At 15:51 -0400 9/24/07, Stephen Hanna wrote:
Finally, I wonder whether other more fundamental techniques for
addressing the problem have been explored. For instance, if DNS clients
were required to perform a simple handshake before a DNS server sent
a long response, fake requests would provide little amplification.
It would be easier to just disable the UDP transport and go to TCP
only to accomplish the same goal. (For one, the handshake would be
subject to the same vulnerabilities that TCP has been strengthened
against.) Removing UDP from DNS erode the light, quick nature of
(legitimate) use.
For example, requests that elicit long responses could prompt a
shift to TCP. Of course, this would have other unpleasant side effects
such as slowing down the processing of DNS requests with long responses
and troubles getting DNS requests through firewalls. I'm not suggesting
that this approach be discussed in this document, simply that it be
considered (which probably has already been done).
Consider it considered. That cure would be worse than the disease.
Especially as the trend will likely be towards a greater incidence of
large DNS responses, e.g., for IPv6, for ENUM, and (if it ever flies)
for DNSSEC.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Think glocally. Act confused.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf