nanog mailing list archives
Re: DNS hardening, was Re: Dan Kaminsky
From: Florian Weimer <fweimer () bfk de>
Date: Thu, 06 Aug 2009 07:07:32 +0000
* Douglas Otis:
> Establishing SCTP as a preferred DNS transport offers a safe harbor for major ISPs.
SCTP is not a suitable transport for DNS, for several reasons:

Existing SCTP stacks are not particularly robust (far less than TCP). The number of bugs still found in them is rather large.

Only very few stacks (if any) implement operation without kernel buffers. The remaining ones are subject to the same state exhaustion attacks as TCP stacks are.

At least some parts of SCTP and the SCTP API were designed for a cooperative environment.

The SCTP API specification is very ambiguous, which is quite strange for such a young protocol. For instance, it is not clear whether, if a single socket is used to communicate with multiple peers, head-of-line blocking can occur.

The protocol has insufficient signalling to ensure that implementations turn off features which are harmful on a global scale. For instance, persistent authoritative <-> resolver connections only work if you switch off heartbeat, but the protocol cannot do this, and it is likely that many peers won't do it.

SCTP proposers generally counter these observations by referring to extensions and protocols which are not yet standardized, not implemented, or both, constantly moving the goalposts.

-- 
Florian Weimer <fweimer () bfk de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99