nanog mailing list archives

Re: DNS hardening, was Re: Dan Kaminsky

From: Douglas Otis <dotis () mail-abuse org>
Date: Wed, 05 Aug 2009 15:53:32 -0700

On 8/5/09 2:49 PM, Christopher Morrow wrote:

and state-management seems like it won't be too much of a problem on
that dns server... wait, yes it will.

DNSSEC UDP will likely become problematic. This might be due toreflected attacks, fragmentation related congestion, or packet loss.When it does, TCP fallback will tried. TCP must retain state for everyattempt to connect, and will require significantly greater resources forcomparable levels of resilience.

SCTP instead uses cryptographic cookies and the client to retain thisstate information. SCTP can bundle several transactions into a commonassociation, which reduces overhead and latency compared against TCP.SCTP ensures against source spoofed reflected attacks or relatedresource exhaustion. TCP or UDP does not. Under load, SCTP canredirect services without using anycast. TCP can not.


-Doug

Current thread:

Re: dnscurve and DNS hardening, was Re: Dan Kaminsky, (continued)
- - - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Alexander Harrowell (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Ben Scott (Aug 07)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Tony Finch (Aug 06)
    - Re: dnscurve and DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky John R. Levine (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Roland Dobbins (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 05)
    - Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Jakma (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Ross Vandegrift (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
    - Re: DNS hardening, was Re: Dan Kaminsky Steven M. Bellovin (Aug 07)
    - Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 10)

(Thread continues...)