nanog mailing list archives
Re: DNS hardening, was Re: Dan Kaminsky
From: Douglas Otis <dotis () mail-abuse org>
Date: Wed, 05 Aug 2009 15:53:32 -0700
On 8/5/09 2:49 PM, Christopher Morrow wrote:
> and state-management seems like it won't be too much of a problem on that dns server... wait, yes it will.
DNSSEC UDP will likely become problematic. This might be due to reflected attacks, fragmentation related congestion, or packet loss. When it does, TCP fallback will be tried. TCP must retain state for every attempt to connect, and will require significantly greater resources for comparable levels of resilience.
SCTP instead uses cryptographic cookies and the client to retain this state information. SCTP can bundle several transactions into a common association, which reduces overhead and latency compared against TCP. SCTP ensures against source spoofed reflected attacks or related resource exhaustion. TCP or UDP does not. Under load, SCTP can redirect services without using anycast. TCP cannot.
-Doug
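The state-retention contrast Doug draws between TCP fallback and SCTP's cookie handshake is illustrated by the following added example; it is not part of the original message and is not SCTP or any resolver's code. It models a server that answers the first packet (INIT) with an HMAC-SHA256 cookie binding the client's address, port and initiation tag, stores nothing until that cookie is echoed back, and rejects cookies that are forged, replayed from a different endpoint, or older than an assumed 60-second lifetime. A deliberately simple TCP-style listener with a fixed backlog is placed beside it so the resource-exhaustion difference from forged-source traffic is visible. The cookie layout, lifetime, backlog size and addresses (documentation ranges) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import struct
import time

COOKIE_LIFETIME = 60   # seconds a cookie remains valid (assumed value)
MAC_LEN = 32           # HMAC-SHA256 digest length


class CookieServer:
    """SCTP-style listener: no per-association state before a valid COOKIE-ECHO."""

    def __init__(self, secret=None, now=time.time):
        self.secret = secret or os.urandom(32)   # rotated periodically in a real system
        self.now = now                           # injectable clock for testing
        self.associations = {}                   # populated only after cookie validation

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.secret, payload, hashlib.sha256).digest()

    def on_init(self, src_addr: str, src_port: int, init_tag: int) -> bytes:
        """Answer INIT with INIT-ACK carrying a cookie; nothing is stored here.

        The reply is addressed to src_addr, so a forged source never sees it.
        """
        payload = (struct.pack("!IIH", int(self.now()), init_tag, src_port)
                   + src_addr.encode())
        return payload + self._mac(payload)

    def on_cookie_echo(self, src_addr: str, src_port: int, cookie: bytes) -> bool:
        """Validate an echoed cookie; allocate association state only on success."""
        if len(cookie) < 10 + MAC_LEN:
            return False
        payload, tag = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._mac(payload)):
            return False                          # forged or tampered cookie
        ts, init_tag, port = struct.unpack("!IIH", payload[:10])
        addr = payload[10:].decode()
        if (addr, port) != (src_addr, src_port):
            return False                          # cookie bound to another endpoint
        if int(self.now()) - ts > COOKIE_LIFETIME:
            return False                          # stale cookie, replay window closed
        self.associations[(src_addr, src_port)] = init_tag
        return True


class HalfOpenServer:
    """Contrast: a TCP-style listener that allocates state on the very first packet."""

    def __init__(self, backlog=1024):
        self.backlog = backlog
        self.half_open = {}

    def on_syn(self, src_addr: str, src_port: int, seq: int) -> bool:
        if len(self.half_open) >= self.backlog:
            return False                          # backlog exhausted, newcomers refused
        self.half_open[(src_addr, src_port)] = seq
        return True


def flood_comparison(n_spoofed=2000):
    """Constructed scenario: n_spoofed first packets from forged sources, then one real client.

    Returns (cookie associations held, real client completed via cookie,
             TCP half-open entries held, real client admitted via TCP).
    """
    cookie_srv = CookieServer()
    tcp_srv = HalfOpenServer(backlog=1024)
    for i in range(n_spoofed):
        src = (f"198.51.100.{i % 256}", 1024 + i)   # constructed forged sources
        cookie_srv.on_init(*src, init_tag=i)          # cookie goes to the forged address
        tcp_srv.on_syn(*src, seq=i)                   # state consumed immediately
    real = ("192.0.2.10", 40000)                      # constructed legitimate client
    cookie = cookie_srv.on_init(*real, init_tag=77)   # real client actually receives this
    cookie_ok = cookie_srv.on_cookie_echo(*real, cookie)
    tcp_ok = tcp_srv.on_syn(*real, seq=77)
    return (len(cookie_srv.associations), cookie_ok, len(tcp_srv.half_open), tcp_ok)


if __name__ == "__main__":
    print(flood_comparison())   # expected (1, True, 1024, False)
```

The cookie server ends the flood holding exactly one association, the legitimate one, while the backlog-based listener is full of forged entries and turns the real client away. Binding the address and port into the MAC is what stops a cookie obtained from one address being replayed from another, and the timestamp bounds how long a captured cookie stays usable.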