nanog mailing list archives
Re: maybe a dumb idea on how to fix the dns problems i don't know....
From: Paul Vixie <vixie () isc org>
Date: Sun, 10 Aug 2008 15:56:23 +0000
(here we are discussing dns protocol details on nanog@ again. must be sunday.)
From: Joe Abley <jabley () ca afilias info> It may be worth clarifying that "not considering TCP mandatory" above is an implementation/operational choice, and not something that seems to be clearly endorsed by RFC 1035, such as it is. There are a lot of people who insist that TCP transport is used for nothing other than zone transfers in the DNS, and they do so not out of concern over potential TCP state explosion on their servers but instead because "that's what the last guy told me". That kind of reasoning doesn't need a bigger posse. Joe 4.2. Transport ...
actually, it does (need a bigger posse). a little further on in RFC 1035 we find this gem: +--- | 4.2.2. TCP usage | ... | Several connection management policies are recommended: | | - The server should not block other activities waiting for TCP | data. | | - The server should support multiple connections. | | - The server should assume that the client will initiate | connection closing, and should delay closing its end of the | connection until all outstanding client requests have been | satisfied. | | - If the server needs to close a dormant connection to reclaim | resources, it should wait until the connection has been idle | for a period on the order of two minutes. In particular, the | server should allow the SOA and AXFR request sequence (which | begins a refresh operation) to be made on a single connection. | Since the server would be unable to answer queries anyway, a | unilateral close or reset may be used instead of a graceful | close. +--- in the era of RFC 1035 the philosophy was "be liberal in what you accept and be conservative in what you generate" because the other people on the network weren't trying to spam, ddos, or poison you. the above text is effectively a "please ddos me" bumper sticker worn across the ass of anyone who implements it. we're having a terrible time with UDP now simply because upstream sockets can now only be used once before they're closed, and any long-running query can tie up a file descriptor for a longish enough time to drain the pool down to the point where new downstream queries can't be accepted because existing upstream queries have not completed. file descriptors are the new "carbon footprint" of DNS. but at least in the UDP case the shortage is experienced only by the initiator. in the TCP case the shortage is experienced by both the initiator and the responder, and the responder is shackled by [4.2.2]. i don't want to completely dismiss the underlying idea of "fall back to TCP if someone guesses a few QID's wrong". however, i dismiss the idea that it's a simple universal solution. on a mailing list called namedroppers@ where i would more likely expect to see a discussion of fine points of DNS protocol, i spake thusly about a week ago, and so far have heard no reply, though i've implemented these recommendations on a server that only keeps 64 descriptors open at a time and it's been incredibly resistant to my poisoning attempts. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
--- Begin Message --- From: Paul Vixie <vixie () isc org>
Date: Wed, 30 Jul 2008 19:00:06 +0000
correct me if i'm wrong, but i think you might be confusing two proposals here. XQID and the EDNS PING proposal. XQID appends entropy to the actual query name, and shouldn't be downgradeable by leaving out something (because then the answer wouldn't be the same as the query). Using EDNS PING is 'cleaner' (it doesn't muck with the query), but would need something like you ask for here.yes, and i apologize for my confusion, i'm jittery from too much coffee and too little sleep in the last few weeks. PING with that modification to EDNS's fallback would work, though i'm beginning to realize that the requirement should be phrased as "each query transaction must be protected by XYZ bits of high quality random entropy, which can be reached using any combination of udp port number, query ID, DNS 0x20 bits, PING, or repeated queries". XYZ is probably about 50 if we want to rule out guessing attacks. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- to unsubscribe send a message to namedroppers-request () ops ietf org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
--- End Message ---
Current thread:
- Re: maybe a dumb idea on how to fix the dns problems i don't know...., (continued)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Joe Abley (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Matt F (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Joe Abley (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Paul Vixie (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Randy Bush (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Michael Thomas (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Chris Paul (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... brett watson (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Paul Vixie (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Joe Abley (Aug 10)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Paul Vixie (Aug 10)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Joe Abley (Aug 10)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Paul Vixie (Aug 10)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Joe Abley (Aug 09)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Chris Paul (Aug 10)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Rob Payne (Aug 10)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Chris Paul (Aug 10)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Chris Paul (Aug 10)
- Message not available
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... Chris Paul (Aug 10)
- Re: maybe a dumb idea on how to fix the dns problems i don't know.... list-nanog (Aug 10)