[116496] in North American Network Operators' Group


Re: DNS hardening, was Re: Dan Kaminsky

daemon@ATHENA.MIT.EDU (Douglas Otis)
Wed Aug 5 18:54:30 2009

Date: Wed, 05 Aug 2009 15:53:32 -0700
From: Douglas Otis <dotis@mail-abuse.org>
To: Christopher Morrow <morrowc.lists@gmail.com>
In-Reply-To: <75cb24520908051449n29c53491m90fd021022d9816f@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 8/5/09 2:49 PM, Christopher Morrow wrote:
> and state-management seems like it won't be too much of a problem on
> that dns server... wait, yes it will.

DNSSEC UDP will likely become problematic.  This might be due to 
reflected attacks, fragmentation related congestion, or packet loss. 
When it does, TCP fallback will be tried.  TCP must retain state for every 
attempt to connect, and will require significantly greater resources for 
comparable levels of resilience.

SCTP instead uses cryptographic cookies and the client to retain this 
state information.  SCTP can bundle several transactions into a common 
association, which reduces overhead and latency compared against TCP. 
SCTP ensures against source-spoofed reflected attacks or related 
resource exhaustion.  TCP and UDP do not.  Under load, SCTP can 
redirect services without using anycast.  TCP cannot.

-Doug
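The contrast Doug draws above (a TCP listener must hold state for every connection attempt, while an SCTP endpoint hands the state back to the client inside a MAC-protected cookie and allocates nothing until the cookie is echoed) is easy to see in a simulation. The following is an added example, not code from the post or from any SCTP implementation; it models a simplified RFC 4960 style INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK exchange next to a plain TCP-style backlog without SYN cookies, floods both with packets from forged (constructed 10.x.y.z) source addresses, and then checks whether a legitimate client can still get through. The class and function names (StatelessSctpServer, StatefulTcpServer, simulate_spoofed_flood), the cookie layout and the backlog size are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct
import time

MAC_LEN = 32      # SHA-256 tag appended to every cookie (assumed layout)
HDR_LEN = 12      # init_tag, server_tag, issued-at: three big-endian uint32


class StatelessSctpServer:
    """Server side of an SCTP-style INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK
    handshake (loosely modelled on RFC 4960 section 5.1; simplified).
    Nothing is stored for a peer until its COOKIE-ECHO verifies."""

    def __init__(self, secret=None, cookie_life=60):
        self.secret = secret if secret is not None else os.urandom(32)
        self.cookie_life = cookie_life          # seconds a cookie stays valid
        self.associations = {}                  # (src_addr, init_tag) -> server_tag

    def _mac(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, src_addr, init_tag, now=None):
        """Handle INIT: build the state cookie and return it (in INIT-ACK).
        The server keeps no record of this exchange, so a spoofed INIT costs
        only one HMAC; the INIT-ACK goes to whoever owns src_addr."""
        now = int(time.time() if now is None else now)
        server_tag = struct.unpack(">I", os.urandom(4))[0]
        body = struct.pack(">III", init_tag, server_tag, now) + src_addr.encode()
        return server_tag, body + self._mac(body)

    def on_cookie_echo(self, src_addr, cookie, now=None):
        """Handle COOKIE-ECHO: verify the cookie, then (and only then)
        allocate association state. True means COOKIE-ACK, False means drop."""
        now = int(time.time() if now is None else now)
        if len(cookie) < HDR_LEN + MAC_LEN:
            return False
        body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        if not hmac.compare_digest(self._mac(body), mac):
            return False                        # forged or tampered cookie
        init_tag, server_tag, issued = struct.unpack(">III", body[:HDR_LEN])
        if body[HDR_LEN:] != src_addr.encode():
            return False                        # cookie bound to the INIT source
        if now - issued > self.cookie_life:
            return False                        # stale cookie, limits replay
        self.associations[(src_addr, init_tag)] = server_tag
        return True


class StatefulTcpServer:
    """TCP-style listener without SYN cookies: every SYN occupies a half-open
    slot until the handshake completes or the entry times out."""

    def __init__(self, backlog=1024):
        self.backlog = backlog
        self.half_open = {}                     # (src_addr, src_port) -> ISN
        self.dropped = 0

    def on_syn(self, src_addr, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                   # backlog full: SYN is lost
            return None
        isn = struct.unpack(">I", os.urandom(4))[0]
        self.half_open[(src_addr, src_port)] = isn
        return isn


def simulate_spoofed_flood(n=5000, backlog=1024):
    """Send n INIT/SYN packets with forged sources to each server, then let one
    legitimate client (192.0.2.10, a documentation address) try to connect."""
    sctp = StatelessSctpServer(cookie_life=60)
    tcp = StatefulTcpServer(backlog=backlog)
    now = 1_700_000_000                         # fixed clock for repeatability
    for i in range(n):
        spoofed = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        sctp.on_init(spoofed, init_tag=i, now=now)      # no state kept
        tcp.on_syn(spoofed, src_port=40000 + (i % 20000))  # slot consumed
    sctp_state_after_flood = len(sctp.associations)
    # Legitimate client: can complete the cookie handshake, cannot get a slot.
    _, cookie = sctp.on_init("192.0.2.10", init_tag=7, now=now + 1)
    sctp_ok = sctp.on_cookie_echo("192.0.2.10", cookie, now=now + 2)
    tcp_ok = tcp.on_syn("192.0.2.10", 51000) is not None
    return {
        "sctp_state_after_flood": sctp_state_after_flood,
        "sctp_legit_ok": sctp_ok,
        "tcp_half_open": len(tcp.half_open),
        "tcp_legit_ok": tcp_ok,
    }


if __name__ == "__main__":
    print(simulate_spoofed_flood())
```

After 5000 spoofed packets the TCP backlog sits full at 1024 half-open entries and the legitimate SYN is dropped, while the SCTP side holds zero associations and accepts the genuine COOKIE-ECHO; a cookie replayed from another address, altered by one byte, or echoed after its lifetime is rejected before any state is allocated. The one thing this model does not capture is the INIT-ACK itself, which still travels to the spoofed address, so the reflection concern in the post is reduced to a single small reply rather than removed.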
