Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Paul Vixie <paul@redbarn.org> Tue, 17 March 2015 06:15 UTC

Message-ID: <5507C66B.8020407@redbarn.org>
Date: Tue, 17 Mar 2015 15:15:07 +0900
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 3.0.11 (Windows/20140602)
MIME-Version: 1.0
To: Mark Andrews <marka@isc.org>
References: <20150309110803.4516.qmail@cr.yp.to> <20150309151812.GA14897@xs.powerdns.com> <20150316142350.GB26918@xs.powerdns.com> <55075C41.9000208@brokendns.net> <13D58CB4-95BD-412B-A073-C95617E97BCE@redbarn.org> <55077A64.7050906@brokendns.net> <20150317011051.B1F952B67791@rock.dv.isc.org>
In-Reply-To: <20150317011051.B1F952B67791@rock.dv.isc.org>
Content-Type: multipart/alternative; boundary="------------020000060400050200020105"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/hq0Chc29rf6gPtUrGmG4xJTDsfY>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards
Precedence: list

note: replying only to dnsop@. no thread is ever appropriate for dnsop@
plus some other mailing list. please stop cc'ing dns-operations@ on your
replies; this is not an operational thread, and the people in the dns
community who care about protocol development, are probably on both lists.

> Mark Andrews <mailto:marka@isc.org>
> Tuesday, March 17, 2015 10:10 AM
>
> Lets get DNS cookies finalised so that TC=1 isn't needed for repeat
> legitimate clients. ...
>
> TC=1 for amplification suppression should be triggered by response
> size and whether you are a known repeat client or not rather than
> {meta} query type.

to be clear, response rate limiting will still be necessary even with
dns cookies in place.

without dns cookies, the requests don't have to have correct source-ip
addresses, and thus, a dns server can be made to attack the apparent
source of those queries. rrl helps with this.

with dns cookies, the requests have to have correct source-ip addresses,
and thus, a dns server can be made to attack its own upstream
infrastructure. rrl helps with this, also.

there should of course be more strict rate limits in place for the
former, than for the latter.

-- 
Paul Vixie

Attachment: compose-unknown-contact.jpg

Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Colm MacCárthaigh
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Ted Lemon
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Mark Andrews
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Nicholas Weaver
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… David Conrad
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… bert hubert
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… bert hubert
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Ray Bellis
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… bert hubert
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Ray Bellis
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… P Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Mark Andrews
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Yunhong Gu
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Yunhong Gu
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Sinatra
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Olafur Gudmundsson
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Florian Weimer
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] dnsop-any-notimp violates the DNS sta… Stephane Bortzmeyer
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Edward Lewis
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… bert hubert
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Jared Mauch
[DNSOP] dnsop-any-notimp violates the DNS standar… D. J. Bernstein
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Jared Mauch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… David C Lawrence
Re: [DNSOP] dnsop-any-notimp violates the DNS sta… John Levine
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Edward Lewis
[DNSOP] clarification on DNSOP charter Re: [dns-o… Suzanne Woolf
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… D. J. Bernstein
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Darcy Kevin (FCA)
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Darcy Kevin (FCA)
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Tony Finch
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… D. J. Bernstein
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Michael Graff
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Mark Andrews
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Randy Bush
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Masataka Ohta
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Vixie
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Morizot Timothy S
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Paul Wouters
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… David Conrad
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Morizot Timothy S
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Robert Edmonds
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Nicholas Weaver
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Morizot Timothy S
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Mark Andrews
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… Darcy Kevin (FCA)
Re: [DNSOP] [dns-operations] dnsop-any-notimp vio… D. J. Bernstein

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Attachment: compose-unknown-contact.jpg