[151979] in North American Network Operators' Group


Re: DNS noise

daemon@ATHENA.MIT.EDU (David Conrad)
Fri Apr 6 16:44:37 2012

From: David Conrad <drc@virtualized.org>
In-Reply-To: <CAAAwwbU7s4BvVm2WAwZDW2h+WDoioudvhW2gdEZdHWKJrmH4mg@mail.gmail.com>
Date: Fri, 6 Apr 2012 13:44:00 -0700
To: Jimmy Hess <mysidia@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Jimmy,

On Apr 6, 2012, at 1:24 PM, Jimmy Hess wrote:
> On Fri, Apr 6, 2012 at 1:24 PM, David Conrad <drc@virtualized.org> wrote:
>> I suspect the root server operators might not like this idea very much.
> If it solves other problems adequately, they might eventually just have to learn to like it.

I was, of course, using the root servers as a proxy for pretty much any DNS server operator.  The root server operators aren't unique in the requirement to respond to an unbounded number of queries.

>> Treating a symptom and ignoring the disease. See http://tools.ietf.org/html/bcp38
> No. Implementation of BCP38 does have value, but the existence of
> BCP38 does not solve DNS application problems;

You seem to have missed the part where it isn't just a DNS problem.  Your solution would appear to be to replace every datagram-based query/response protocol such as ICMP and SNMP. I personally think it is more feasible for ISPs to implement BCP38 than it is for the entire Internet to move away from using datagram-based query/response protocols, but that's probably just me.

> but ignoring mitigation of the symptoms,
> despite there being more readily available options for symptom mitigation.

Sorry, which more readily available options are those?  I don't think forcing a 3-way exchange for stuff like PMTUD is 'readily available'.

> The underlying problem is that "BCP38" is not really a "best common practice",
> despite the name of the series.

The name of the series is "Best Current Practice".

> Lots of networks don't and will not ever implement BCP38;

It is true that lots of networks don't implement BCP38.  Whether or not they will ever is more debatable.  I suspect that we're about one major spoofing-based infrastructure attack away from proposed legislation that would force folks to implement something like BCP38, but I may be a bit more pessimistic than most.

However, I would be interested in hearing what the excuses are for folks not implementing BCP38 these days.

Regards,
-drc
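The thread above argues over BCP38 (source address validation at the network edge) as the fix for spoofing-driven reflection against DNS and other datagram query/response protocols. The following is an added illustration, not part of the original message or of any NANOG participant's post, that models the two common ways BCP38 is deployed: a strict unicast RPF check (the packet's source must be reachable back out the interface it arrived on) and a loose uRPF check (any non-default route for the source is enough). The routing table, interface names (`cust1`, `cust2`, `upstream`) and sample packets are all constructed for the example; the addresses are documentation ranges and RFC 1918 space, not real hosts.

```python
"""BCP38-style ingress filtering, modelled as a longest-prefix-match
reverse-path check (constructed example; not vendor code)."""
import ipaddress

# Constructed forwarding table for a hypothetical edge router:
# prefix -> interface the router would forward *toward* that prefix.
ROUTES = {
    "192.0.2.0/24":    "cust1",     # customer 1's assigned block
    "198.51.100.0/24": "cust2",     # customer 2's assigned block
    "203.0.113.0/24":  "upstream",  # a remote network reached via transit
    "0.0.0.0/0":       "upstream",  # default route
}


def best_route(table, src, ignore_default=False):
    """Longest-prefix match for src. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ignore_default and net.prefixlen == 0:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf_permit(table, ingress_iface, src):
    """Strict uRPF: permit only if the reverse path to src is the ingress interface.
    Suitable for single-homed customer ports, where routing is symmetric."""
    route = best_route(table, src)
    return route is not None and route[1] == ingress_iface


def loose_urpf_permit(table, src):
    """Loose uRPF: permit if any non-default route covers src.
    Catches bogons/unrouted space only; a spoofed *routable* source still passes."""
    return best_route(table, src, ignore_default=True) is not None


def static_acl_permit(allowed_prefixes, src):
    """Classic BCP38 static ACL: source must lie within the port's assigned prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in allowed_prefixes)


def filter_packets(table, packets, mode="strict"):
    """Run constructed (ingress_iface, src, dst) packets through the chosen check."""
    permitted, dropped = [], []
    for iface, src, dst in packets:
        ok = (strict_urpf_permit(table, iface, src) if mode == "strict"
              else loose_urpf_permit(table, src))
        (permitted if ok else dropped).append((iface, src, dst))
    return permitted, dropped


# Constructed traffic sample.
PACKETS = [
    ("cust1", "192.0.2.10", "203.0.113.53"),     # legitimate query from cust1
    ("cust1", "203.0.113.53", "198.51.100.7"),   # spoofed: victim's address as source (reflection)
    ("cust2", "10.0.0.1", "192.0.2.1"),          # spoofed: RFC 1918 source
    ("upstream", "203.0.113.53", "192.0.2.10"),  # legitimate reply arriving from transit
    ("upstream", "192.0.2.10", "198.51.100.7"),  # spoofed: our own customer block from outside
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        ok, bad = filter_packets(ROUTES, PACKETS, mode)
        print(f"--- {mode} uRPF: {len(ok)} permitted, {len(bad)} dropped")
        for p in bad:
            print("  DROP", p)
```

Running it shows the trade-off the thread dances around: strict mode drops all three spoofed packets, while loose mode drops only the RFC 1918 source and lets the reflection attempt through, because the victim's address is perfectly routable. Strict mode is what BCP38 intends on stub customer edges; on multihomed or asymmetric links it would also discard legitimate traffic, which is the usual operational reason operators fall back to loose mode or static ACLs on those ports.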


