IETF Logo Mail Archive

Re: [DNSOP] Some distinctions and a request - Have some class?

manning <bmanning@karoshi.com> Mon, 06 July 2015 06:44 UTC

Return-Path: <bmanning@karoshi.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D3401A8A68 for <dnsop@ietfa.amsl.com>; Sun, 5 Jul 2015 23:44:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.21
X-Spam-Level:
X-Spam-Status: No, score=-2.21 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sa0czJCVJi3m for <dnsop@ietfa.amsl.com>; Sun, 5 Jul 2015 23:44:00 -0700 (PDT)
Received: from vacation.karoshi.com (vacation.karoshi.com [198.32.6.68]) by ietfa.amsl.com (Postfix) with ESMTP id 09BA41A8A52 for <dnsop@ietf.org>; Sun, 5 Jul 2015 23:43:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by vacation.karoshi.com (Postfix) with ESMTP id C6823A241D0; Sun, 5 Jul 2015 23:43:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at karoshi.com
Received: from vacation.karoshi.com ([127.0.0.1]) by localhost (vacation.karoshi.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zh9T3g_9J_NA; Sun, 5 Jul 2015 23:43:31 -0700 (PDT)
Received: from [192.168.0.12] (cpe-23-240-123-116.socal.res.rr.com [23.240.123.116]) by vacation.karoshi.com (Postfix) with ESMTPSA id EF413A241C1; Sun, 5 Jul 2015 23:43:23 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: text/plain; charset="windows-1252"
From: manning <bmanning@karoshi.com>
In-Reply-To: <C667BD6E-677A-4FC7-9B0F-191FE1B8E961@shinkuro.com>
Date: Sun, 05 Jul 2015 23:43:05 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <14A6711E-CE6F-4808-AC11-A92E8937F409@karoshi.com>
References: <20150704063120.2380.qmail@ary.lan> <017CF015-8A06-40D5-9ECF-B7B7E208C7AF@frobbit.se> <6F830DF3-9FD6-43A1-8E9A-5854958BA848@shinkuro.com> <20150705115107.GA27268@sources.org> <F8D42EF3-CF9A-4836-A798-1AD18CDB5260@redbarn.org> <C667BD6E-677A-4FC7-9B0F-191FE1B8E961@shinkuro.com>
To: Steve Crocker <steve@shinkuro.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/r_-Q0wiRXwKlZUG03Mp2l9GkYcU>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, Vixie Paul <paul@redbarn.org>
Subject: Re: [DNSOP] Some distinctions and a request - Have some class?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 06:44:08 -0000

While not Paul or Stephane, I would like to point out that repeated, empirical evidence shows that simply dropping or ignoring queries has the 
operational effect of link saturation.   A quicker, more reliable DDoS vector may not exist.  I could not agree that dropping queries is sensible or
prudent, if the goal is to have a workable DNS.  As to delay as a mitigating strategy, well, that didm;t work so well either.  The original RFC 1918
blocks had no public DNS service.  We then made the mistake of standing them up.  The intent was to delay the response, with an NXDOMAIN first
and then a redirect into the private network.  It was never flaky enough and developers built around that.  This became apparent when we actually 
started responding authoritatively from these servers.   I think it was less than an hour before Herb and Jon were in my office and we had a call with
the President of the University.   Neither delay, nor redirection will be effective.  Either no answer or an authoritative answer give the community certainty.

I’ll step back and let the experts “solve” this.

manning
bmanning@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102



On 5July2015Sunday, at 5:30, Steve Crocker <steve@shinkuro.com> wrote:

> Stephane and Paul,
> 
> I’m ok with anything that provides effective negative feedback.  Dropping queries or redirecting them is ok with me.
> 
> Thanks,
> 
> Steve
> 
> On Jul 5, 2015, at 5:11 AM, P Vixie <paul@redbarn.org> wrote:
> 
>> Delay is expensive for responders since it requires state. Steve's goal of making some tld strings flaky so as to encourage developers to avoid DNS for those names could be met statelessly. For example delegate them to localhost.
>> 
>> On July 5, 2015 12:51:08 PM GMT+01:00, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>> On Sat, Jul 04, 2015 at 09:16:17AM -0700,
>>  Steve Crocker <steve@shinkuro.com> wrote 
>>  a message of 21 lines which said:
>> 
>>  except for the additional load it places on the root servers,
>> 
>> RFC 7535 could be a solution.
>> 
>>  I propose augmenting the DNS to include entries in the root that
>>  serve the purpose of giving slow NXDOMAIN responses instead of quick
>>  responses for those strings that the IETF has identified as not
>>  TLDs.
>> 
>> If it is a serious proposal, I object. Delaying answers require
>> keeping state in the authoritative name server and opens a nice DoS
>> boulevard.
>> 
>> 
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
>> -- 
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email