[116509] in North American Network Operators' Group


Re: DNS hardening, was Re: Dan Kaminsky

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Aug 5 21:54:18 2009

In-Reply-To: <4A7A0D6C.90808@mail-abuse.org>
Date: Wed, 5 Aug 2009 21:53:44 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Douglas Otis <dotis@mail-abuse.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Aug 5, 2009 at 6:53 PM, Douglas Otis<dotis@mail-abuse.org> wrote:
> On 8/5/09 2:49 PM, Christopher Morrow wrote:
>>
>> and state-management seems like it won't be too much of a problem on
>> that dns server... wait, yes it will.
>
> DNSSEC UDP will likely become problematic. This might be due to reflected
> attacks, fragmentation related congestion, or packet loss. When it does, TCP

because all of these problems aren't already problems today? how is
dnssec adding to this? or is your premise that dnssec adds to it
because it requires edns0 and larger responses?

> fallback will be tried. TCP must retain state for every attempt to connect,

ask worldnic how well that works... edns0 exists (for at least) the
sidestep of truncate and use tcp.

> and will require significantly greater resources for comparable levels of
> resilience.

Do you really think that dns in the future is going to move to mostly
TCP based transport? do you know what added latency that will be for
all clients which switch? What about handling more stateful requests
on what today are stateless systems? (f-root-style anycasted pods of
authoritative resolvers)

> SCTP instead uses cryptographic cookies and the client to retain this state
> information. SCTP can bundle several transactions into a common
> association, which reduces overhead and latency compared against TCP. SCTP

great... which internet scale applications use SCTP today? Which
load balancers are prepared to deal with this 'new' requirement?

> ensures against source spoofed reflected attacks or related resource
> exhaustion. TCP or UDP does not. Under load, SCTP can redirect services

how does SCTP ensure against spoofed or reflected attacks?

> without using anycast. TCP cannot.

explain your assertions please... these seem like overly broad
marketing slides which may be truthful in a corner-case but under wide
deployment aren't going to work in this manner.

-Chris
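The "cryptographic cookie" mechanism argued about above (a server that answers a connection attempt without allocating state until the peer echoes a MACed cookie back from the claimed address, as SCTP's INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK handshake does) can be shown in a few lines. This is an added illustration, not code from the thread or from any SCTP implementation; the addresses, tags and the StatelessServer class are constructed for the example.

```python
import hashlib
import hmac
import os
import time

COOKIE_LIFETIME = 60  # seconds an echoed cookie stays acceptable (assumed value)


class StatelessServer:
    """Models the server side of a cookie-based handshake: no memory is
    committed for a peer until it proves it received the cookie."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # rotated periodically in practice
        self.associations = {}                  # populated only after COOKIE-ECHO

    def _mac(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).hexdigest()[:32].encode()

    def on_init(self, src_addr, client_tag, now=None):
        """INIT -> INIT-ACK: pack everything the server would otherwise have to
        remember into the cookie and MAC it. Nothing is stored locally, so an
        INIT from a forged source costs the server no state."""
        now = int(time.time() if now is None else now)
        server_tag = int.from_bytes(os.urandom(4), "big")
        body = f"{src_addr}|{client_tag}|{server_tag}|{now}".encode()
        return body + b"|" + self._mac(body)

    def on_cookie_echo(self, src_addr, cookie, now=None):
        """COOKIE-ECHO -> COOKIE-ACK: only a peer that actually received the
        INIT-ACK at the claimed address can return a valid, fresh cookie."""
        now = int(time.time() if now is None else now)
        body, _, mac = cookie.rpartition(b"|")
        if not hmac.compare_digest(mac, self._mac(body)):
            return False                         # forged or tampered cookie
        addr, client_tag, server_tag, issued = body.decode().split("|")
        if addr != src_addr or now - int(issued) > COOKIE_LIFETIME:
            return False                         # replayed from elsewhere, or stale
        self.associations[(src_addr, int(client_tag))] = int(server_tag)
        return True


def spoofed_init_flood(server, count=1000):
    """Simulated INITs with forged sources (constructed addresses): the
    INIT-ACKs go to the forged addresses and the server keeps no state."""
    for i in range(count):
        server.on_init(f"203.0.113.{i % 250}", client_tag=i)
    return len(server.associations)


def legit_handshake(server, addr="198.51.100.7", client_tag=42):
    """A real client keeps the cookie and echoes it from the same address."""
    cookie = server.on_init(addr, client_tag)
    return server.on_cookie_echo(addr, cookie)
```

The state that TCP would hold per half-open connection lives in the cookie the client carries, which is the trade Otis describes; the MAC and the address/lifetime checks are what stop a spoofed or replayed cookie from creating an association.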

