> <20160721153845.GA13632@jurassic>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VWWMfNnTNNDm5b-NKixmSF-h7yw>
Cc: IETF dnsop WG <dnsop@ietf.org>, Peter van Dijk <peter.van.dijk@powerdns.com>
Subject: Re: [DNSOP] Asking for TCP and/or cookies: a trend? (Was: my lone hum against draft-wkumari-dnsop-multiple-responses
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 10:45:24 -0000
On Thu, 21 Jul 2016, Mukund Sivaraman wrote: > On Thu, Jul 21, 2016 at 11:10:10AM -0400, Paul Wouters wrote: >> And I have been wondering if we should allow for a DNS padding in the >> query packet to ensure answer packets (over UDP) are going to be >> smaller then the query packet. And therefore prevents DDOS >> amplification. > > This has been mentioned before. Some thoughts: > > For DNS, this can affect some cases such as query packets not making it > to the server due to size, lack of ability of the client to guess what > the answer's message size may be, and also EDNS UDP payload size > behavior. We only need to make it less attractive, we don't have to guarantee the question is larger. Just close the gap between question and answer. So doing a 1200 byte dns query packet could be safe? > Once a client cookie has been established (associated with a source IP > address), there's no need to use padding, so perhaps this could be a > step in the initial handshake when the cookie is established - there > could be message size limits to these cookie-establishment query and > reply. That's very true, but it requires we have a lot more clients supporting COOKIEs before we can punish those small questions that don't. Which I guess applies to the padding question too, so yeah I guess my idea is not enough too late and we should just deploy cookies. > DJB's curveCP comes to mind about how it prevents amplification for the > initial handshake. some googling only finds marketing material, not a specification I can read :P Paul
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ted Lemon
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Bob Harold
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Mukund Sivaraman
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Mukund Sivaraman
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Stephane Bortzmeyer
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Paul Wouters
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Mukund Sivaraman
- Re: [DNSOP] Asking for TCP and/or cookies: a tren… Paul Wouters
- [DNSOP] Asking for TCP and/or cookies: a trend? (… Stephane Bortzmeyer
- Re: [DNSOP] my lone hum against draft-wkumari-dns… 延志伟
- Re: [DNSOP] my lone hum against draft-wkumari-dns… 延志伟
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Peter van Dijk
- Re: [DNSOP] my lone hum against draft-wkumari-dns… 延志伟
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Jim Reid
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Mark Andrews
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Jim Reid
- Re: [DNSOP] my lone hum against draft-wkumari-dns… 延志伟
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Mark Andrews
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ted Lemon
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Matthew Pounsett
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ted Lemon
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Matthew Pounsett
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Christopher Morrow
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber
- Re: [DNSOP] my lone hum against draft-wkumari-dns… George Michaelson
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Robert Edmonds
- [DNSOP] my lone hum against draft-wkumari-dnsop-m… Paul Wouters
- Re: [DNSOP] my lone hum against draft-wkumari-dns… Ralf Weber