Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Michael Sinatra <michael@brokendns.net> Wed, 18 March 2015 08:15 UTC

Return-Path: <michael@brokendns.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8EAC1A00ED for <dnsop@ietfa.amsl.com>; Wed, 18 Mar 2015 01:15:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q4aLCBTjPLHQ for <dnsop@ietfa.amsl.com>; Wed, 18 Mar 2015 01:15:35 -0700 (PDT)
Received: from elwha.brokendns.net (elwha.brokendns.net [206.125.172.202]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C76871A00D8 for <dnsop@ietf.org>; Wed, 18 Mar 2015 01:15:35 -0700 (PDT)
Received: from sponge.burnttofu.net (unknown [IPv6:2601:9:4400:5500::2222]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elwha.brokendns.net (5.65c/IDA-1.4.4/5.63) with ESMTPSA id 9E3D3145F5; Wed, 18 Mar 2015 01:15:35 -0700 (PDT)
Message-ID: <55093427.3070008@brokendns.net>
Date: Wed, 18 Mar 2015 01:15:35 -0700
From: Michael Sinatra <michael@brokendns.net>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Paul Vixie <paul@redbarn.org>
References: <20150309110803.4516.qmail@cr.yp.to> <20150309151812.GA14897@xs.powerdns.com> <20150316142350.GB26918@xs.powerdns.com> <55075C41.9000208@brokendns.net> <13D58CB4-95BD-412B-A073-C95617E97BCE@redbarn.org> <55077A64.7050906@brokendns.net> <5507CA2B.5000206@redbarn.org> <55093346.2050005@brokendns.net>
In-Reply-To: <55093346.2050005@brokendns.net>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/YHXKeWxsRLYYFOoGMRjJpiTPncE>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2015 08:15:36 -0000


On 03/18/15 01:11, Michael Sinatra wrote:

> I think there are a few issues at play.  google and other public
> recursives will sometimes have multiple backend servers fetch a given RR
> when they receive a single query for that RR on one instance of, say,
> 8.8.8.8.  I am basing this both on observed behavior and on Geoff
> Huston's research (recently presented at NANOG).  And since nothing is
> cached, I get the same servers asking the same query over and over
> again.  Writ large, the result is that I end up with 1-2k of
> simultaneous TCP sessions, per server, per domain.  

Just a quick qualification: This is during an active attack, not as a
normal course of events.  However, the attacks can and will last for
several weeks.

michael