> Paul Wouters <mailto:p...@nohats.ca>
> Wednesday, January 21, 2015 8:38 AM
> On Wed, 21 Jan 2015, Paul Vixie wrote:
>
>> even if changing TCP/53's connection semantics could be done without
>> creating new DoS vectors, the small number of DNS TCP initiators and
>> responders who will ever be upgraded
>
> responders do not need to be upgraded for this, as we found out on this
> list about two years ago when Mark Andrews patched dig and I ran a test
> with that.

a responder with a small file descriptor limit who ignores keepalive signalling can easily see all of its tcp slots occupied, either by persistent initiators, or by any extremely unskilled, low-investment attacker.

>> , would be able to adopt TCP/80
>> faster. many middleboxes assume that DNS is UDP-only, and a few no doubt
>> proxy the transaction in a way that hijacks the connection management
>> semantics in a way that would (a) pass your new signalling along, but
>> (b) not follow it.
>
> What is the problem with "if you are behind broken middleware, do DNS
> like it is 1999"? I don't see how that is a reason to start moving to
> port 80.

dnssec. but, more importantly, persistent tcp is all we've got. RFC 6013 failed, in the sense that the tcp-m WG chose not to give it the IANA resources it would have needed. google's tcp-fastopen is at best insecure. SCTP seems to have jammed in the breach. if we want (and we do want) to keep a hot path open between a dns initiator and its pool of dns responders, then we need persistent tcp in the HTTP/1.1 style, and we need a large number of tcp slots on the responder, in the style of HTTP/1.1 responders.

the t-shirt is wrong. it's not "cross out 'let's take it to the ietf' and write 'just put it into dns'". rather, it's "cross out 'let's assume that our initiator has an internet connection' and write 'let's assume that our initiator has a web connection'". the internet is older than the web, but no longer larger than the web. just as ethernet was the RS232 of the 1990's, so now TCP/80 is the RS232 of the new century. i do not love this fact, but i do recognize it.

-- 
Paul Vixie
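An added example, not from Vixie's message or from any DNS implementation, of the slot accounting his first paragraph describes: a responder with a fixed file-descriptor budget either keeps every persistent connection forever (and then refuses newcomers) or reaps idle ones before refusing. The class and function names and the timings are my own assumptions.

```python
# Added example, not from the thread: responder-side TCP slot pool with idle reaping (names are my own).
from collections import OrderedDict
from typing import Optional


class TcpSlotPool:
    """Responder's TCP slots (its fd budget). idle_timeout=None is the
    never-reclaim case Vixie describes; with a timeout, idle slots are reaped."""

    def __init__(self, max_slots: int, idle_timeout: Optional[float]):
        self.max_slots = max_slots
        self.idle_timeout = idle_timeout
        self.slots: "OrderedDict[str, float]" = OrderedDict()  # id -> last activity
        self.refused = 0

    def activity(self, conn_id: str, now: float) -> None:
        """A query arrived on an open connection: refresh it and move it to the end."""
        if conn_id in self.slots:
            self.slots[conn_id] = now
            self.slots.move_to_end(conn_id)

    def _reap_idle(self, now: float) -> None:
        """Close connections idle longer than idle_timeout (least recent first)."""
        if self.idle_timeout is None:
            return
        for cid, last in list(self.slots.items()):
            if now - last <= self.idle_timeout:
                break  # entries are ordered by last activity; the rest are fresher
            del self.slots[cid]

    def accept(self, conn_id: str, now: float) -> bool:
        """Seat a new connection, reaping idle ones if the pool is full."""
        if len(self.slots) >= self.max_slots:
            self._reap_idle(now)
        if len(self.slots) >= self.max_slots:
            self.refused += 1
            return False
        self.slots[conn_id] = now
        return True


def demo(max_slots: int = 4, idle_timeout: Optional[float] = None) -> dict:
    """Constructed scenario: persistent initiators fill the pool at t=0 and
    all but one go quiet; a newcomer arrives at t=60 (seconds)."""
    pool = TcpSlotPool(max_slots, idle_timeout)
    for i in range(max_slots):
        pool.accept(f"persistent-{i}", now=0.0)
    pool.activity("persistent-0", now=50.0)  # one holder is still sending queries
    seated = pool.accept("newcomer", now=60.0)
    return {"seated": seated, "open": len(pool.slots), "refused": pool.refused}
```

Reaping only reclaims slots whose holders have gone quiet; a holder that keeps sending queries keeps its slot, so a responder also needs a per-source connection cap alongside the idle timeout.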
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop