
Re: [dnsext] I-D Action:draft-ietf-dnsext-dns-tcp-requirements-01.txt



On 10/26/09 4:58 AM, Ray.Bellis@nominet.org.uk wrote:
> As you'll have just seen I've just made a (minor) update to this
> draft.
>
> I've addressed most (if not all) of the editorial nits and comments.
>
> However for now I've left out wider discussion of the TCP tuning
> issues, references to UTO, etc., as "(currently) out of scope",
> pending face-to-face discussion in Hiroshima.

Updating RFC 1123 should consider the functional alternative made
possible with RFC 2671.  The maximal DNS message size of 512 should
not reflect a 576 MTU, but that of 1476 MTU. Only beyond that limit
should TCP become required.  After all, most CPE equipment cannot
proxy DNS over TCP, so DNS operation is not better accomplished with
this overreaching TCP mandate.

If smaller key sizes become practical, why not permit exclusive
operation of UDP within a known supported range?

4. Transport Protocol Selection

Change:
 o  all requests and responses are guaranteed to be <= 512 bytes

To:
 o  all requests and responses can be contained within a 1476 byte IP
packet to avoid IP fragmentation.

Change:

A resolver SHOULD send a UDP query first, but MAY elect to send a TCP
query instead if it has good reason to expect the response would be
truncated if it were sent over UDP (with or without EDNS0) or for other
operational reasons.

To:

A resolver SHOULD send a UDP query first, but MAY elect to send a TCP
query instead if it has good reason to expect the response would be
truncated if it were sent over UDP with EDNS0, or for other operational
reasons.

7. Security Considerations

This section makes an unsupportable supposition that TCP dependence will
prove safe because it has not yet resulted in successful DDoS attack.
However, following adoption of this TCP mandate, UDP use for frames still within 1476 bytes might be unnecessarily withdrawn. If this were to occur for any DNS message over 512 bytes in conjunction with DNSSEC, a substantial portion of DNS traffic may become limited to only using TCP. TCP, even with SYN cookies, still needs to buffer unacknowledged data which creates a significant resource exposure with a DDoS vulnerability.

-Doug